Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 631642 (CVE-2017-0380, TROVE-2017-008)

Summary: <net-vpn/tor-0.3.1.7: Information leak vulnerability
Product: Gentoo Security Reporter: Kristian Fiskerstrand (RETIRED) <k_f>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: blueness, kensington, tsmksubc
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://trac.torproject.org/projects/tor/ticket/23490
Whiteboard: B4 [noglsa cve]
Package list:
net-vpn/tor-0.3.1.7 app-arch/zstd-1.1.3 arm ppc ppc64
Runtime testing required: ---

Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-09-21 14:33:45 UTC
[TROVE-2017-008.  CVE-2017-0380. Severity: medium]

Hello!

  We have found a possible problem with the code that reports an error
  during the construction of an introduction point circuit.  Because
  of this bug, it is possible that some hidden services will sometimes
  write sensitive information into their logs.

  This bug can only happen when the SafeLogging option is disabled,
  and SafeLogging is enabled by default.  If you have not disabled
  SafeLogging, then you should be fine.

  We are tracking this bug as TROVE-2017-008 and as ticket #23490. It
  is also CVE-2017-0380.


MITIGATION:

   1. If you are not running a hidden service, then you don't need
      to do anything.  This bug does not affect you.

   2. If you are running 0.2.5.x, this bug does not affect you: it
      first appeared in 0.2.7.2-alpha.  Other bugs do affect you,
      though: 0.2.5.x is pretty old!

      (If you are running 0.2.4, or 0.2.6, or 0.2.7, you should just
      upgrade. We aren't supporting those releases.)

   3. Make sure that you did not change the value of the SafeLogging
      option in your configuration -- or if you did, that you set it
      to "1".  SafeLogging needs to be turned to "0" or "relay" for
      this bug to occur.

   4. If you did disable SafeLogging, re-enable it: Set it to 1, and
      use a HUP signal to tell Tor to reload its configuration.

   5. If you did disable SafeLogging, you should delete any old logs
      that were generated with SafeLogging disabled.

      (You should be regularly removing old logs anyway, as a best
      security practice.)


ACKNOWLEDGMENTS:

    We found this when we re-added scan-build's dead assignment
    checker into the checkers that we run on Tor.  Obviously, it's
    time to make sure that scan-build gets run more frequently.

FIX:

    There are patches for this issue linked from ticket #23490 on
    our bugtracker.

    I will be putting out updated releases today.  This bug will be
    fixed in 0.2.8.15, 0.2.9.12, 0.3.0.11, 0.3.1.7, and
    0.3.2.1-alpha.
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-09-21 14:34:31 UTC
@blueness: thanks for the report on this security vulnerability, please call for stabilization when appropriate.
Comment 2 Anthony Basile gentoo-dev 2017-09-21 14:37:11 UTC
@arch teams KEYWORDS="amd64 arm ppc ppc64 x86"
Comment 3 Stabilization helper bot gentoo-dev 2017-09-21 15:00:46 UTC
An automated check of this bug failed - repoman reported dependency errors (29 lines truncated): 

> dependency.bad net-vpn/tor/tor-0.3.1.7.ebuild: DEPEND: arm(default/linux/arm/13.0) ['app-arch/zstd']
> dependency.bad net-vpn/tor/tor-0.3.1.7.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['app-arch/zstd']
> dependency.bad net-vpn/tor/tor-0.3.1.7.ebuild: DEPEND: ppc(default/linux/powerpc/ppc32/13.0) ['app-arch/zstd']
Comment 4 Anthony Basile gentoo-dev 2017-10-01 12:27:57 UTC
(In reply to Stabilization helper bot from comment #3)
> An automated check of this bug failed - repoman reported dependency errors
> (29 lines truncated): 
> 
> > dependency.bad net-vpn/tor/tor-0.3.1.7.ebuild: DEPEND: arm(default/linux/arm/13.0) ['app-arch/zstd']
> > dependency.bad net-vpn/tor/tor-0.3.1.7.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['app-arch/zstd']
> > dependency.bad net-vpn/tor/tor-0.3.1.7.ebuild: DEPEND: ppc(default/linux/powerpc/ppc32/13.0) ['app-arch/zstd']


I don't understand this.  I just did `repoman full` and only got the following:

RepoMan scours the neighborhood...
  KEYWORDS.dropped              3
   net-vpn/tor/tor-0.3.1.6_rc.ebuild: sparc
   net-vpn/tor/tor-0.3.1.7.ebuild: sparc
   net-vpn/tor/tor-0.3.2.1_alpha.ebuild: sparc


