Marek Marczykowski-Górecki wrote:
> On Sat, Apr 12, 2014 at 09:55:42AM +0200, Abel Luck wrote:
>> Saw this, and will reply next week!
>
>> ~abel
>
>> Marek Marczykowski-Górecki:
>>> On 09.04.2014 20:08, Abel Luck wrote:
>>>> Hi Devs,
>>>>
>>>> I've pushed a few patches to qubes-tor to my repo.
>>>>
>>>>
>>>> https://github.com/abeluck/qubes-tor/commits/master
>>>>
>>>> One of the commits is pretty critical. Mike Perry of Tor
>>>> Project discovered a bug in the Linux kernel that leaks FIN
>>>> packets under certain circumstances bypassing transparent
>>>> proxying rules.
>>>>
>>>> read more about it here:
>>>>
>>>> https://lists.torproject.org/pipermail/tor-talk/2014-March/032503.html
>>>
[...]
>>>
>>>> It's likely only the first pair is needed, and you may want
>>>> to comment out the --ctstate LOG line as I did to limit
>>>> noise for successfully handled --ctstate INVALID DROP
>>>> blocks.
>>>
>>>> I did test this with the above repro method, and --ctstate
>>>> INVALID did appear sufficient by itself, but reports of any
>>>> --ctstate DROP rule bypass happening will be tremendously
>>>> useful (which will result in the later LOG lines being hit,
>>>> and sending output to 'dmesg').
>>>
>>> Also iptables manual says that the "state" module is an
>>> obsolete version of "conntrack".
>
> I didn't get any reply... Anyway applied, a year later.
>
So, does this mean that Qubes TorVM users have been leaking packets
for well over a year now? Sounds pretty bad. Is it recommended not to
use TorVM if [ano|pseudo]nymity is desired (which is probably the only
reason to use it in the first place), at least until this patch
becomes available?
BTW, how do/have Whonix and Qubes+Whonix fare(d) wrt this bug?
Sounds like there was some controversy over how to test for it,
esp. on different isolation methods (physical, Xen, KVM, VirtualBox,
etc.):
https://www.whonix.org/forum/index.php?topic=331.0
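For readers who want to see what the "--ctstate INVALID DROP" fix discussed above looks like in practice, here is an added example. It is not the qubes-tor firewall script, not the rules from Mike Perry's tor-talk post, and not anything the thread participants wrote; the chain selection (FORWARD for client-VM traffic transiting a TorVM-style gateway, OUTPUT for the gateway's own sockets), the function names, the log prefix and the dry-run convention are all assumptions made for illustration. The security point it encodes: REDIRECT lives in the nat table, which netfilter consults only for the first packet of a NEW connection, so a packet conntrack classifies as INVALID never reaches the redirect and will be routed to its real destination unless a filter rule drops it first. The rules use the conntrack match rather than the obsolete state module, per the remark in the quoted reply.

```shell
#!/bin/sh
# Added example, not qubes-tor's own firewall script: filter-table rules
# that keep conntrack-INVALID packets from slipping past a REDIRECT-based
# transparent proxy. The nat table (where REDIRECT lives) is consulted only
# for the first packet of a NEW connection; a packet conntrack classifies
# as INVALID (e.g. a FIN arriving after the tracking entry is gone) skips
# nat entirely and, absent a filter rule, is routed to the real destination.
#
# Set IPTABLES=echo for a dry run that prints the rules instead of loading
# them (no root, no netfilter needed).
IPTABLES="${IPTABLES:-iptables}"

# Chains to guard (assumption for this example): FORWARD for traffic from
# client VMs transiting a TorVM-style gateway, OUTPUT for the gateway's own
# sockets, which is where a local reproducer would observe the leak.
LEAK_GUARD_CHAINS="FORWARD OUTPUT"

# add_leak_guard_rules [log]
#   Inserts "--ctstate INVALID -j DROP" at the top of each guarded chain so
#   it wins over any later ACCEPT. With the "log" argument a LOG rule is
#   placed in front of the DROP so hits show up in dmesg; leave it off once
#   confirmed working, since INVALID packets are normal background noise.
add_leak_guard_rules() {
    want_log="${1:-nolog}"
    for chain in $LEAK_GUARD_CHAINS; do
        $IPTABLES -t filter -I "$chain" 1 \
            -m conntrack --ctstate INVALID -j DROP
        if [ "$want_log" = "log" ]; then
            # Inserted at position 1 after the DROP, so it ends up above it.
            $IPTABLES -t filter -I "$chain" 1 \
                -m conntrack --ctstate INVALID \
                -j LOG --log-prefix "transproxy-leak INVALID: "
        fi
    done
}

# count_leak_guard_rules [log]
#   Dry-run helper: prints how many rules add_leak_guard_rules would load.
#   Runs in a subshell so the IPTABLES override does not leak out.
count_leak_guard_rules() {
    ( IPTABLES=echo; add_leak_guard_rules "$1" ) | grep -c .
}

# Apply for real only when invoked explicitly, e.g.:
#   sh leak-guard.sh apply log
if [ "${1:-}" = "apply" ]; then
    add_leak_guard_rules "${2:-nolog}"
fi
```

After applying on a real gateway, `iptables -S FORWARD` and `iptables -S OUTPUT` should show the INVALID DROP (and, if enabled, LOG) lines above every ACCEPT; if any LOG line fires in `dmesg` during normal use, that is exactly the kind of report the quoted message asks for.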