Date:      Fri, 16 Jun 2017 07:03:08 +0000 (UTC)
From:      Kurt Jaeger <pi@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org
Subject:   svn commit: r443670 - in branches/2017Q2/security/tor-devel: . files
Message-ID:  <201706160703.v5G738DC017652@repo.freebsd.org>

Author: pi
Date: Fri Jun 16 07:03:08 2017
New Revision: 443670
URL: https://svnweb.freebsd.org/changeset/ports/443670

Log:
  security/tor-devel: update 0.3.0.3-alpha -> 0.3.1.3-alpha
  
  - fixes two remote DoS vulnerabilities related to hidden services
    https://lists.torproject.org/pipermail/tor-talk/2017-June/043244.html
  - disabled the new compression options for now, since at least one of
    them has a bug, see here:
    https://trac.torproject.org/projects/tor/ticket/22550
  
  PR:		219248, 219864
  Submitted by:	Yuri Victorovich <yuri@rawbw.com> (maintainer)
  Approved by:	ports-secteam (miwi, feld)
  MFH:		2017Q2
  Relnotes:	https://gitweb.torproject.org/tor.git/plain/ReleaseNotes?id=tor-0.3.1.3-alpha
  Security:	TROVE-2017-002, CVE-2017-0375, CVE-2017-0376

Modified:
  branches/2017Q2/security/tor-devel/Makefile
  branches/2017Q2/security/tor-devel/distinfo
  branches/2017Q2/security/tor-devel/files/pkg-message.in
  branches/2017Q2/security/tor-devel/files/tor.in
  branches/2017Q2/security/tor-devel/pkg-descr
  branches/2017Q2/security/tor-devel/pkg-plist

Modified: branches/2017Q2/security/tor-devel/Makefile
==============================================================================
--- branches/2017Q2/security/tor-devel/Makefile	Fri Jun 16 06:59:31 2017	(r443669)
+++ branches/2017Q2/security/tor-devel/Makefile	Fri Jun 16 07:03:08 2017	(r443670)
@@ -2,7 +2,7 @@
 # $FreeBSD$
 
 PORTNAME=	tor
-DISTVERSION=	0.3.0.3-alpha
+DISTVERSION=	0.3.1.3-alpha
 CATEGORIES=	security net ipv6
 MASTER_SITES=	TOR
 PKGNAMESUFFIX=	-devel
@@ -13,32 +13,32 @@ COMMENT=	Anonymizing overlay network for TCP
 LICENSE=	BSD3CLAUSE
 LICENSE_FILE=	${WRKSRC}/LICENSE
 
-BROKEN_mips64=	Does not build: error: Need a uint128_t implementation!
-BROKEN_powerpc64=	Does not build
-BROKEN_sparc64=	Does not build: error: Need a uint128_t implementation!
+BROKEN_mips64=	does not build: error: Need a uint128_t implementation!
+BROKEN_powerpc64=	does not build: error: Need a uint128_t implementation!
+BROKEN_sparc64=	does not build: error: Need a uint128_t implementation!
 
-USES=		cpe gmake
+USES=		cpe gmake pkgconfig
 CPE_VENDOR=	torproject
-#CPE_VERSION=	${DISTVERSION:C/-.*//}
-#CPE_UPDATE=	${DISTVERSION:C/.*-//}
 GNU_CONFIGURE=	yes
-CONFIGURE_ARGS=	--with-openssl-dir="${OPENSSLBASE}"
+CONFIGURE_ARGS=	--with-openssl-dir="${OPENSSLBASE}" \
+		--disable-lzma \
+		--disable-zstd
 CONFIGURE_ENV=	TOR_CPPFLAGS_libevent="-I${LOCALBASE}/include" \
 		TOR_LDFLAGS_libevent="-L${LOCALBASE}/lib/" \
 		TOR_LIBEVENT_LIBS="${TOR_LIBEVENT_LIBS}"
 
-OPTIONS_DEFINE=	MANPAGES STATIC_TOR TCMALLOC TOR2WEB TRANSPARENT
+OPTIONS_DEFINE=	MANPAGES DOCS STATIC_TOR TCMALLOC TOR2WEB
+OPTIONS_DEFAULT=MANPAGES
 OPTIONS_SUB=	yes
 
 STATIC_TOR_DESC=	Build a static tor
 TCMALLOC_DESC=		Use the tcmalloc memory allocation library
 TOR2WEB_DESC=		(EXPERT OPTION) Faster but non-anonymous hidden services
-TRANSPARENT_DESC=	Transparent proxy support
 
-OPTIONS_DEFAULT=	MANPAGES TRANSPARENT
-
 USE_RC_SUBR=	tor
 SUB_FILES=	pkg-message
+SUB_LIST=	USER="${USERS}" GROUP="${GROUPS}"
+PLIST_SUB=	USER="${USERS}" GROUP="${GROUPS}"
 
 GROUPS=		_tor
 USERS=		_tor
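Review bot: The new `--disable-lzma` and `--disable-zstd` arguments in CONFIGURE_ARGS carry no in-file explanation, so the reason for turning the compression backends off lives only in the commit log. A comment above the assignment, such as `# lzma/zstd disabled until https://trac.torproject.org/projects/tor/ticket/22550 is resolved`, would tell the next updater when the flags can be dropped. `pkgconfig` is added to USES in the same hunk; if it is only needed to detect those two libraries (not visible here), it may be unnecessary while they are disabled, which is worth confirming.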
@@ -48,11 +48,14 @@ CONFLICTS=	tor-[0-9]*
 STATIC_TOR_USES=	ssl:build
 STATIC_TOR_USES_OFF=	ssl
 
-MANPAGES_BUILD_DEPENDS=	asciidoc:textproc/asciidoc
-MANPAGES_CONFIGURE_OFF=	--disable-asciidoc
-
 .include <bsd.port.options.mk>
 
+.if ${PORT_OPTIONS:MDOCS} || ${PORT_OPTIONS:MMANPAGES}
+BUILD_DEPENDS+=	asciidoc:textproc/asciidoc
+.else
+CONFIGURE_ARGS+=	--disable-asciidoc
+.endif
+
 .if !defined(USE_GCC) && empty(CC:T:M*gcc4*) && \
 empty(PORT_OPTIONS:MSTATIC_TOR) && empty(ARCH:Mia64)
 CONFIGURE_ARGS+=	--enable-gcc-hardening
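Review bot: The new `.if ${PORT_OPTIONS:MDOCS} || ${PORT_OPTIONS:MMANPAGES}` block turns asciidoc on when either option is set, while pkg-plist in this commit lists the man pages under `%%MANPAGES%%` and the HTML files under `%%PORTDOCS%%` independently. If the upstream build generates and installs both outputs whenever asciidoc is enabled (not visible here), a build with only one of the two options would stage files the plist omits. Running `make check-plist` once with only DOCS and once with only MANPAGES would confirm it. The `.if !defined(USE_GCC)` conditional at the end of the hunk continues outside it.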
@@ -84,12 +87,6 @@ LIB_DEPENDS+=		libtcmalloc.so:devel/google-perftools
 CONFIGURE_ARGS+=	--enable-tor2web-mode
 .endif
 
-.if ${PORT_OPTIONS:MTRANSPARENT}
-CONFIGURE_ARGS+=	--enable-transparent
-.else
-CONFIGURE_ARGS+=	--disable-transparent
-.endif
-
 pre-everything::
 .if ${PORT_OPTIONS:MTOR2WEB}
 	@${ECHO_MSG}
@@ -116,12 +113,8 @@ post-patch-STATIC_TOR-on:
 	@${REINPLACE_CMD} -e "s@-ltcmalloc@${LOCALBASE}/lib/libtcmalloc.a@" \
 		${WRKSRC}/configure
 
-post-configure:
-	@${REINPLACE_CMD} -e '\|^nodist_man1_MANS =|s|$$|$$(install_mans:=.1)|' \
-		${WRKSRC}/Makefile
-
 post-install:
-	@${MKDIR} ${STAGEDIR}/var/log/tor ${STAGEDIR}/var/run/tor
+	@${MKDIR} ${STAGEDIR}/var/log/tor ${STAGEDIR}/var/run/tor ${STAGEDIR}/var/db/tor
 
 .if ! ${PORT_OPTIONS:MTOR2WEB}
 check regression-test test: build

Modified: branches/2017Q2/security/tor-devel/distinfo
==============================================================================
--- branches/2017Q2/security/tor-devel/distinfo	Fri Jun 16 06:59:31 2017	(r443669)
+++ branches/2017Q2/security/tor-devel/distinfo	Fri Jun 16 07:03:08 2017	(r443670)
@@ -1,3 +1,3 @@
-TIMESTAMP = 1486672862
-SHA256 (tor-0.3.0.3-alpha.tar.gz) = 739adb4a7ae1eb12582a667d56f7e8348123b1e00fe9d8a6159776df6dba7a87
-SIZE (tor-0.3.0.3-alpha.tar.gz) = 5738504
+TIMESTAMP = 1496960997
+SHA256 (tor-0.3.1.3-alpha.tar.gz) = 05b0fd6b1d119d038dc0a4e00261b821e1be0b96c83fbc6251cb25d5435ed9b4
+SIZE (tor-0.3.1.3-alpha.tar.gz) = 5946205

Modified: branches/2017Q2/security/tor-devel/files/pkg-message.in
==============================================================================
--- branches/2017Q2/security/tor-devel/files/pkg-message.in	Fri Jun 16 06:59:31 2017	(r443669)
+++ branches/2017Q2/security/tor-devel/files/pkg-message.in	Fri Jun 16 07:03:08 2017	(r443670)
@@ -11,4 +11,12 @@ exploits sequential IP IDs by setting:
 sysctl net.inet.ip.random_id=1
 
 (see sysctl.conf(5)).
+
+In order to run additional, independent instances of tor on the same machine
+set tor_instances="inst1 inst2 ..." in your /etc/rc.conf, and create the
+corresponding additional configuration files %%PREFIX%%/etc/tor/torrc@inst1, ...
+
+Alternatively, you can use the extended instance definition to specify all
+instance parameteres explicitly:
+inst_name{:inst_conf:inst_user:inst_group:inst_pidfile:inst_data_dir}
 ================================================================================

Modified: branches/2017Q2/security/tor-devel/files/tor.in
==============================================================================
--- branches/2017Q2/security/tor-devel/files/tor.in	Fri Jun 16 06:59:31 2017	(r443669)
+++ branches/2017Q2/security/tor-devel/files/tor.in	Fri Jun 16 07:03:08 2017	(r443670)
@@ -11,25 +11,100 @@
 # they are command line options.
 #
 # tor_enable (bool):	Set it to "YES" to enable tor. Default: NO
+# tor_instances (str):	List of instances. Default: ""
 # tor_conf (str):	Points to your torrc file.
 #			Default: %%PREFIX%%/etc/tor/torrc
-# tor_user (str):	Tor daemon user. Default: _tor
+# tor_user (str):	Tor daemon user. Default: %%USER%%
+# tor_group (str):	Tor group. Default: %%GROUP%%
+# tor_pidfile (str):	Tor pid file.  Default: /var/run/tor/tor.pid
 # tor_datadir (str):	Tor datadir.  Default: /var/db/tor
+# tor_disable_default_instance (str):	Doesn't run the default instance.
+#			Only valid when tor_instances is used.
+#			Default: NO
 #
+# The instance definition that tor_instances expects:
+# inst_name{:inst_conf:inst_user:inst_group:inst_pidfile:inst_data_dir}
+#
 
 . /etc/rc.subr
 
 name="tor"
 rcvar=tor_enable
+exit_code=0
 
 load_rc_config ${name}
 
 : ${tor_enable="NO"}
+: ${tor_instances=""}
 : ${tor_conf="%%PREFIX%%/etc/tor/torrc"}
-: ${tor_user="_tor"}
+: ${tor_user="%%USER%%"}
+: ${tor_group="%%GROUP%%"}
 : ${tor_pidfile="/var/run/tor/tor.pid"}
 : ${tor_datadir="/var/db/tor"}
+: ${tor_disable_default_instance="NO"}
 
+instance=${slave_instance}
+if [ -n "${instance}" ]; then
+  inst_def=${instance}
+  inst_name=${inst_def%%:*}
+  [ "${inst_name}" != "main" ] || err 1 "${name} instance can't be named 'main'"
+  inst_def=${inst_def#$inst_name}
+  if [ -n "$inst_def" ]; then
+    # extended instance: parameters are set explicitly
+    inst_def=${inst_def#:}
+    tor_conf=${inst_def%%:*}
+    inst_def=${inst_def#$tor_conf:}
+    tor_user=${inst_def%%:*}
+    inst_def=${inst_def#$tor_user:}
+    tor_group=${inst_def%%:*}
+    inst_def=${inst_def#$tor_group:}
+    tor_pidfile=${inst_def%%:*}
+    tor_datadir=${inst_def#$tor_pidfile:}
+    if [ -z "${tor_conf}" -o -z "${tor_user}" -o -z "${tor_group}" -o -z "${tor_pidfile}" -o -z "${tor_datadir}" ]; then
+      warn "invalid tor instance ${inst_name} settings: ${instance}"
+      exit 1
+    fi
+  else
+    # regular instance: default parameters are used
+    tor_conf=${tor_conf}@${inst_name}
+    tor_pidfile=${tor_pidfile}@${inst_name}
+    tor_datadir=${tor_datadir}/instance@${inst_name}
+  fi
+  if ! [ -r ${tor_conf} ]; then
+    warn "tor instance ${inst_name} config file ${tor_conf} doesn't exist or isn't readable"
+    warn "you can copy the sample config %%PREFIX%%/etc/tor/torrc.sample and modify it"
+    exit 1
+  fi
+  if ! [ -d ${tor_datadir} ]; then
+    mkdir -p ${tor_datadir} &&
+    chown ${tor_user}:${tor_group} ${tor_datadir} &&
+    chmod 0700 ${tor_datadir} &&
+    echo "${name}: created the instance data directory ${tor_datadir}"
+  fi
+fi
+
+if [ -z "${instance}" -a -n "${tor_instances}" ]; then
+  inst_only="$2"
+  inst_done=0
+  for i in ${tor_instances}; do
+    inst_name=${i%%:*}
+    if [ -z "${inst_only}" -o "${inst_name}" = "${inst_only}" ]; then
+      echo -n "${name} instance ${inst_name}: "
+      if ! slave_instance=${i} %%PREFIX%%/etc/rc.d/tor "$1"; then
+        exit_code=1
+      fi
+      inst_done=$((inst_done+1))
+    fi
+  done
+  if [ -z "${inst_only}" -o "${inst_only}" = "main" ]; then
+    checkyesno tor_disable_default_instance && return $exit_code
+    echo -n "${name} main instance: "
+  elif [ -n "${inst_only}" ]; then
+    [ $inst_done -gt 0 ] || err 1 "${name} instance '$inst_only' isn't defined"
+    return  $exit_code
+  fi
+fi
+
 required_files=${tor_conf}
 required_dirs=${tor_datadir}
 pidfile=${tor_pidfile}
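Review bot: The extended-definition parser accepts a definition with too few fields, because `${inst_def#$tor_conf:}` leaves the string unchanged when no further colon follows: `name:conf` ends with tor_conf, tor_user, tor_group, tor_pidfile and tor_datadir all set to `conf`, and the `-z` check passes. Counting the separators right after the leading colon is stripped would reject it, e.g. `case "${inst_def}" in *:*:*:*:*) ;; *) err 1 "invalid tor instance ${inst_name} settings: ${instance}" ;; esac`. Separately, the data directory is created with `mkdir -p` and only afterwards narrowed with `chown` and `chmod`, and a failure anywhere in that chain is silent. `install -d -m 0700 -o "${tor_user}" -g "${tor_group}" "${tor_datadir}" || err 1 "cannot create ${tor_datadir}"` sets owner and mode in one step and stops on error. The unquoted `${tor_conf}` and `${tor_datadir}` in the `[ -r … ]` and `[ -d … ]` tests should be quoted as well.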
@@ -37,5 +112,8 @@ command="%%PREFIX%%/bin/${name}"
 command_args="-f ${tor_conf} --PidFile ${tor_pidfile} --RunAsDaemon 1 --DataDirectory ${tor_datadir}"
 extra_commands="reload"
 
-run_rc_command "$1"
+if ! run_rc_command "$1"; then
+  exit_code=1
+fi
 
+return $exit_code

Modified: branches/2017Q2/security/tor-devel/pkg-descr
==============================================================================
--- branches/2017Q2/security/tor-devel/pkg-descr	Fri Jun 16 06:59:31 2017	(r443669)
+++ branches/2017Q2/security/tor-devel/pkg-descr	Fri Jun 16 07:03:08 2017	(r443670)
@@ -13,4 +13,4 @@ anonymity, safety, and privacy features.
 Remember that this is development code -- DON'T RELY ON THE CURRENT TOR
 NETWORK FOR ANONYMITY!
 
-WWW: http://torproject.org/
+WWW: https://www.torproject.org/

Modified: branches/2017Q2/security/tor-devel/pkg-plist
==============================================================================
--- branches/2017Q2/security/tor-devel/pkg-plist	Fri Jun 16 06:59:31 2017	(r443669)
+++ branches/2017Q2/security/tor-devel/pkg-plist	Fri Jun 16 07:03:08 2017	(r443670)
@@ -7,11 +7,12 @@ bin/torify
 %%MANPAGES%%man/man1/tor-resolve.1.gz
 %%MANPAGES%%man/man1/tor.1.gz
 %%MANPAGES%%man/man1/torify.1.gz
-%%MANPAGES%%%%PORTDOCS%%%%DOCSDIR%%/tor-gencert.html
-%%MANPAGES%%%%PORTDOCS%%%%DOCSDIR%%/tor-resolve.html
-%%MANPAGES%%%%PORTDOCS%%%%DOCSDIR%%/tor.html
-%%MANPAGES%%%%PORTDOCS%%%%DOCSDIR%%/torify.html
+%%PORTDOCS%%%%DOCSDIR%%/tor-gencert.html
+%%PORTDOCS%%%%DOCSDIR%%/tor-resolve.html
+%%PORTDOCS%%%%DOCSDIR%%/tor.html
+%%PORTDOCS%%%%DOCSDIR%%/torify.html
 %%DATADIR%%/geoip
 %%DATADIR%%/geoip6
-@dir(_tor,_tor,750) /var/run/tor
-@dir(_tor,_tor,750) /var/log/tor
+@dir(%%USER%%,%%GROUP%%,700) /var/run/tor
+@dir(%%USER%%,%%GROUP%%,700) /var/log/tor
+@dir(%%USER%%,%%GROUP%%,700) /var/db/tor


