Bug 250018 (CVE-2008-5397)

Summary:	net-misc/tor < 2.0.32 Does not drop privileges (CVE-2008-{5397,5398})
Product:	Gentoo Security	Reporter:	Matti Bickel (RETIRED) <mabi>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	fauli, humpback, svrmarty
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	B4 [glsa]
Package list:		Runtime testing required:	---

Description Matti Bickel (RETIRED) gentoo-dev

2008-12-06 11:12:33 UTC

From secunia:
1) The application does not properly drop privileges to the primary
groups of the user specified via the "User" parameter. This may
result in the tor process running with higher privileges than
intended.

Note: This may affect UNIX like operating systems only.

2) The "ClientDNSRejectInternalAddresses" configuration option is not
always enforced, which weakens the security and could open a vector
for further attacks.

SOLUTION:
Update to version 0.2.0.32.
https://www.torproject.org/download.html

PROVIDED AND/OR DISCOVERED BY:
1) Theo de Raadt
2) rovv

ORIGINAL ADVISORY:
http://blog.torproject.org/blog/tor-0.2.0.32-released

Comment 1 Matti Bickel (RETIRED) gentoo-dev

2008-12-06 11:13:38 UTC

Please provide the newest ebuild..

Comment 2 Christian Faulhammer (RETIRED) gentoo-dev

2008-12-06 12:31:05 UTC

New version is in the tree, thanks mabi.  Arches please stabilise

net-misc/tor-0.2.0.32
target KEYWORDS are: amd64 ppc ppc64 sparc x86 ~x86-fbsd

Sparc, please check if bug 246483 is still relevant.  I removed the patch from 0.2.0.31 as upstream mentions the bug in its ChangeLog.

security team, I could not find a CVE assigned.

Comment 3 Richard Freeman gentoo-dev

2008-12-07 15:08:20 UTC

amd64 stable

Comment 4 Tobias Scherbaum (RETIRED) gentoo-dev

2008-12-07 15:32:06 UTC

ppc stable

Comment 5 Markus Meier gentoo-dev

2008-12-08 18:47:38 UTC

x86 stable

Comment 6 Brent Baude (RETIRED) gentoo-dev

2008-12-08 19:40:12 UTC

ppc64 stable

Comment 7 Friedrich Oslage (RETIRED) gentoo-dev

2008-12-09 19:56:34 UTC

sparc stable

(In reply to comment #2)
> Sparc, please check if bug 246483 is still relevant.  I removed the patch from
> 0.2.0.31 as upstream mentions the bug in its ChangeLog.

All good

Comment 8 Tobias Heinlein (RETIRED) gentoo-dev

2008-12-09 22:38:23 UTC

Ready for vote, I vote YES.

Comment 9 Stefan Behte (RETIRED) gentoo-dev

2008-12-10 10:23:47 UTC

Handling CVE-2008-5398 also here, because the same versions are affected and this bug fixes CVE-2008-5398, too.

Comment 10 Stefan Behte (RETIRED) gentoo-dev

2008-12-10 10:25:11 UTC

CVE-2008-5397:
Tor before 0.2.0.32 does not properly process the (1) User and (2) Group configuration options, which might allow local users to gain privileges by leveraging unintended supplementary group memberships of the Tor process. 

CVE-2008-5398:
Tor before 0.2.0.32 does not properly process the ClientDNSRejectInternalAddresses configuration option in situations where an exit relay issues a policy-based refusal of a stream, which allows remote exit relays to have an unknown impact by mapping an internal IP address to the destination hostname of a refused stream.

Comment 11 Stefan Behte (RETIRED) gentoo-dev

2009-01-11 18:54:21 UTC

Yes, too. Request filed.

Comment 12 Christian Faulhammer (RETIRED) gentoo-dev

2009-02-08 22:29:41 UTC

(In reply to comment #11)
> Yes, too. Request filed.

 Can I help to prepare the GLSA?  Or what is the status?

Comment 13 Alex Legler (RETIRED) archtester

2009-02-08 22:34:27 UTC

(In reply to comment #12)
> (In reply to comment #11)
> > Yes, too. Request filed.
> 
>  Can I help to prepare the GLSA?  Or what is the status?
> 

Just the request currently, a draft would be highly appreciated. :/

Comment 14 svrmarty 2009-02-15 13:21:07 UTC

higher version needed,

see bug #258833

Comment 15 Robert Buchholz (RETIRED) gentoo-dev

2009-04-08 22:49:23 UTC

GLSA 200904-11