Smashing Tor Bugs in 2022

Last year, your support of the Bug Smash Fund helped us solve 241 tickets related to Tor bugs and maintenance.

From smashing bugs related to anti-censorship features for censored users, resolving issues in Tor Browser, and conducting sysadmin maintenance, to squashing bugs on the network, resolving errors on metrics.torproject.org, and making documentation updates, you've powered the behind-the-scenes work that keeps Tor safe and strong.

If we assume each closed ticket required just 30 minutes of work to fix the bug, you made 120 hours (about one month) of Tor improvement work possible.

Today, we need your help to smash more bugs.

In 2022, we've been hard at work. Connection Assist in Tor Browser 11.5 has made it much easier for people to route around censorship against Tor. User support channels on Telegram, and in Russia, have expanded Tor access in places where its desperately needed. Onion service admins have received new DoS protections for their services. Congestion control has arrived in Tor Browser stable. Arti 0.5.0 has brought more stability to our Tor re-write in Rust. These improvements need maintenance over time—and keeping these tools running smoothly is just as critical as building new features.

This year, we must raise $75,000 to ensure we can smash Tor bugs and conduct needed maintenance.

Last year, the average Bug Smash Fund donor gave $60. Can you help keep Tor users safe from bugs and connected to the open internet with a donation of $60? Without Tor, many of our users would not have a safe option for getting online. Helping us smash bugs keeps Tor's most vulnerable users safe, like this user from Turkey:

What I can get with Tor, I could not get anywhere in [else] in Turkey: information, news, banned articles, and much more... I couldn't safely [use the] internet without Tor. - Anonymous Tor User

Every donation made to the Tor Project in the month of August will go towards the Bug Smash Fund.

Make your contribution today and keep Tor strong. Thank you!

2021 Bug Smash Results

Below we'll highlight areas of work—and related solved tickets—made possible with your support of the Bug Smash Fund.

👾 Bugs related to anti-censorship tools (23 tickets)

• Cannot build snowflake/proxy
• Snowflake server keeps failing unexpectedly
• "Snowflake is off. Could not connect to the bridge."
• Parsing a networkstatus-bridges with flags only causes BridgeDB to hang
• mix of past and present in snowflake proxy log
• It seems GetTor is not replying to emails
• Index error in BridgeDB HTTPS distributor
• BridgeDB doesn't like non-UTF8 encoded requests
• Request bridges from torproject.org gets stuck on "Contacting BridgeDB. Please wait."
• snowflake_server.httpHandler.ln is not initialized, leading to panic in oneshotMode
• Refactor BridgeDB's hashrings
• Ubuntu 16.04 apparmor policy blocks obfs4proxy without modification
• Snowflake embed refuses to work on Chromium?
• 27330: Restore Twitter Private Message Service
• snowflake-webextension "Could not connect to the bridge."
• bridgedb verifyHostname doesn't check subjectAltName extension
• gettor not answering emails April 27
• Venezuela blocks access to the Tor network
• Why did bridgestrap's obfs4proxy terminate?
• Казахстан
• Avoid double delays from ReconnectTimeout
• Update bug-reporting links for gitlab
• Update bug-reporting links for gitlab

👾 Bugs related to metrics and network health (13 tickets)

• Issue with tar from polyanthum
• Exit list service stopped working
• Missing bandwidth data on the website
• Bridge distributor on the website is None for all bridges
• Missing bandwidth files every hour
• Unify relay-search's geoip with Tor's new ipfire geoip db?
• "AS" prefix missing from the as field in documents
• New overload-* lines in bridge descriptors causing descriptors to be discarded
• Add an ant task to update the GeoIP resources
• Possible for inconsistency between summary and details with AS number
• Out of memory when loading in multiple years of relay descriptors
• Indexer ignores a file after moving it away and back shortly after
• Find out why syncing descriptors from collector2.tp.o did not time out

👾 Bugs related to the Tor network (97 tickets)

