
Update to xz 5.2.5 and zstd 1.5.0

Open syphyr opened this issue 2 years ago • 16 comments

Fix some changed zstd 1.5.0 include paths and openssl not found error during configuration of libevent 2.1.12.

syphyr avatar Nov 13 '21 22:11 syphyr

Thoughts on this, team? What are the tor project's builds set to?

n8fr8 avatar Nov 15 '21 13:11 n8fr8

From the changelogs, all of these version updates are only for bugfixes and do not include any ABI changes.

syphyr avatar Nov 15 '21 23:11 syphyr

@syphyr thanks for doing this. Can you tell us about what kind of testing you did? Are there any notable bug fixes included here?

eighthave avatar Nov 18 '21 07:11 eighthave

I have been testing these updated library versions on the arm64 variant for several months without any issues. The only thing I have not been able to test is hidden services.

Some notable changes for libevent 2.1.12 include fixing several dns bugs and a signal leak issue.

Openssl 1.1.1l fixes CVE-2021-3711 and CVE-2021-3712.

xz 5.2.5 has some memory leak fixes.

zstd 1.5.0 fixes some compression bugs (divide by zero).

syphyr avatar Nov 18 '21 18:11 syphyr

Also, we should update tor to 0.4.6.8. Worth noting for tor 0.4.6.8 is a fix on how we use DNS timeout to report general overload. I did not include tor in this list because of the additional patches required on top of the tor submodule.

syphyr avatar Nov 18 '21 18:11 syphyr

I'm happy to see updates here as often as is useful. Most of the work is testing everything, especially once we nail down the last couple bugs in the reproducible build (It is already reproducible in the same environment/machine, there might be a couple bugs left when building on different machines).

May I ask who "we" is in this context?

And what patches would be needed here to support 0.4.6.8? It seems wrong that bumping tor from 0.4.6.7 to 0.4.6.8 would require patches to this project since it only builds tor and then handles the startup/shutdown procedure.

eighthave avatar Nov 19 '21 08:11 eighthave

There are always 12 additional patches applied to the tor submodule for the orbot interface.

Here is an example of a tor branch that is rebased against those 12 additional commits for orbot:

https://github.com/syphyr/tor/commits/release-0.4.6

When I say "we", I mean this project.

syphyr avatar Nov 19 '21 09:11 syphyr

Because the tor submodule is getting rebased each time there is a new tor version, it is not possible to reference it without permission to the guardian project tor repo. So that's why I could not include tor in the list of library updates.

syphyr avatar Nov 19 '21 10:11 syphyr

I pushed a trial update of guardianproject/tor to 0.4.6.8: https://gitlab.com/eighthave/tor/-/pipelines/412437311

eighthave avatar Nov 19 '21 11:11 eighthave

I assume those two failures about "On Android, LOCALSTATEDIR should be set to static path" are unrelated?

syphyr avatar Nov 19 '21 18:11 syphyr

It's fixed here: https://gitlab.com/eighthave/tor/-/pipelines/412559294

eighthave avatar Nov 23 '21 14:11 eighthave

@grote @sysrqb should this be merged?

eighthave avatar Dec 16 '21 08:12 eighthave

Tor Browser 11.5a1-build2 is using:

  • libevent 2.1.12
  • OpenSSL 1.1.1l
  • zstd 1.4.8

I wonder if zstd 1.4 -> 1.5 is a big change?

eighthave avatar Dec 16 '21 08:12 eighthave

I'm going to cherry-pick openssl 1.1.1l and libevent 2.1.12 in the meantime. Thanks @syphyr!

eighthave avatar Dec 16 '21 15:12 eighthave

I included the OpenSSL and libevent bumps:

  • 61e868b067a13b433f291264818fca8d88c9d1f1
  • 3887f71bf19e343d6a166c2ba8ecd315ccb95f1e

And this bonus catch:

  • e8fd390926c66a166279219279e8d4679285d618

eighthave avatar Dec 17 '21 08:12 eighthave

The latest stable branch for xz is "v5.2", which fixes the following CVE: https://git.tukaani.org/?p=xz.git;a=commit;h=69d1b3fc29677af8ade8dc15dba83f0589cb63d6. So, it is safe to assume the current version of xz used here is vulnerable.

syphyr avatar Aug 08 '22 20:08 syphyr

Updated xz to v5.2; libevent is at 2.1.12; tor is now at 0.4.7.11.

zstd is still at 1.4.8

n8fr8 avatar Nov 30 '22 21:11 n8fr8