Opened 6 years ago

Closed 5 years ago

Last modified 5 years ago

#9150 closed defect (fixed)

Fully hardening the tor binary does not work in TBB 3.0a2 on Linux

Reported by: gk Owned by: erinn
Priority: Medium Milestone:
Component: Applications/Tor bundles/installation Version:
Severity: Keywords: tbb-3.0, tbb-security
Cc: intrigeri Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Checking the 3.0a2 bundles on Linux 32bit with the checksec script showed that the tor binary is not fully hardened (RPATH is still available) while the firefox binary is fine.

Child Tickets

Change History (23)

comment:1 Changed 6 years ago by gk

Summary: Fully hardening the tor binary does not work in TBB 3.0a2 on Linux 32bitFully hardening the tor binary does not work in TBB 3.0a2 on Linux

The same with 64bit.

comment:2 Changed 6 years ago by gk

Parent ID: #10065

Still true for 3.5 (and 3.5.1).

comment:3 Changed 6 years ago by mikeperry

Keywords: tbb-security added

comment:4 Changed 6 years ago by cypherpunks

Any update on this? Otherwise i'll give it a try.

comment:5 Changed 6 years ago by gk

Patches are welcome :)

comment:6 Changed 5 years ago by erinn

Keywords: needs-triage added

comment:7 Changed 5 years ago by gk

Keywords: needs-triage removed

comment:8 Changed 5 years ago by intrigeri

Cc: intrigeri added

comment:9 Changed 5 years ago by mikeperry

Resolution: fixed
Status: newclosed

I think this should be fixed in 3.6.5 and 4.0-alpha-2?

comment:10 in reply to:  9 Changed 5 years ago by gk

Parent ID: #10065
Resolution: fixed
Status: closedreopened

Replying to mikeperry:

I think this should be fixed in 3.6.5 and 4.0-alpha-2?

No.

comment:11 Changed 5 years ago by cypherpunks

Is it possible to get config.log after gitian-tor.yml descriptor finished?

It's somehow extra options used to found by configure script for proper linking with libs.
It tries to test with "(none)" or "-Wl,-R$tor_trydir" or "-R$tor_trydir" or "-Wl,-rpath,$tor_trydir". And only last working during linking with libevent and openssl, those generating RPATH section for result binary.

comment:12 Changed 5 years ago by cypherpunks

only last working

Or it was second one:

           For compatibility with other ELF linkers, if the -R option is
           followed by a directory name, rather than a file name, it is
           treated as the -rpath option

comment:13 Changed 5 years ago by cypherpunks

Status: reopenedneeds_review
--- gitian-tor.yml.original
+++ gitian-tor.yml
@@ -61,6 +61,7 @@
   cp $INSTDIR/openssl/lib/libcrypto.so.1.0.0 $INSTDIR/Tor/
   cp $INSTDIR/libevent/lib/libevent-2.0.so.5 $INSTDIR/Tor/
   chmod 700 $INSTDIR/Tor/*so*
+  export PATH=$PATH:$INSTDIR/Tor
 
   # Building tor
   cd tor

Lets test.

comment:14 Changed 5 years ago by gk

Status: needs_reviewneeds_revision

Nope, RPATH is still available.

comment:15 Changed 5 years ago by cypherpunks

export PATH=$PATH:$INSTDIR/Tor
Nope, RPATH is still available.

It should be LD_LIBRARY_PATH of course.

comment:16 Changed 5 years ago by cypherpunks

Status: needs_revisionneeds_review
--- gitian-tor.yml.original
+++ gitian-tor.yml
@@ -61,6 +61,7 @@
   cp $INSTDIR/openssl/lib/libcrypto.so.1.0.0 $INSTDIR/Tor/
   cp $INSTDIR/libevent/lib/libevent-2.0.so.5 $INSTDIR/Tor/
   chmod 700 $INSTDIR/Tor/*so*
+  export LD_LIBRARY_PATH="$INSTDIR/Tor/"
 
   # Building tor
   cd tor

Lets test #2.

comment:17 Changed 5 years ago by gk

Yeah, that fixes it, nice.

comment:18 Changed 5 years ago by gk

Resolution: fixed
Status: needs_reviewclosed

Fixed in commit 29c156d5085d2c186cf6f0cc12eba45dcea8992e (master) and 4abb92271aef3256ca1838c5c9669d73cd605641 (maint-3.6). Thanks!

comment:19 Changed 5 years ago by cypherpunks_backup

Resolution: fixed
Status: closedreopened

.

comment:20 Changed 5 years ago by cypherpunks_backup

Resolution: wontfix
Status: reopenedclosed

comment:21 Changed 5 years ago by gk

Resolution: wontfix
Status: closedreopened

Please, stop doing that. The ticket was fixed.

comment:22 Changed 5 years ago by gk

Resolution: fixed
Status: reopenedclosed

comment:23 Changed 5 years ago by cypherpunks_backup

Please, stop doing that. The ticket was fixed.

Please don't close another tickets with cryptic wontfix resolution.

Note: See TracTickets for help on using tickets.