Bug 904441 - <net-p2p/freenet-0.7.5_p1497: Path folding (deanonymization) vulnerability
Summary: <net-p2p/freenet-0.7.5_p1497: Path folding (deanonymization) vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa+]
Keywords: PullRequest
Depends on: 907210
Blocks:
Reported: 2023-04-17 09:43 UTC by Sam James
Modified: 2024-07-24 06:11 UTC

See Also:
Package list:
Runtime testing required: ---


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-04-17 09:43:38 UTC
From https://github.com/hyphanet/fred/releases/tag/build01497:
"""
Freenet 0.7.5 build 1497 is now available. [overview]

This release fixes a severe vulnerability in path folding that allowed
to distinguish between downloaders and forwarders with an adapted
node that is directly connected via opennet.

This vulnerability was reported to the Project by Prof. Ming Yang and
Prof. Zhen Ling from the School of Computer Science and Engineering,
Southeast University, Prof. Xinwen Fu from the Miner School of
Computer & Information Sciences, University of Massachusetts Lowell,
and Yonghuan Xu from School of Cyber Science and Engineering,
Southeast University.

Yonghuan also provided support in fixing the vulnerability. Thank you
very much!

To reduce the probability of hitting other problems in path folding,
we also merged the pull-request to completely avoid path folding at
HTL 17 or higher.
"""
Comment 1 Larry the Git Cow gentoo-dev 2023-05-26 10:24:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=26ab26e07b2cbfb44b62a3854a4f54b9a9344e2b

commit 26ab26e07b2cbfb44b62a3854a4f54b9a9344e2b
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2023-04-21 11:14:01 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-05-26 10:24:08 +0000

    net-p2p/freenet: add 0.7.5_p1497
    
    Switches to java-pkg-simple
    Bundles binary version of pebble
    Depends on freenet-ext with much smaller download than net-libs/nativebiginteger
    EAPI 8
    Enables tests
    Changes test dependency hamcrest-*-1.3 -> hamcrest-2
    Skips two failing tests via patch
    Adds verify-sig
    Adds Add-opens: to MANIFEST.MF for runtime
    Updates metadata remote-id
    Partly moves handling of freenet-wrapper.conf to src_compile
    Depends on bug #878869
    
    Bug: https://bugs.gentoo.org/904441
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/30643
    Signed-off-by: Sam James <sam@gentoo.org>

 net-p2p/freenet/Manifest                           |   4 +
 .../freenet-0.7.5_p1497-ignore-failing-tests.patch |  37 ++++
 net-p2p/freenet/freenet-0.7.5_p1497.ebuild         | 226 +++++++++++++++++++++
 net-p2p/freenet/metadata.xml                       |   2 +-
 4 files changed, 268 insertions(+), 1 deletion(-)
Comment 2 Larry the Git Cow gentoo-dev 2023-05-30 03:41:09 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6062a50abf0264d32916f1337aab70d5318bf7ee

commit 6062a50abf0264d32916f1337aab70d5318bf7ee
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2023-05-26 15:06:20 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-05-30 03:40:56 +0000

    net-p2p/freenet: drop versions
    
    Bug: https://bugs.gentoo.org/904441
    Closes: https://bugs.gentoo.org/899216
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/31223
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 net-p2p/freenet/Manifest                           |   4 -
 net-p2p/freenet/files/0.7.5_p1475-remove-git.patch |  24 --
 net-p2p/freenet/files/0.7.5_p1483-ext.patch        |  22 --
 .../files/0.7.5_p1491-update-for-jna-5.x.patch     |  31 --
 net-p2p/freenet/files/build-clean.xml              | 421 ---------------------
 net-p2p/freenet/files/build.properties             |  95 -----
 .../freenet/files/freenet-0.7.5_p1474-wrapper.conf |  27 --
 net-p2p/freenet/files/freenet.initd                |  11 -
 net-p2p/freenet/files/freenet.old                  |  18 -
 net-p2p/freenet/freenet-0.7.5_p1491-r1.ebuild      | 165 --------
 net-p2p/freenet/freenet-0.7.5_p1491.ebuild         | 164 --------
 net-p2p/freenet/freenet-0.7.5_p1492.ebuild         | 165 --------
 net-p2p/freenet/freenet-0.7.5_p1493-r1.ebuild      | 178 ---------
 net-p2p/freenet/freenet-0.7.5_p1493.ebuild         | 164 --------
 14 files changed, 1489 deletions(-)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-30 03:43:07 UTC
Thanks!
Comment 4 Larry the Git Cow gentoo-dev 2024-07-24 06:10:59 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=13a66c5def0d04b908b4e9faf4975aebf3c111a0

commit 13a66c5def0d04b908b4e9faf4975aebf3c111a0
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-07-24 06:10:44 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-07-24 06:10:57 +0000

    [ GLSA 202407-28 ] Freenet: Deanonymization Vulnerability
    
    Bug: https://bugs.gentoo.org/904441
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202407-28.xml | 45 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)