Commit 77358351 authored by Tails developers's avatar Tails developers

Merge branch 'stable'

parents 3a6ae8e1 50c81b42
......@@ -65,7 +65,7 @@ chmod -R go+rX config/chroot_sources
# build the image
: ${MKSQUASHFS_OPTIONS:='-comp xz'}
: ${MKSQUASHFS_OPTIONS:='-comp xz -Xbcj x86 -b 1024K -Xdict-size 1024K'}
MKSQUASHFS_OPTIONS="${MKSQUASHFS_OPTIONS} -wildcards -ef chroot/usr/share/amnesia/build/mksquashfs-excludes"
export MKSQUASHFS_OPTIONS
......
......@@ -35,7 +35,7 @@ $RUN_LB_CONFIG \
--memtest none \
--packages-lists="standard" \
--tasks="standard" \
--linux-packages="linux-image-3.14-1" \
--linux-packages="linux-image-3.14-2" \
--syslinux-menu vesamenu \
--syslinux-splash data/splash.png \
--syslinux-timeout 4 \
......
......@@ -43,11 +43,13 @@ cp "$CHROOT_SYSLINUX_MBR" "$BINARY_MBR_DIR/mbr.bin"
cat chroot/etc/apt/sources.list chroot/etc/apt/sources.list.d/*.list \
| sed --regexp-extended -e 's,^deb(\s+),deb-src\1,' \
> "$CHROOT_TEMP_APT_SOURCES"
mv chroot/etc/apt/apt.conf.d/{,.}0000runtime-proxy
Chroot chroot apt-get --yes update
Chroot chroot apt-get --yes install dpkg-dev
Chroot chroot apt-get source syslinux="$(syslinux_deb_version_in_chroot)"
cp chroot/syslinux-*/bios/win32/syslinux.exe "$WIN32_BINARY_UTILS_DIR/"
rm -r chroot/syslinux*
rm "$CHROOT_TEMP_APT_SOURCES"
mv chroot/etc/apt/apt.conf.d/{.,}0000runtime-proxy
Chroot chroot apt-get --yes update
Chroot chroot apt-get --yes purge dpkg-dev make # dpkg-dev depends on make
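Review bot: The second `mv` restores `0000runtime-proxy` before the trailing `apt-get --yes update` and `apt-get --yes purge`, so those two APT runs still see the runtime proxy configuration that the first `mv` was added to hide. If that is not intended, move `mv chroot/etc/apt/apt.conf.d/{.,}0000runtime-proxy` to after the `purge` line. The restore also runs only on the success path, so a failure between the two `mv` lines leaves the snippet hidden in the chroot; a `trap` on EXIT would cover that. The `{,.}` brace expansion needs bash, and the script's interpreter line is outside the hunk.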
......@@ -114,19 +114,19 @@ Package: linux-headers-amd64
Pin: release o=Debian,a=unstable
Pin-Priority: 999
Package: linux-headers-3.14-1-common
Package: linux-headers-3.14-2-common
Pin: release o=Debian,a=unstable
Pin-Priority: 999
Package: linux-headers-3.14-1-486
Package: linux-headers-3.14-2-486
Pin: release o=Debian,a=unstable
Pin-Priority: 999
Package: linux-headers-3.14-1-686-pae
Package: linux-headers-3.14-2-686-pae
Pin: release o=Debian,a=unstable
Pin-Priority: 999
Package: linux-headers-3.14-1-amd64
Package: linux-headers-3.14-2-amd64
Pin: release o=Debian,a=unstable
Pin-Priority: 999
......@@ -142,15 +142,15 @@ Package: linux-image-amd64
Pin: release o=Debian,a=unstable
Pin-Priority: 999
Package: linux-image-3.14-1-486
Package: linux-image-3.14-2-486
Pin: release o=Debian,a=unstable
Pin-Priority: 999
Package: linux-image-3.14-1-686-pae
Package: linux-image-3.14-2-686-pae
Pin: release o=Debian,a=unstable
Pin-Priority: 999
Package: linux-image-3.14-1-amd64
Package: linux-image-3.14-2-amd64
Pin: release o=Debian,a=unstable
Pin-Priority: 999
......
......@@ -30,6 +30,7 @@ sed -i 's|^.*\(wrapper\.java\.additional\.6=-Djava\.net\.preferIPv6Addresses=\).
# * HiddenMode: Enabled
# * In-I2P Network Updates: Disabled
# * Inbound connections: Disabled (setting is "i2cp.ntcp.autoip")
# * Disable I2P plugins
cat > "$I2P/router.config" << EOF
# NOTE: This I2P config file must use UTF-8 encoding
i2cp.disableInterface=true
......@@ -38,4 +39,9 @@ i2np.ntcp.autoip=false
i2np.udp.ipv6=false
router.isHidden=true
router.updateDisabled=true
router.enablePlugins=false
EOF
cat > "$I2P/susimail.config" << EOF
susimail.pop3.leave.on.server=true
EOF
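Review bot: The settings list in the comment names the inbound-connection key as `i2cp.ntcp.autoip`, while the key written to `router.config` (visible in the second hunk's header context) is `i2np.ntcp.autoip`; the comment should read `# * Inbound connections: Disabled (setting is "i2np.ntcp.autoip")`. The new bullet `# * Disable I2P plugins` could likewise name its key, `router.enablePlugins`, so the list and the heredoc can be checked against each other. Both heredocs use an unquoted `EOF`, which is fine for the current bodies but would expand any `$` added later; `<< 'EOF'` avoids that.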
#!/bin/sh
set -u
set -e
# Everything moved by this hook script will be reversed in the event that
# the string "i2p" is entered at a boot prompt
DEST="/usr/share/tails/i2p-disabled"
[ -d "/usr/share/i2p" ] || return 0
mkdir "$DEST"
mv -f /usr/share/i2p "$DEST"
mv -f /usr/sbin/wrapper "$DEST"
mv -f /usr/share/applications/i2p.desktop "$DEST"
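Review bot: The guard `[ -d "/usr/share/i2p" ] || return 0` uses `return` at the top level of a script that starts with `#!/bin/sh`; outside a function or a sourced file POSIX leaves that unspecified, and bash reports an error that `set -e` would turn into a failed hook. `[ -d /usr/share/i2p ] || exit 0` states the intent for an executed hook (if the build sources it instead, `return` is right and deserves a comment). `mkdir "$DEST"` also aborts the hook if the directory already exists, so `mkdir -p "$DEST"` is safer on a reused chroot. A short comment that the firewall's `$use_i2p` test keys off the absence of `/usr/share/i2p` would tie this hook to the ferm rules that depend on it.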
......@@ -3,6 +3,11 @@
# Configuration file for ferm(1).
#
# I2P rules that grant access to the "i2psvc" user (those with $use_i2p) will
# only be enabled if the string "i2p" is entered at the boot prompt.
# Deny or reject rules affecting "i2psvc" will always be set.
def $use_i2p = `test -d /usr/share/i2p && echo 1 || echo 0`;
# IPv4
domain ip {
table filter {
......@@ -62,6 +67,11 @@ domain ip {
mod owner uid-owner amnesia ACCEPT;
}
# Whitelist access to Tor's DNSPort so I2P can resolve hostnames when bootstrapping
daddr 127.0.0.1 proto udp dport 5353 {
@if $use_i2p mod owner uid-owner i2psvc ACCEPT;
}
# White-list access to ttdnsd
daddr 127.0.0.2 proto udp dport 53 {
mod owner uid-owner amnesia ACCEPT;
......@@ -76,12 +86,24 @@ domain ip {
mod owner uid-owner amnesia ACCEPT;
}
# White-list access to I2P
# White-list access to I2P services for both the amnesia user (client) and i2psvc (server)
# For more information, see https://tails/boum.org/contribute/design/I2P and https://geti2p.net/ports
daddr 127.0.0.1 proto tcp syn mod multiport destination-ports (2827 4444 4445 6668 7656 7657 7658 7659 7660 8998) {
mod owner uid-owner amnesia ACCEPT;
daddr 127.0.0.1 proto tcp syn mod multiport destination-ports (4444 4445 6668 7656 7657 7658 7659 7660 8998) {
@if $use_i2p mod owner uid-owner amnesia ACCEPT;
}
# Whitelist access to I2P services for the i2psvc user,
# otherwise mail and eepsite hosting won't work.
daddr 127.0.0.1 proto tcp syn mod multiport destination-ports (7658 7659 7660) {
@if $use_i2p mod owner uid-owner i2psvc ACCEPT;
}
# White-list access to the java wrapper's (used by I2P) control ports
# (see: http://wrapper.tanukisoftware.com/doc/english/prop-port.html)
# If, for example, port 31000 is in use, it'll try the next one in sequence.
daddr 127.0.0.1 proto tcp sport (31000 31001 31002) dport (32000 32001 32002) {
@if $use_i2p mod owner uid-owner i2psvc ACCEPT;
}
# White-list access to CUPS
daddr 127.0.0.1 proto tcp syn dport 631 {
......@@ -104,19 +126,22 @@ domain ip {
}
# Local network connections should not go through Tor but DNS shall be
# rejected.
# rejected. I2P is explicitly blocked from communicating with the LAN.
# (Note that we exclude the VirtualAddrNetwork used for .onion:s here.)
daddr (10.0.0.0/8 172.16.0.0/12 192.168.0.0/16) @subchain "lan" {
proto tcp dport domain REJECT;
proto udp dport domain REJECT;
mod owner uid-owner i2psvc REJECT;
ACCEPT;
}
# Tor is allowed to do anything it wants to.
mod owner uid-owner debian-tor ACCEPT;
# i2p is allowed to do anything it wants to.
mod owner uid-owner i2psvc ACCEPT;
# i2p is allowed to do anything it wants to on the internet.
outerface ! lo mod owner uid-owner i2psvc {
@if $use_i2p proto (tcp udp) ACCEPT;
}
# Everything else is logged and dropped.
LOG log-prefix "Dropped outbound packet: " log-level debug log-uid;
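Review bot: The "lan" subchain rejects `i2psvc` only for 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, while the new `outerface ! lo mod owner uid-owner i2psvc` block accepts all TCP and UDP on non-loopback interfaces when `$use_i2p` is set. Unless earlier rules outside these hunks already cover them, link-local (169.254.0.0/16), multicast and broadcast destinations would fall through to that ACCEPT, so the comment "explicitly blocked from communicating with the LAN" holds for the RFC 1918 ranges only; consider an `i2psvc` REJECT for those destinations ahead of it. `$use_i2p` is computed with `test -d /usr/share/i2p` when ferm loads the file, so the ACCEPT rules depend on the boot-time hook having run first; a comment saying that a late hook leaves I2P blocked (fail closed) would help the next reader. The design URL in the new comment should read `https://tails.boum.org/contribute/design/I2P`.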
......
......@@ -73,6 +73,7 @@ pref("dom.enable_performance", false);
pref("plugin.expose_full_path", false);
pref("browser.zoom.siteSpecific", false);
pref("intl.charset.default", "windows-1252");
pref("browser.link.open_newwindow.restriction", 0); // Bug 9881: Open popups in new tabs (to avoid fullscreen popups)
// pref("intl.accept_languages", "en-us, en"); // Set by Torbutton
// pref("intl.accept_charsets", "iso-8859-1,*,utf-8"); // Set by Torbutton
// pref("intl.charsetmenu.browser.cache", "UTF-8"); // Set by Torbutton
......
#!/bin/sh
# This script reverses everything done by config/chroot_local-hooks/97_remove_i2p
# when the string "i2p" is added to the boot prompt.
SRC="/usr/share/tails/i2p-disabled"
Install_I2P(){
mv "$SRC/wrapper" /usr/sbin/wrapper
mv "$SRC/i2p.desktop" /usr/share/applications
mv "$SRC/i2p" /usr/share
rmdir "$SRC"
}
Add_Sudo_Config(){
echo "amnesia ALL = NOPASSWD: /etc/init.d/i2p" > /etc/sudoers.d/zzz_i2p
chown root:root /etc/sudoers.d/zzz_i2p
chmod 0440 /etc/sudoers.d/zzz_i2p
}
if grep -qw "i2p" /proc/cmdline && [ -d "$SRC" ]; then
Install_I2P
Add_Sudo_Config
fi
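Review bot: `Add_Sudo_Config` lets `amnesia` run `/etc/init.d/i2p` as root without a password and with any arguments, because the sudoers entry names the command only. Listing just the actions the launcher needs (for example `/etc/init.d/i2p start`; the required set is not visible here) narrows that grant. The file is also created with the default umask and only afterwards set to 0440; `umask 0337` before the `echo`, or `install -m 0440`, closes that window, and `visudo -c -f /etc/sudoers.d/zzz_i2p` would catch a malformed line. `Install_I2P` has no error handling, so a failed `mv` still leads to the sudo rule being written; chaining the `mv` calls with `&&` and calling `Install_I2P && Add_Sudo_Config` keeps the two in step.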
......@@ -184,7 +184,7 @@ sub is_not_fixed {
my $entry = shift;
assert_isa($entry, 'XML::Atom::Entry');
! grep { 'security/fixed' } categories($entry);
! grep { $_ eq 'security/fixed' } categories($entry);
}
=head2 unfixed_entries
......
......@@ -77,6 +77,7 @@ audacity
barry-util
bilibop-udev
cups
cups-pk-helper
cryptsetup
rsync
bash-completion
......@@ -117,6 +118,7 @@ gnome-system-monitor
gnome-terminal
gnome-themes
gnome-themes-standard
gnome-user-guide
gnupg-agent
gnupg-curl
gobi-loader
......@@ -402,3 +404,5 @@ wireless-regdb
python-serial
i2p
# Prevent java 6 from being installed
openjdk-7-jre
diff -Naur orig/etc/dhcp/dhclient.conf new/etc/dhcp/dhclient.conf
--- orig/etc/dhcp/dhclient.conf 2014-07-31 22:31:11.363605131 +0200
+++ new/etc/dhcp/dhclient.conf 2014-07-31 22:31:43.535349519 +0200
@@ -14,7 +14,8 @@
option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;
#send host-name "andare.fugue.com";
-send host-name = gethostname();
+#send host-name = gethostname();
+supersede host-name "amnesia";
#send dhcp-client-identifier 1:0:a0:24:ab:fb:9c;
#send dhcp-lease-time 3600;
#supersede domain-name "fugue.com home.vix.com";
diff -Naur orig/etc/NetworkManager/NetworkManager.conf new/etc/NetworkManager/NetworkManager.conf
--- orig/etc/NetworkManager/NetworkManager.conf 2014-07-31 22:31:19.347541763 +0200
+++ new/etc/NetworkManager/NetworkManager.conf 2014-07-31 22:31:58.823227808 +0200
@@ -1,5 +1,8 @@
[main]
-plugins=ifupdown,keyfile
+plugins=keyfile
[ifupdown]
managed=false
+
+[ipv4]
+dhcp-send-hostname=false
tails (1.1.1) UNRELEASED; urgency=medium
tails (1.1.1) unstable; urgency=medium
* Dummy entry for next release.
* Security fixes
- Upgrade the web browser to 24.8.0esr-0+tails1~bpo70+1
(Firefox 24.8.0esr + Iceweasel patches + Torbrowser patches).
Also import the Tor Browser profile at commit
271b64b889e5c549196c3ee91c888de88148560f from
ttp/tor-browser-24.8.0esr-3.x-1.
- Upgrade Tor to 0.2.4.23-2~d70.wheezy+1 (fixes CVE-2014-5117).
- Upgrade I2P to 0.9.14.1-1~deb7u+1.
- Upgrade Linux to 3.14.15-2 (fixes CVE-2014-3534, CVE-2014-4667
and CVE-2014-4943).
- Upgrade CUPS-based packages to 1.5.3-5+deb7u4 (fixes
CVE-2014-3537, CVE-2014-5029, CVE-2014-5030 and CVE-2014-5031).
- Upgrade libnss3 to 2:3.14.5-1+deb7u1 (fixes CVE-2013-1741,
CVE-2013-5606, CVE-2014-1491 and CVE-2014-1492).
- Upgrade openssl to 1.0.1e-2+deb7u12 (fixes CVE-2014-3505,
CVE-2014-3506, CVE-2014-3507, CVE-2014-3508, CVE-2014-3509,
CVE-2014-3510, CVE-2014-3511, CVE-2014-3512 and CVE-2014-5139).
- Upgrade krb5-based packages to 1.10.1+dfsg-5+deb7u2 (fixes
CVE-2014-4341, CVE-2014-4342, CVE-2014-4343, CVE-2014-4344 and
CVE-2014-4345).
- Upgrade libav-based packages to 6:0.8.15-1 (fixes CVE-2011-3934,
CVE-2011-3935, CVE-2011-3946, CVE-2013-0848, CVE-2013-0851,
CVE-2013-0852, CVE-2013-0860, CVE-2013-0868, CVE-2013-3672,
CVE-2013-3674 and CVE-2014-2263.
- Upgrade libgpgme11 to 1.2.0-1.4+deb7u1 (fixes CVE-2014-5117).
- Upgrade python-imaging to 1.1.7-4+deb7u1 (fixes CVE-2014-3589).
- Prevent dhclient from sending the hostname over the network
(Closes: #7688).
- Override the hostname provided by the DHCP server (Closes: #7769).
- Add an I2P boot parameter. Without adding "i2p" to the kernel
command line, I2P will not be accessible for the Live user.
- Stricter I2P firewall rules:
* deny I2P from accessing the LAN
* deny I2P from accessing the loopback device, except for select
whitelisted services
* allow I2P access to the Internet
The ACCEPT rules will only be enabled when the string 'i2p' is
passed at the boot prompt. The rules which DENY or REJECT
access for the 'i2psvc' user will always be applied.
- Disable I2P plugins, since it doesn't make much sense without
persistence, and should eliminate some attack vectors.
- Disable I2P's BOB port. No maintained I2P application uses it.
-- Tails developers <tails@boum.org> Wed, 23 Jul 2014 00:49:19 +0200
* Bugfixes
- Fix condition clause in tails-security-check (Closes: #7657).
- Don't ship OpenJDK 6: I2P prefers v7, and we don't need both.
- Prevent Tails Installer from updating the system partition
properties on MBR partitions (Closes: #7716).
* Minor improvements
- Upgrade to Torbutton 1.6.12.1.
- Install gnome-user-guide (Closes: #7618).
- Install cups-pk-helper (Closes: #7636).
- Update the SquashFS sort file.
- Compress the SquashFS more aggressively (Closes: #7706).
- I2P: Keep POP3 email on server. The default in the I2P webmail
app was to keep mail on the server, but that setting was changed
recently. This configuration setting (susimail.config) will only
be copied over in I2P 0.9.14 and newer.
- Add a Close button to the Tails Installer launcher window.
* Build system
- Migrate Vagrant basebox to Debian Wheezy (Closes #7133, #6736).
- Consistently use the same Debian mirror.
- Disable runtime APT proxy configuration when using APT in
binary_local-hooks (Closes: #7691).
* Automated test suite
- Automatically test hostname leaks (Closes: #7712).
- Move autotest live-config hook to be run last. This way we'll
notice if some earlier live-config hook cancels all hooks by
running the automated test suite since the remote shell won't be
running in that case.
- Test that the I2P boot parameter does what it's supposed to do
(Closes: #7760).
- Start applications by using the GNOME Applications menu instead
of the GNOME Run Dialog (Closes: #5550, #7060).
-- Tails developers <tails@boum.org> Sun, 31 Aug 2014 20:49:28 +0000
tails (1.1) unstable; urgency=medium
......
......@@ -28,8 +28,7 @@ Feature: Installing packages through APT
And all Internet traffic has only flowed through Tor
Scenario: Install packages using Synaptic
When I run "gksu synaptic"
And I enter the sudo password in the gksu prompt
When I start Synaptic
And I update APT using Synaptic
Then I should be able to install a package using Synaptic
And all Internet traffic has only flowed through Tor
@product
Feature: Getting a DHCP lease without leaking too much information
As a Tails user
when I connect to a network with a DHCP server
I should be able to connect to the Internet
and the hostname should not have been leaked on the network.
Scenario: Getting a DHCP lease with the default NetworkManager connection
Given a computer
And I capture all network traffic
And I start the computer
And the computer boots Tails
And I log in to a new session
And GNOME has started
And Tor is ready
And all notifications have disappeared
And available upgrades have been checked
Then the hostname should not have been leaked on the network
Scenario: Getting a DHCP lease with a manually configured NetworkManager connection
Given a computer
And I capture all network traffic
And I start the computer
And the computer boots Tails
And I log in to a new session
And GNOME has started
And Tor is ready
And all notifications have disappeared
And available upgrades have been checked
And I add a wired DHCP NetworkManager connection called "manually-added-con"
And I switch to the "manually-added-con" NetworkManager connection
Then the hostname should not have been leaked on the network
......@@ -16,8 +16,7 @@ Feature:
And I save the state so the background can be restored next scenario
Scenario: Detecting IPv4 TCP leaks from the Unsafe Browser
When I start the Unsafe Browser
And the Unsafe Browser has started
When I successfully start the Unsafe Browser
And I open the address "https://check.torproject.org" in the Unsafe Browser
And I see "UnsafeBrowserTorCheckFail.png" after at most 60 seconds
Then the firewall leak detector has detected IPv4 TCP leaks
......
@product
Feature: I2P
As a Tails user
I *might* want to use I2P
Scenario: I2P is disabled by default
Given a computer
And I start the computer
And the computer boots Tails
And I log in to a new session
And GNOME has started
And Tor is ready
And all notifications have disappeared
Then the I2P desktop file is not present
And the I2P sudo rules are not present
And the I2P firewall rules are disabled
Scenario: I2P is enabled when the "i2p" boot parameter is added
Given a computer
And I set Tails to boot with options "i2p"
And I start the computer
And the computer boots Tails
And I log in to a new session
And GNOME has started
And Tor is ready
And all notifications have disappeared
Then the I2P desktop file is present
And the I2P sudo rules are enabled
And the I2P firewall rules are enabled
When I start I2P through the GNOME menu
Then I see "I2P_starting_notification.png" after at most 60 seconds
And I see "I2P_router_console.png" after at most 60 seconds
......@@ -69,3 +69,12 @@ Then /^I should be able to install a package using Synaptic$/ do
@screen.wait('SynapticChangesAppliedPrompt.png', 120)
step "package \"#{package}\" is installed"
end
When /^I start Synaptic$/ do
next if @skip_steps_while_restoring_background
@screen.wait_and_click("GnomeApplicationsMenu.png", 10)
@screen.wait_and_click("GnomeApplicationsSystem.png", 10)
@screen.wait_and_click("GnomeApplicationsAdministration.png", 10)
@screen.wait_and_click("GnomeApplicationsSynaptic.png", 20)
deal_with_polkit_prompt('SynapticPolicyKitAuthPrompt.png', @sudo_password)
end
......@@ -60,15 +60,6 @@ def restore_background
end
end
def run_dialog_picture
case @theme
when "windows"
return 'WindowsRunDialog.png'
else
return 'GnomeRunDialog.png'
end
end
Given /^a computer$/ do
@vm.destroy if @vm
@vm = VM.new($vm_xml_path, $x_display)
......@@ -336,20 +327,6 @@ Then /^all Internet traffic has only flowed through Tor$/ do
end
end
When /^I open the GNOME run dialog$/ do
next if @skip_steps_while_restoring_background
@screen.type(Sikuli::Key.F2, Sikuli::KeyModifier.ALT)
@screen.wait(run_dialog_picture, 10)
end
When /^I run "([^"]*)"$/ do |program|
next if @skip_steps_while_restoring_background
step "I open the GNOME run dialog"
@screen.type(program)
sleep 0.5
@screen.type(Sikuli::Key.ENTER)
end
Given /^I enter the sudo password in the gksu prompt$/ do
next if @skip_steps_while_restoring_background
@screen.wait('GksuAuthPrompt.png', 60)
......@@ -359,18 +336,22 @@ Given /^I enter the sudo password in the gksu prompt$/ do
@screen.waitVanish('GksuAuthPrompt.png', 10)
end
Given /^I enter the sudo password in the PolicyKit prompt$/ do
Given /^I enter the sudo password in the pkexec prompt$/ do
next if @skip_steps_while_restoring_background
step "I enter the \"#{@sudo_password}\" password in the PolicyKit prompt"
step "I enter the \"#{@sudo_password}\" password in the pkexec prompt"
end
Given /^I enter the "([^"]*)" password in the PolicyKit prompt$/ do |password|
next if @skip_steps_while_restoring_background
@screen.wait('PolicyKitAuthPrompt.png', 60)
def deal_with_polkit_prompt (image, password)
@screen.wait(image, 60)
sleep 1 # wait for weird fade-in to unblock the "Ok" button
@screen.type(password)
@screen.type(Sikuli::Key.ENTER)
@screen.waitVanish('PolicyKitAuthPrompt.png', 10)
@screen.waitVanish(image, 10)
end