904441 – <net-p2p/freenet-0.7.5_p1497: Path folding (deanonymization) vulnerability

Bug 904441 - <net-p2p/freenet-0.7.5_p1497: Path folding (deanonymization) vulnerability

Summary: <net-p2p/freenet-0.7.5_p1497: Path folding (deanonymization) vulnerability

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	A3 [glsa+]
Keywords:	PullRequest

Depends on:	907210
Blocks:
	Show dependency tree

Reported:	2023-04-17 09:43 UTC by Sam James
Modified:	2024-07-24 06:11 UTC (History)
CC List:	1 user (show)

See Also:	https://github.com/gentoo/gentoo/pull/30643 https://github.com/gentoo/gentoo/pull/31223
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2023-04-17 09:43:38 UTC

From https://github.com/hyphanet/fred/releases/tag/build01497:
"""
Freenet 0.7.5 build 1497 is now available. [overview]

This release fixes a severe vulnerability in path folding that allowed
to distinguish between downloaders and forwarders with an adapted
node that is directly connected via opennet.

This vulnerability was reported to the Project by Prof. Ming Yang and
Prof. Zhen Ling from the School of Computer Science and Engineering,
Southeast University, Prof. Xinwen Fu from the Miner School of
Computer & Information Sciences, University of Massachusetts Lowell,
and Yonghuan Xu from School of Cyber Science and Engineering,
Southeast university.

Yonghuan also provided support in fixing the vulnerability. Thank you
very much!

To reduce the probability of hitting other problems in path folding,
we also merged the pull-request to completely avoid path folding at
HTL 17 or higher.
"""

Comment 1 Larry the Git Cow gentoo-dev

2023-05-26 10:24:25 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=26ab26e07b2cbfb44b62a3854a4f54b9a9344e2b

commit 26ab26e07b2cbfb44b62a3854a4f54b9a9344e2b
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2023-04-21 11:14:01 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-05-26 10:24:08 +0000

    net-p2p/freenet: add 0.7.5_p1497
    
    Switches to java-pkg-simple
    Bundles binary version of pebble
    Depends on freenet-ext with much smaller download than net-libs/nativebiginteger
    EAPI 8
    Enables tests
    Changes test dependency hamcrest-*-1.3 -> hamcrest-2
    Skips two failing tests via patch
    Adds verify-sig
    Adds Add-opens: to MANIFEST.MF for runtime
    Updates metadata remote-id
    Partly moves handling of freenet-wrapper.conf to src_compile
    Depends on bug #878869
    
    Bug: https://bugs.gentoo.org/904441
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/30643
    Signed-off-by: Sam James <sam@gentoo.org>

 net-p2p/freenet/Manifest                           |   4 +
 .../freenet-0.7.5_p1497-ignore-failing-tests.patch |  37 ++++
 net-p2p/freenet/freenet-0.7.5_p1497.ebuild         | 226 +++++++++++++++++++++
 net-p2p/freenet/metadata.xml                       |   2 +-
 4 files changed, 268 insertions(+), 1 deletion(-)

Comment 2 Larry the Git Cow gentoo-dev

2023-05-30 03:41:09 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6062a50abf0264d32916f1337aab70d5318bf7ee

commit 6062a50abf0264d32916f1337aab70d5318bf7ee
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2023-05-26 15:06:20 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-05-30 03:40:56 +0000

    net-p2p/freenet: drop versions
    
    Bug: https://bugs.gentoo.org/904441
    Closes: https://bugs.gentoo.org/899216
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/31223
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 net-p2p/freenet/Manifest                           |   4 -
 net-p2p/freenet/files/0.7.5_p1475-remove-git.patch |  24 --
 net-p2p/freenet/files/0.7.5_p1483-ext.patch        |  22 --
 .../files/0.7.5_p1491-update-for-jna-5.x.patch     |  31 --
 net-p2p/freenet/files/build-clean.xml              | 421 ---------------------
 net-p2p/freenet/files/build.properties             |  95 -----
 .../freenet/files/freenet-0.7.5_p1474-wrapper.conf |  27 --
 net-p2p/freenet/files/freenet.initd                |  11 -
 net-p2p/freenet/files/freenet.old                  |  18 -
 net-p2p/freenet/freenet-0.7.5_p1491-r1.ebuild      | 165 --------
 net-p2p/freenet/freenet-0.7.5_p1491.ebuild         | 164 --------
 net-p2p/freenet/freenet-0.7.5_p1492.ebuild         | 165 --------
 net-p2p/freenet/freenet-0.7.5_p1493-r1.ebuild      | 178 ---------
 net-p2p/freenet/freenet-0.7.5_p1493.ebuild         | 164 --------
 14 files changed, 1489 deletions(-)

Comment 3 John Helmert III archtester

2023-05-30 03:43:07 UTC

Thanks!

Comment 4 Larry the Git Cow gentoo-dev

2024-07-24 06:10:59 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=13a66c5def0d04b908b4e9faf4975aebf3c111a0

commit 13a66c5def0d04b908b4e9faf4975aebf3c111a0
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-07-24 06:10:44 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-07-24 06:10:57 +0000

    [ GLSA 202407-28 ] Freenet: Deanonymization Vulnerability
    
    Bug: https://bugs.gentoo.org/904441
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202407-28.xml | 45 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)