Should we move all the "listening part" of Tor to an empty Chroot?
That way, even in case of a software exploit against OpenSSL, there would be no serious risk of compromise due to OpenSSL code (a big, fat library) running in its own chroot.

Apache does it with mod_security: http://www.modsecurity.org/documentation/apache-internal-chroot.html
ProFTPD does it with DefaultRoot: http://www.proftpd.org/docs/directives/linked/config_ref_DefaultRoot.html
OpenVPN supports chroot via a command-line argument.

I'm wondering how complex it would be to implement chroot support for Tor, directly within the Tor code (with no painful sysadmin tricks).

-naif

On 4/19/12 4:52 PM, Nick Mathewson wrote:
> Hi, all!
>
> It looks like there is an openssl security advisory affecting some but
> not all of the ASN.1 parsing code. The announcement is here:
>
> http://openssl.org/news/secadv_20120419.txt
>
> And the full-disclosure posting is here:
>
> http://seclists.org/fulldisclosure/2012/Apr/210
>
> It looks like there is an openssl security advisory affecting some but
> not all of the ASN.1 parsing code. In short, the d2i_*_bio functions
> and the d2i_*_fp functions are vulnerable to hostile input, but the
> regular in-memory d2i_* functions, and the PEM_* functions, are not.
> Tor only calls the safe d2i_* functions and the safe PEM_* functions,
> and (as near as I can tell) doesn't call any part of OpenSSL that
> calls an unsafe function.
>
> So it appears that Tor is not affected by this. (I invite everybody
> to check my work here, of course.)
>
> So if you saw the original announcement and were wondering, "Do I need
> to upgrade my Tor's OpenSSL right now?" then the answer is "probably
> not." If you've got other programs that use OpenSSL, though, an
> upgrade could be in order: with any luck, your operating system (or
> the programs themselves) will handle that for you, if they've got a
> decent security update system.
>
> Just to be sure, future versions of the Tor packages we build ought to
> ship with OpenSSL 1.0.1a or later.
>
> yrs,

_______________________________________________
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
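Nick's "check my work" invitation amounts to a source audit for the entry points the advisory covers: direct calls to the d2i_*_bio() and d2i_*_fp() readers, as opposed to the in-memory d2i_*() and PEM_* readers he says are unaffected. The script below is an added example for this thread, not code from the list or from the Tor project. It scans a tree of *.c/*.h files for both call styles and counts the affected sites; the function names, the temporary directory and the two sample source files it builds are all constructed for the example.

```shell
#!/bin/sh
# Added example (not Tor project code): audit a source tree for the OpenSSL
# readers named in secadv_20120419. d2i_<TYPE>_bio() and d2i_<TYPE>_fp() are
# the affected entry points; the in-memory d2i_<TYPE>() readers are not.
# The sample tree built by make_sample_tree is constructed for this example.

# Every direct call to d2i_<TYPE>_bio( or d2i_<TYPE>_fp( in the tree,
# printed as file:line:text. /dev/null forces grep to print file names.
find_unsafe_d2i() {
    find "$1" -type f \( -name '*.c' -o -name '*.h' \) \
        -exec grep -nE 'd2i_[A-Za-z0-9_]+_(bio|fp)[[:space:]]*\(' /dev/null {} +
}

# Direct calls to the in-memory d2i_<TYPE>( readers, for comparison.
find_mem_d2i() {
    find "$1" -type f \( -name '*.c' -o -name '*.h' \) \
        -exec grep -nE 'd2i_[A-Za-z0-9_]+[[:space:]]*\(' /dev/null {} + |
        grep -vE '_(bio|fp)[[:space:]]*\('
}

# Number of affected call sites; prints 0 when there are none.
count_unsafe_d2i() {
    n=$(find_unsafe_d2i "$1" | wc -l)
    echo "$n" | tr -d ' '
}

# Build a throwaway tree with one clean and one affected file so the
# audit can be exercised offline. Prints the directory name.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    cat >"$d/clean.c" <<'EOF'
/* constructed sample: only in-memory DER and PEM readers */
X509 *x = d2i_X509(NULL, &p, len);
RSA *k = d2i_RSAPrivateKey(NULL, &q, klen);
X509 *y = PEM_read_bio_X509(bio, NULL, NULL, NULL);
EOF
    cat >"$d/affected.c" <<'EOF'
/* constructed sample: the BIO and FILE* readers the advisory names */
X509 *x = d2i_X509_bio(in, NULL);
RSA *k = d2i_RSAPrivateKey_fp (fp, NULL);
EOF
    echo "$d"
}

# Stand-alone usage: sh d2i_audit.sh path/to/source/tree
if [ $# -gt 0 ]; then
    find_unsafe_d2i "$1"
    echo "affected call sites: $(count_unsafe_d2i "$1")"
fi
```

A grep like this only sees direct call sites, which covers the first half of Nick's check. The second half ("doesn't call any part of OpenSSL that calls an unsafe function") needs the wrappers walked by hand: OpenSSL helpers that read a file for you take the BIO path internally (for instance SSL_CTX_use_certificate_file() on an SSL_FILETYPE_ASN1 file reaches d2i_X509_bio()), while the PEM_* readers, even though they take a BIO, are the ones Nick lists as unaffected.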