[tor-talk] Another openssl advisory: Tor seems not to be affected (Chroot?)

Fabio Pietrosanti (naif) lists at infosecurity.ch
Thu Apr 19 15:50:23 UTC 2012


Should we move all the "listening part" of Tor to an empty Chroot?

That way, even in case of a software exploit against OpenSSL, there
would be no serious risks of compromise due to OpenSSL code (a big, fat
library) running in its own chroot.

Apache does it with Mod_Security:
http://www.modsecurity.org/documentation/apache-internal-chroot.html

ProFTPD does it with DefaultRoot:
http://www.proftpd.org/docs/directives/linked/config_ref_DefaultRoot.html

OpenVPN supports chroot via a command-line argument.

I'm wondering how complex it would be to implement chroot support for
Tor, directly within the Tor code (with no painful sysadmin tricks).

-naif

On 4/19/12 4:52 PM, Nick Mathewson wrote:
> Hi, all!
> 
> It looks like there is an openssl security advisory affecting some but
> not all of the ASN.1 parsing code. The announcement is here:
> 
> http://openssl.org/news/secadv_20120419.txt
> 
> And the full-disclosure posting is here:
> 
> http://seclists.org/fulldisclosure/2012/Apr/210
> 
> It looks like there is an openssl security advisory affecting some but
> not all of the ASN.1 parsing code.  In short, the d2i_*_bio functions
> and the d2i_*_fp functions are vulnerable to hostile input, but the
> regular in-memory d2i_* functions, and the PEM_* functions, are not.
> Tor only calls the safe d2i_* functions and the safe PEM_* functions,
> and (as near as I can tell) doesn't call any part of OpenSSL that
> calls an unsafe function.
> 
> So it appears that Tor is not affected by this.  (I invite everybody
> to check my work here, of course.)
> 
> So if you saw the original announcement and were wondering, "Do I need
> to upgrade my Tor's OpenSSL right now?" then the answer is "probably
> not."  If you've got other programs that use OpenSSL, though, an
> upgrade could be in order: with any luck, your operating system (or
> the programs themselves) will handle that for you, if they've got a
> decent security update system.
> 
> Just to be sure, future versions of the Tor packages we build ought to
> ship with OpenSSL 1.0.1a or later.
> 
> yrs,
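The in-process chroot-plus-privilege-drop sequence naif is asking about, as an added example in C. This is not Tor's code and is not from either message in the thread; the jail path, uid and gid are whatever the caller passes in, and the names `drop_into_chroot`, `sandbox_strerror` and the `sandbox_err` codes are chosen for this illustration. The ordering matters more than the individual calls: chdir before chroot, chroot before the uid/gid drop, and a check afterwards that root really is gone, because a chroot that still holds root is not a boundary.

```c
/* chroot_drop.c: illustration of an in-process chroot + privilege drop.
 * Added example, not Tor code. Function and error names are invented here. */
#include <sys/types.h>
#include <unistd.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum sandbox_err {
    SB_OK = 0,
    SB_BAD_ARGS,     /* relative jail path, or asked to keep uid/gid 0 */
    SB_CHDIR,        /* chdir(dir) or chdir("/") failed */
    SB_CHROOT,       /* chroot() failed (EPERM when not started as root) */
    SB_SETGID,       /* could not drop group id */
    SB_SETUID,       /* could not drop user id */
    SB_STILL_ROOT    /* privilege drop did not stick */
};

/* Everything that needs the real filesystem or root must already be done
 * before this call: binding ports below 1024, opening logs and key files,
 * seeding OpenSSL's RNG from /dev/urandom. The jail is meant to be empty. */
int drop_into_chroot(const char *dir, uid_t uid, gid_t gid)
{
    if (dir == NULL || dir[0] != '/' || uid == 0 || gid == 0)
        return SB_BAD_ARGS;
    /* chdir first: chroot() does not move the cwd, and a cwd left outside
     * the new root is the classic way out of a jail. */
    if (chdir(dir) != 0)
        return SB_CHDIR;
    if (chroot(dir) != 0)
        return SB_CHROOT;
    if (chdir("/") != 0)
        return SB_CHDIR;
    /* Group before user: after setuid() we may no longer be allowed to.
     * Real code should also clear supplementary groups with setgroups(),
     * omitted here because setgroups() is not POSIX. */
    if (setgid(gid) != 0)
        return SB_SETGID;
    if (setuid(uid) != 0)
        return SB_SETUID;
    /* Root inside a chroot can mkdir + chroot + chdir("..") its way out,
     * so prove the drop is irreversible before trusting the jail. */
    if (setuid(0) == 0 || geteuid() == 0 || getegid() == 0)
        return SB_STILL_ROOT;
    return SB_OK;
}

const char *sandbox_strerror(int err)
{
    static const char *msgs[] = {
        "ok",
        "bad arguments (need absolute dir and non-root uid/gid)",
        "chdir failed", "chroot failed", "setgid failed",
        "setuid failed", "still privileged after drop"
    };
    if (err < 0 || err > SB_STILL_ROOT)
        return "unknown";
    return msgs[err];
}

/* Usage: ./chroot_drop /path/to/empty/jail UID GID   (run as root) */
int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s /path/to/empty/jail uid gid\n", argv[0]);
        return 2;
    }
    uid_t uid = (uid_t)strtoul(argv[2], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[3], NULL, 10);
    int rc = drop_into_chroot(argv[1], uid, gid);
    int saved = errno;
    if (rc != SB_OK) {
        fprintf(stderr, "sandbox: %s (%s)\n", sandbox_strerror(rc),
                strerror(saved));
        return 1;
    }
    /* Inside an empty jail the host's /etc/passwd must not be visible. */
    FILE *f = fopen("/etc/passwd", "r");
    printf("uid=%u gid=%u, /etc/passwd is %s\n", (unsigned)getuid(),
           (unsigned)getgid(),
           f ? "VISIBLE (jail is not empty)" : "not visible");
    if (f)
        fclose(f);
    return 0;
}
```

Run it as root with an empty directory and an unprivileged uid/gid; as a normal user it stops at `chroot failed` with EPERM, which is the expected outcome. The argument check refuses uid 0 or gid 0 on purpose: a process that enters the jail and stays root has gained nothing from it.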