From oss-security at $URL:

Tor upstream has recently released v0.2.2.38, correcting three security flaws:

1) tor: Read from freed memory and double free by processing failed DNS request
Upstream ticket:
[1] https://trac.torproject.org/projects/tor/ticket/6480
Relevant patch:
[2] https://gitweb.torproject.org/tor.git/commitdiff/62637fa22405278758febb1743da9af562524d4c
References:
[3] https://lists.torproject.org/pipermail/tor-announce/2012-August/000086.html
[4] https://bugzilla.novell.com/show_bug.cgi?id=776642
[5] https://bugzilla.redhat.com/show_bug.cgi?id=849949

2) tor: Uninitialized memory read by reading vote or consensus document with unrecognized flavor name
Upstream ticket:
[6] https://trac.torproject.org/projects/tor/ticket/6530
Relevant patches:
[7] https://gitweb.torproject.org/tor.git/commitdiff/57e35ad3d91724882c345ac709666a551a977f0f
[8] https://gitweb.torproject.org/tor.git/commitdiff/55f635745afacefffdaafc72cc176ca7ab817546
References:
[9] https://lists.torproject.org/pipermail/tor-announce/2012-August/000086.html
[10] https://bugzilla.novell.com/show_bug.cgi?id=776642
Note: No Red Hat bug (Fedora tor versions already updated && EPEL one not affected).

3) tor: Client's relays path information leak
Upstream ticket:
[11] https://trac.torproject.org/projects/tor/ticket/6537
Relevant patches:
[12] https://gitweb.torproject.org/tor.git/commitdiff/308f6dad20675c42b29862f4269ad1fbfb00dc9a
[13] https://gitweb.torproject.org/tor.git/commitdiff/d48cebc5e498b0ae673635f40fc57cdddab45d5b
References:
[14] https://lists.torproject.org/pipermail/tor-announce/2012-August/000086.html
[15] https://bugzilla.novell.com/show_bug.cgi?id=776642
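Flaw 2 above is the classic "lookup result used as an index" defect: a keyword that is not in the table yields an error value, and code that indexes the table with it anyway reads outside the array. The following is an added example, not Tor's parser or any of the patched code; the two flavor names are Tor's real consensus flavors, but the table, the function names and the sample inputs are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Constructed table for this example: the names are Tor's consensus
 * flavors, but the layout and the functions below are not Tor's code. */
static const char *const flavor_names[] = { "ns", "microdesc" };
#define FLAVOR_COUNT (sizeof flavor_names / sizeof flavor_names[0])

/* Map a flavor keyword to its table index, or -1 when unrecognized. */
int flavor_index(const char *name)
{
    for (size_t i = 0; i < FLAVOR_COUNT; i++) {
        if (strcmp(name, flavor_names[i]) == 0)
            return (int)i;
    }
    return -1;
}

/* Vulnerable pattern: the lookup result is used as an index with no range
 * check, so an unrecognized keyword turns -1 into flavor_names[-1], an
 * out-of-bounds read (undefined behaviour, typically a crash). */
const char *canonical_flavor_unchecked(const char *name)
{
    return flavor_names[flavor_index(name)];
}

/* Hardened pattern: unknown flavors yield NULL, so the caller has to handle
 * rejection explicitly and the table is never indexed out of range. */
const char *canonical_flavor_checked(const char *name)
{
    int idx = flavor_index(name);
    if (idx < 0)
        return NULL;
    return flavor_names[idx];
}

int main(void)
{
    /* Constructed inputs: two valid keywords and one that a crafted document
     * might carry. Only the checked path is exercised for the bad one. */
    const char *samples[] = { "ns", "microdesc", "bogus-flavor" };
    for (size_t i = 0; i < 3; i++) {
        const char *canon = canonical_flavor_checked(samples[i]);
        if (canon)
            printf("%-13s -> accepted as \"%s\"\n", samples[i], canon);
        else
            printf("%-13s -> rejected (unknown flavor)\n", samples[i]);
    }
    return 0;
}
```

The check belongs at the point where the document is first parsed: once a document with an unknown flavor has been rejected, no later code path can reach the table with a bad index.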
@blueness, can 0.2.2.38 go to stable?
(In reply to comment #1)
> @blueness, can 0.2.2.38 go to stable?

Yes.
(In reply to comment #2)
> (In reply to comment #1)
> > @blueness, can 0.2.2.38 go to stable?
>
> Yes.

Thank you.

Arches, please test and mark stable:
=net-misc/tor-0.2.2.38
Target keywords : "amd64 arm ppc ppc64 sparc x86"
x86 stable
amd64 stable
Stable arm ppc ppc64
sparc stable
Thanks, folks. GLSA Vote: yes.
CVE-2012-3519 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3519):
routerlist.c in Tor before 0.2.2.38 uses a different amount of time for relay-list iteration depending on which relay is chosen, which might allow remote attackers to obtain sensitive information about relay selection via a timing side-channel attack.

CVE-2012-3518 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3518):
The networkstatus_parse_vote_from_string function in routerparse.c in Tor before 0.2.2.38 does not properly handle an invalid flavor name, which allows remote attackers to cause a denial of service (out-of-bounds read and daemon crash) via a crafted (1) vote document or (2) consensus document.

CVE-2012-3517 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3517):
Use-after-free vulnerability in dns.c in Tor before 0.2.2.38 might allow remote attackers to cause a denial of service (daemon crash) via vectors related to failed DNS requests.
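The CVE-2012-3519 description above is about loop work that depends on a secret: a weighted selection that returns as soon as it finds the chosen element takes a number of steps proportional to that element's position. The following is an added example, not Tor's routerlist.c or its patch; the relay list, weights, function names and the iteration counter (used as a deterministic stand-in for elapsed time) are this example's own constructions. It shows the early-exit loop beside a full-scan variant whose step count depends only on the list length.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed relay list; nicknames and weights are this example's own. */
typedef struct {
    const char *nickname;
    uint64_t weight;   /* bandwidth weight used for selection */
} relay_t;

static const relay_t sample_relays[] = {
    { "alpha", 10 }, { "bravo", 20 }, { "charlie", 30 },
};
#define SAMPLE_RELAY_COUNT (sizeof sample_relays / sizeof sample_relays[0])

/* Loop-iteration counter: a deterministic stand-in for wall-clock time. */
static size_t g_iterations;
size_t iterations_used(void) { return g_iterations; }

/* Leaky pattern: returns as soon as the cumulative weight passes `target`
 * (a random draw in [0, total weight)). The work done, and so the time
 * taken, reveals how far into the list the chosen relay sits. */
int choose_relay_early_exit(const relay_t *relays, size_t n, uint64_t target)
{
    uint64_t acc = 0;
    g_iterations = 0;
    for (size_t i = 0; i < n; i++) {
        g_iterations++;
        acc += relays[i].weight;
        if (target < acc)
            return (int)i;
    }
    return -1;   /* target >= total weight: caller's draw was out of range */
}

/* Data-independent pattern: always walks the whole list and updates the
 * result with arithmetic instead of a taken/not-taken branch, so the step
 * count is a function of n only, never of which relay was chosen. */
int choose_relay_full_scan(const relay_t *relays, size_t n, uint64_t target)
{
    uint64_t acc = 0;
    int chosen = -1;
    g_iterations = 0;
    for (size_t i = 0; i < n; i++) {
        g_iterations++;
        acc += relays[i].weight;
        int hit = (target < acc) & (chosen < 0);      /* 1 only on the first crossing */
        chosen = hit * (int)i + (1 - hit) * chosen;   /* select without branching */
    }
    return chosen;
}

int main(void)
{
    uint64_t targets[] = { 5, 25, 55 };   /* constructed draws in [0, 60) */
    for (size_t t = 0; t < 3; t++) {
        int a = choose_relay_early_exit(sample_relays, SAMPLE_RELAY_COUNT, targets[t]);
        size_t ia = iterations_used();
        int b = choose_relay_full_scan(sample_relays, SAMPLE_RELAY_COUNT, targets[t]);
        size_t ib = iterations_used();
        printf("target %2llu: early-exit -> %s in %zu steps, full-scan -> %s in %zu steps\n",
               (unsigned long long)targets[t], sample_relays[a].nickname, ia,
               sample_relays[b].nickname, ib);
    }
    return 0;
}
```

Both functions return the same relay for every draw; only the step count differs. A fixed step count removes the loop-shape leak, but a genuinely constant-time selection also depends on the compiler not reintroducing a branch for the arithmetic select and on per-element work being uniform, so the assembly is still worth inspecting when the choice is secret.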
GLSA vote: yes. GLSA request filed.
This issue was resolved and addressed in GLSA 201301-03 at http://security.gentoo.org/glsa/glsa-201301-03.xml by GLSA coordinator Sean Amoss (ackle).