• Use Gitlab CI with Bots for Code Quality and Technical Debt checks
• output debug logs to logcat as early as possible on Android
• circ: We can pick an active circuit that is marked for close
• Can't connect to literal IPv6 address containing double colon
• Load geoip and geoip6 files during the unit tests
• Sandbox 1 puts Tor relay with Tor 0.4.7.7 on Ubuntu 22.04 in restart loop
• show-distdir-core and friends should fail more quietly
• test_parseconf.sh: apparently not reliable on Appveyor
• Use tor_api.h entry points for ntmain.c
• Work out how to test mixed-version chutney networks in Tor's CI
• CI: Create AppVeyor build that uses 32-bits
• CI broken in 035/042/043/044 because of stem failure
• Chutney fails when Tor is built with --enable-nss
• Chutney fails (sometimes?) when tor is built with --enable-coverage
• Bug: buffers_tls.c:73: buf_read_from_tls: Non-fatal assertion !(buf->datalen >= INT_MAX - at_most) failed.
• an number should not be formatted with decimals
• Got a PADDING_NEGOTIATE from relay at xxx. This should not happen.
• module thinko in src/lib/crypt_ops/crypto_rand.c
• Non-exit relay appears to work, but reachability self-test is failing and descriptor is not being published (tor 0.4.6.9).
• configure detects wrong openssl version
• tor_tls_finish_handshake warning spamming logs during relay operation
• Libressl 3.2.1 with compatibility issues to Tor relays
• ratelim.h:55:27: error: initializer element is not constant
• Rejected v3 hidden service descriptor with Tor 0.4.5.7
• Potential consensus divergence from Ed25519 edge cases
• Don't set router is_running=false after intentionally closing a directory connection
• "Padding negotiated cell from wrong hop" messages on re-extended intro circs
• Delaying hostname send in SOCKS5 CONNECT command causes failure in hostname resolution
• Android: FAIL src/test/test_address_set.c:80: assert(ret OP_EQ 1): 0 vs 1
• Bridges without geoip file report empty statistics
• "GETINFO config-text" adds spurious DataDirectory, Log entries
• ControlPort GETCONF does not recognize command aliases
• Tor Windows service should be installed with the NetworkService account
• junk log messages every time SETCONF changes the set of ORPorts
• Tor uses Roaming (remote) %APPDATA% instead of %LOCALAPPDATA%
• Tor log dates imprecise
• Received extra server info (size 0)
• GETCONF provides incorrect value when undefined
• Fallback to resolving localhost when interface searches fail
• Tor would bind ControlPort to public ip address if it has no localhost interface
• Directory Authorities should test reachability of relays in their family
• Jenkins Windows builders are currently broken
• Coverage flapping in hs_get_responsible_hsdirs()
• Remove ping ::1 from tor's test-network-all and simplify the logic
• Some of our tests require internet connectivity / an IPv4 stack
• nondeterministic coverage of dirvote.c and shared_random.c
• rust protover_all_supported() accepts too-long protocol names
• rust protover doesn't canonicalize adjacent and overlapping ranges
• Examples in CodingStandardsRust.md are wrong
• protover doesn't forbid version zero
• handling double spaces in protover
• disparate duplicate subproto handling in protover
• Check uses of CMP_SEMANTIC for IP addresses
• Handle extreme values better in add_laplace_noise()
• sample_laplace_distribution() should take multiple random inputs
• rep_hist_format_hs_stats() should add noise, then round
• sample_laplace_distribution should produce a valid result on 0.0
• Fix extra-info flags on fallbacks
• Do we need to chown AF_UNIX sockets?
• Use a better pattern for "create mutex if not already initialized"
• circuit_handle_first_hop assumes all one-hop circuits are directory circuits
• clear_status_flags_on_sybil might want to clear more flags
• compute_weighted_bandwidths() broken for dirauths
