Re: [Tails-dev] 1.3.3 Security Release Prior To 1.4?

Author: anonym
Date:  
To: The Tails public development discussion list
Subject: Re: [Tails-dev] 1.3.3 Security Release Prior To 1.4?
On 20/04/15 01:42, Paul_Blart@??? wrote:
> Are you planning on a security release prior to 1.4?


I can't speak for the whole Tails project, but my guess is "no".

> There are several packages since 1.3.2 which should be updated now
> before the 1.4 release. Tor Browser is just one of many.


Tor Browser 4.0.8 essentially only ships a newer Tor (0.2.5.12), and the
only really relevant fix (due to the supported Tails use cases) is the
one for the client-side crash when accessing malicious hidden services,
CVE-2015-2929. Obviously, it can be used to DoS the Tails user, which
isn't so bad when stated simply like that, but since a complete Tor
client crash is involved a malicious exit node operator could do worse.
Example:

A Tails 1.3.2 user (so Tor 0.2.5.11) and the attacker are both connected
to the same IRC channel. The Tails user makes an HTTP (not HTTPS!) fetch
of some (non-HS) website, and happens to pick the attacker's exit node,
which injects a request to some object on a HS that makes the Tor client
crash via CVE-2015-2929. By comparing the "ping timeout" message timing
on the IRC channel with the time of the Tor client crash the HS caused,
the attacker can correlate that IRC user to the HTTP fetch. Of course,
this can be generalized to (instead of IRC) any service that makes
connection status public, and (instead of HTTP) any protocol that
doesn't use effective end-to-end authentication *and* where one can
inject requests (or redirect) to the crashing HS.

While this is pretty bad, and something that would be great to fix ASAP
in a Tails 1.3.3, my feeling is still that this correlation attack is
pretty circumstantial and hence unlikely to actually be used effectively
in the wild.

> In addition, when browsing the changelog for 1.3.2, I notice there
> were not any listing of changes to several packages which Debian
> updated on their site. Usually you cover updating of security updates
> and provide package names and links (advisories) accordingly. Were
> these other packages updated in 1.3.2?


1.3.2 happened shortly after 1.3.1, so most such changes are listed
there (also see the 1.3 and 1.3.1 security announcements). Tails 1.3.2
was built on March 30th, and has all Debian security fixes available at
that point. The DSAs since then do not look severe, or am I missing
anything?

> Please consider a 1.3.3 release to fix several security issues before
> the long wait to 1.4.


Unless it's explained to us why staying on Tor 0.2.5.11 is worse than we
think, or some other vulnerability is discovered, I do not think this
will happen. Preparing and releasing a Tails release is simply too much
work to justify it with our current understanding of these issues so
that time is better spent on improving Tails 1.4, and automating our
release process so same-day security fixes will be cheap one day.

Cheers!