author | Nick Mathewson <nickm@torproject.org> | 2012-08-03 13:33:36 -0400 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2012-08-03 13:33:36 -0400 |
commit | 909f18910efddc107a3602529c7029b40bf0aeed (patch) | |
tree | c7ac32ee55210e51c5558e3fd55fe6714801b619 | |
parent | fce6eb1c44e87bc20e1cf62bd46d8fe6e356008e (diff) | |
parent | d48cebc5e498b0ae673635f40fc57cdddab45d5b (diff) | |
Merge remote-tracking branch 'origin/maint-0.2.2' into release-0.2.2
-rw-r--r-- | changes/bug6530 | 5 | ||||
-rw-r--r-- | changes/geoip-june2012 | 3 | ||||
-rw-r--r-- | changes/pathsel-BUGGY-a | 14 | ||||
-rw-r--r-- | changes/revert-geoip-may2012 | 6 | ||||
-rw-r--r-- | src/or/routerlist.c | 22 | ||||
-rw-r--r-- | src/or/routerparse.c | 2 |
6 files changed, 47 insertions, 5 deletions
diff --git a/changes/bug6530 b/changes/bug6530
new file mode 100644
index 0000000000..825bbb752a
--- /dev/null
+++ b/changes/bug6530
@@ -0,0 +1,5 @@
+ o Major security fixes:
+ - Avoid a read of uninitializd RAM when reading a vote or consensus
+ document with an unrecognized flavor name. This could lead to a
+ remote crash bug. Fixes bug 6530; bugfix on 0.2.2.6-alpha.
+
diff --git a/changes/geoip-june2012 b/changes/geoip-june2012
new file mode 100644
index 0000000000..f73bf35529
--- /dev/null
+++ b/changes/geoip-june2012
@@ -0,0 +1,3 @@
+ o Minor features:
+ - Update to the June 6 2012 Maxmind GeoLite Country database.
+
diff --git a/changes/pathsel-BUGGY-a b/changes/pathsel-BUGGY-a
new file mode 100644
index 0000000000..2e642c7953
--- /dev/null
+++ b/changes/pathsel-BUGGY-a
@@ -0,0 +1,14 @@
+ o Security fixes:
+
+ - Try to leak less information about what relays a client is
+ choosing to a side-channel attacker. Previously, a Tor client
+ would stop iterating through the list of available relays as
+ soon as it had chosen one, thus finishing a little earlier
+ when it picked a router earlier in the list. If an attacker
+ can recover this timing information (nontrivial but not
+ proven to be impossible), they could learn some coarse-
+ grained information about which relays a client was picking
+ (middle nodes in particular are likelier to be affected than
+ exits). The timing attack might be mitigated by other factors
+ (see bug #6537 for some discussion), but it's best not to
+ take chances. Fixes bug 6537; bugfix on 0.0.8rc1.
diff --git a/changes/revert-geoip-may2012 b/changes/revert-geoip-may2012
new file mode 100644
index 0000000000..e420947a34
--- /dev/null
+++ b/changes/revert-geoip-may2012
@@ -0,0 +1,6 @@ + o Major bugfixes: + - Revert to the May 1 2012 Maxmind GeoLite Country database. In the + June 2012 database, Maxmind marked many Tor relays as country "A1", + which will cause risky behavior for clients that set EntryNodes + or ExitNodes. Addresses bug 6334; bugfix on 0.2.3.17-beta. + diff --git a/src/or/routerlist.c b/src/or/routerlist.c index d21b40c57d..30c20bf6e6 100644 --- a/src/or/routerlist.c +++ b/src/or/routerlist.c @@ -1674,6 +1674,8 @@ smartlist_choose_by_bandwidth_weights(smartlist_t *sl, double *bandwidths; double tmp = 0; unsigned int i; + unsigned int i_chosen; + unsigned int i_has_been_chosen; int have_unknown = 0; /* true iff sl contains element not in consensus. */ /* Can't choose exit and guard at same time */ @@ -1835,12 +1837,17 @@ smartlist_choose_by_bandwidth_weights(smartlist_t *sl, * from 1 below. See bug 1203 for details. */ /* Last, count through sl until we get to the element we picked */ + i_chosen = (unsigned)smartlist_len(sl); + i_has_been_chosen = 0; tmp = 0.0; for (i=0; i < (unsigned)smartlist_len(sl); i++) { tmp += bandwidths[i]; - if (tmp >= rand_bw) - break; + if (tmp >= rand_bw && !i_has_been_chosen) { + i_chosen = i; + i_has_been_chosen = 1; + } } + i = i_chosen; if (i == (unsigned)smartlist_len(sl)) { /* This was once possible due to round-off error, but shouldn't be able @@ -1877,6 +1884,8 @@ smartlist_choose_by_bandwidth(smartlist_t *sl, bandwidth_weight_rule_t rule, int statuses) { unsigned int i; + unsigned int i_chosen; + unsigned int i_has_been_chosen; routerinfo_t *router; routerstatus_t *status=NULL; int32_t *bandwidths; @@ -2092,6 +2101,8 @@ smartlist_choose_by_bandwidth(smartlist_t *sl, bandwidth_weight_rule_t rule, /* Last, count through sl until we get to the element we picked */ tmp = 0; + i_chosen = (unsigned)smartlist_len(sl); + i_has_been_chosen = 0; for (i=0; i < (unsigned)smartlist_len(sl); i++) { is_exit = bitarray_is_set(exit_bits, i); is_guard = bitarray_is_set(guard_bits, i); 
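Review bot: The retained comment `/* Last, count through sl until we get to the element we picked */` above the loop in smartlist_choose_by_bandwidth_weights (hunk at -1835) no longer matches the new code, and nothing on the new side says that dropping the `break` is deliberate. I would replace it with `/* Walk the whole list even after a match, so run time does not depend on which element was picked (bug 6537); do not add an early exit. */`, and do the same for the identical loop in smartlist_choose_by_bandwidth (hunks at -2092 and -2106). The new `if (tmp >= rand_bw && !i_has_been_chosen)` still branches on the comparison result, so the change most likely reduces the timing signal rather than making the loop constant-time; that limit is worth stating in the comment. Both functions start and end outside these hunks.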
@@ -2106,9 +2117,12 @@ smartlist_choose_by_bandwidth(smartlist_t *sl, bandwidth_weight_rule_t rule, else tmp += bandwidths[i]; - if (tmp >= rand_bw) - break; + if (tmp >= rand_bw && !i_has_been_chosen) { + i_chosen = i; + i_has_been_chosen = 1; + } } + i = i_chosen; if (i == (unsigned)smartlist_len(sl)) { /* This was once possible due to round-off error, but shouldn't be able * to occur any longer. */ diff --git a/src/or/routerparse.c b/src/or/routerparse.c index 8c4f582c07..2ff546bb1d 100644 --- a/src/or/routerparse.c +++ b/src/or/routerparse.c @@ -2821,7 +2821,7 @@ networkstatus_parse_vote_from_string(const char *s, const char **eos_out, int flavor = networkstatus_parse_flavor_name(tok->args[1]); if (flavor < 0) { log_warn(LD_DIR, "Can't parse document with unknown flavor %s", - escaped(tok->args[2])); + escaped(tok->args[1])); goto err; } ns->flavor = flav = flavor; |
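Review bot: No regression test accompanies the `escaped(tok->args[1])` fix in networkstatus_parse_vote_from_string: the diffstat lists no test file, although the changes entry describes this as a possible remote crash. A unit test that parses a vote or consensus with an unrecognized flavor name and expects a clean parse failure would keep the index from regressing. A short comment at the log call would also help, for example `/* Log the flavor name we just failed to parse (args[1]); args[2] may not exist. */`. The argument-count check for this token is outside the hunk, so confirm that it guarantees args[1] is present before this call; the function body starts and ends outside the hunk.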