• connection_mark_unattachedap: checking always true edge_has_sent_end
• Directory Authorities can crash client/relay by scrambling microdesc assignments
• Relays don't actually notice bandwidth changes for a day
• zlib compression bomb warning in notices.log on a middle relay
• Bug - Heartbeat log message does not consider the value of the "HeartbeatPeriod" value.
• Leaksanitizer detected memory leak with Tor Tor 0.4.6.1-alpha-dev (git-769d54c5d7933ccb)
• Cannot SAVECONF when the seccomp sandbox is enabled
• Assertion when starting an IPv4-only bridge on 0.4.5.2-alpha
• Windows 32-bit build broken with introduction of overload_happened_recently() in rephist.c
• Bug: 2-hop circuit with purpose 5 has no guard state
• Find a working alternative to using MaxMind's GeoLite2 databases
• "tor-gencert --create-identity-key" fails with no clear error message if passphrase is empty or short
• Debian Hardened CI failures due to lack of ptrace
• "Closing no-longer-configured OR listener" does not put brackets around IPv6 addresses
• Non-fatal assertion !(smartlist_len(outdated_dirserver_list) > TOO_MANY_OUTDATED_DIRSERVERS)
• Fix issue when using FALLTHROUGH with ALL_BUGS_ARE_FATAL
• configure summary misleadingly indicates library support based on enable, not have
• ExitNodes not respected on all websites
• v3 onion services require a "live" consensus to publish or fetch
• Tor 0.4.4.5 and Microsoft Windows 10.0.19041.572 - permanent 100 % load of all cores of Intel Core i7-3770K
• Tor generates invalid address for hiddenservice when running on armv5tel architectures (from Debian)
• Inbuf for outgoing SOCKS 4 proxy not cleared before reading from OR connection
• Travis chutney tests are borked by two bad commits
• Nightly Windows build failures on both 32-bit and 64-bit
• BUG warning in connection_ap_attach_pending: waiting for rendezvous desc :*
• Static linking issue with OpenSSL
• Bug: connection_edge_send_command failed while sending a SENDME. Circuit probably closed, skipping. at 0.4.5.0-alpha-dev 228ac47c2cc2625e)
• Controller circuits don't pass the SOCKS request address in relay begin cells
• Stop forcing IPv4 and IPv6 traffic on non-SOCKSPorts
• Bug: Bridge obfs4 0.4.5.0-alpha-dev rebuilding descriptor (source: METHOD=NONE) | Don't know my address while generating descriptor
• V3 handshaking state change doesn't use "connection_or_change_state()"
• Build failure on macOS on master
• tracing-instrumentation-lttng doesn't build: 'core/or/lttng_circuit.inc' file not found
• tracing-instrumentation-usdt fails to build: error: use of undeclared identifier 'tor_circuit'
• kist: Poor performance with a small amount of sockets
• Use stale bot to close old pull requests
• log messages are doubled and unclear
• v0.4.1.6 bug journalctl failed assertion
• Remove 0.2.9 from the jenkins builders
• Circpad padding timer flag is not properly reset
• control: HSFETCH command fails to validate v2 addresses
• Confusing "Your relay has a very large number of connections to other relays" relay message
• Backport the diagnostic logs for is_possible_guard crash
• NSS needs to be told that its sockets are nonblocking
• Bug: Tor 0.4.4.3-alpha: Assertion new_conn failed in retry_all_listeners at src/core/mainloop/connection.c:3047
• Parallelize several tests to make hardened-build CI faster.
• Incorrect key ID type used in some ed25519 certificates
• Mixing long lived streams with shorter connections causes hidden tor service name (.onion) resolution/routing failures
• Onion service rendezvous cell statistics don't count client->service traffic.
• tor stops boostrapping on Android
• Remove AppVeyor VS2015 build
• rend_cache/clean_v2_descs_as_dir fails when run on its own
• update .gitlab-ci.yml to remove broken cruft and add a complete test suite
• HSv2 regression: Not possible to add HidServAuth line using SETCONF without restart

👾 Bugs releated to Tor applications (44 tickets)

• Have tor operate on different ports by default for alpha, release and nightly Tor Browser builds
• Create build-specific installer for macOS
• Write up comprehensive advice to "Tor unexpectedly exited", and link to it from inside Tor Browser
• Create unit test in wine to validate widl's output when building IA2Accessible interfaces
• Refresh Mozilla's OpenPGP signing key
• Saved Logins not available in 10.5
• Change Fenix variant to Release
• Remove unused gombile project
• Temporary gpg signature verification scripts are not removed
• Update components for switch to mozilla90-based Fenix
• Check the glean_parser version needed by application-services
• Add script to check for needed toolchain updates to build Firefox for Linux, Windows and macOS
• Rename "New Identity"
• Torbutton prevents PKCS#12 import/export
• Onion alias url rewrite is broken
• Add script to check for needed toolchain updates to build Firefox for macOS
• Add script to check for needed toolchain updates to build Firefox for Windows
• Creating containers for android builds is failing
• Make the list of components updates for switch to mozilla90-based Fenix
• Enable NoScript's unrestricted CSS capability?
• tor-browser-10.5a16-android-armv7-multi.apk
• Change branch name for anti-censorship projects
• Tor Browser without Tor
• Change link on 'Get involved' in about:tor to new community portal
• web.whatsapp.com
• Document first party isolation for Tor researchers
• Oreo adaptive icon shape
• Tor Browser (and Firefox) clobber my clipboard when I return to the window in certain ways
• snowflake's 0.0.3.0 dummy address means rate limits are skipped means BW controller events show no bandwidth used
• Using ExitNodes with bridges make ExitNodes ignored without warning messages. Comment from other cypherpunks: cant reproduce
• Update font whitelists to reflect any changed Firefox default fonts
• Saving images in Tor Browser on Android does not work
• "Torbutton WARN: Version check failed!" should disappear if extensions.torbutton.use_nontor_proxy is true
• Enable Fuzzyfox
• Firefox is insecure, it can't used with Tor
• Skip German exits when using Youtube
• Tor Browser Help menu item goes to mozilla support page
• Rate limit gyroscope sampling frequency on FF mobile
• Avoid using intl.locale.requested pref directly
• system locale in rss view
• New Fennec onboarding and activitystream conflicts
• Proposal to drop Tor Browser's plugin patches
• Expand list of targets more efficiently
• Disable TLS 1.0 (and 1.1) by default

📝 Documentation projects and updates (35 tickets)

• New link needed about Entry guards in Managing Identities
• Tor logo should link to homepage
• Horizontal overflow on download page - https://sedvblmbog.tudasnich.de/download
• restore icons
• tb-manual: create redirects for old resources
• Remove jinja template escaping from "Become a Member" section
• Rename the master branch to main
• Archive git.torproject.org/project/web/styleguide and migrate to gitlab
• lektor portals: Titles should not be capitalized in the CSS
• styleguide.torproject.org: migrate from Jenkins to GitLab CI
• Many internal links are written as external
• Instructions for verifying tor source download
• Incomplete Content-Security-Policy blocks video on "Set up Relays" page
• Tor security policy
• add checksums to download page; make checksum vs. sig file purpose much clearer
• Find a more maintainable approach for the signing-keys page
• On the new download page, the signature and the (?) link are not perceived as different
• Update torproject.org and git.torproject.org onion service link to v3 in README.md
• Update Tor Browser Manual with the extensions.torlauncher.socks_port_flags config
• Should we move anonbib to the Tor website?
• Replace torflow by sbws in volunteer page
• tb-manual: sidebar does not move to the other side when on ltr languages
• Create a 404 template for our websites
• tb-manual: add alt attributes to the images for accessibility
• Something in the jenkins setup is reverting the website to an older version
• Links to Android downloads are broken
• Download link broken: Windows Expert Bundle
• Ask tor.ccc.de to update their certifcate

🛠️ System & service administration projects (3 tickets)

• Please delete builders/tor-browser-build branch snowflake_android
• ZNC on chives was down Jul 04 06:38:23 through Jul 05 17:47:50
• jerks using our mailman to spam people