Does someone know what's going on?
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2017-10-03 00:42:54 UTC
x86 stable
Comment 6 Stabilization helper bot gentoo-dev 2017-10-03 01:03:32 UTC
An automated check of this bug failed - repoman reported dependency errors (29 lines truncated): 

> dependency.bad net-vpn/tor/tor-0.3.1.7.ebuild: DEPEND: arm(default/linux/arm/13.0) ['app-arch/zstd']
> dependency.bad net-vpn/tor/tor-0.3.1.7.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['app-arch/zstd']
> dependency.bad net-vpn/tor/tor-0.3.1.7.ebuild: DEPEND: ppc(default/linux/powerpc/ppc32/13.0) ['app-arch/zstd']
Comment 7 Manuel RĂ¼ger (RETIRED) gentoo-dev 2017-10-15 22:28:04 UTC
Stable on amd64
Comment 8 Stabilization helper bot gentoo-dev 2017-10-15 23:03:25 UTC
An automated check of this bug failed - repoman reported dependency errors (7 lines truncated): 

> dependency.bad net-vpn/tor/tor-0.3.1.7.ebuild: DEPEND: ppc64(default/linux/powerpc/ppc64/13.0/64bit-userland) ['app-arch/zstd']
> dependency.bad net-vpn/tor/tor-0.3.1.7.ebuild: RDEPEND: ppc64(default/linux/powerpc/ppc64/13.0/64bit-userland) ['app-arch/zstd']
> dependency.bad net-vpn/tor/tor-0.3.1.7.ebuild: DEPEND: ppc64(default/linux/powerpc/ppc64/13.0/64bit-userland/desktop) ['app-arch/zstd']
Comment 9 Markus Meier gentoo-dev 2017-10-17 19:03:20 UTC
arm stable
Comment 10 Stabilization helper bot gentoo-dev 2017-10-17 20:01:57 UTC
An automated check of this bug failed - repoman reported dependency errors (7 lines truncated): 

> dependency.bad net-vpn/tor/tor-0.3.1.7.ebuild: DEPEND: ppc64(default/linux/powerpc/ppc64/13.0/64bit-userland) ['app-arch/zstd']
> dependency.bad net-vpn/tor/tor-0.3.1.7.ebuild: RDEPEND: ppc64(default/linux/powerpc/ppc64/13.0/64bit-userland) ['app-arch/zstd']
> dependency.bad net-vpn/tor/tor-0.3.1.7.ebuild: DEPEND: ppc64(default/linux/powerpc/ppc64/13.0/64bit-userland/desktop) ['app-arch/zstd']
Comment 11 Stabilization helper bot gentoo-dev 2017-10-19 13:14:59 UTC
An automated check of this bug failed - repoman reported dependency errors (7 lines truncated): 

> dependency.bad net-vpn/tor/tor-0.3.1.7.ebuild: DEPEND: ppc64(default/linux/powerpc/ppc64/13.0/64bit-userland) ['app-arch/zstd']
> dependency.bad net-vpn/tor/tor-0.3.1.7.ebuild: RDEPEND: ppc64(default/linux/powerpc/ppc64/13.0/64bit-userland) ['app-arch/zstd']
> dependency.bad net-vpn/tor/tor-0.3.1.7.ebuild: DEPEND: ppc64(default/linux/powerpc/ppc64/13.0/64bit-userland/desktop) ['app-arch/zstd']
Comment 12 Michael Palimaka (kensington) gentoo-dev 2017-10-19 13:18:49 UTC
(In reply to Anthony Basile from comment #4)
> (In reply to Stabilization helper bot from comment #3)
> > An automated check of this bug failed - repoman reported dependency errors
> > (29 lines truncated): 
> > 
> > > dependency.bad net-vpn/tor/tor-0.3.1.7.ebuild: DEPEND: arm(default/linux/arm/13.0) ['app-arch/zstd']
> > > dependency.bad net-vpn/tor/tor-0.3.1.7.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['app-arch/zstd']
> > > dependency.bad net-vpn/tor/tor-0.3.1.7.ebuild: DEPEND: ppc(default/linux/powerpc/ppc32/13.0) ['app-arch/zstd']
> 
> 
> I don't understand this.  I just did `repoman full` and only got the
> following:
> 
> RepoMan scours the neighborhood...
>   KEYWORDS.dropped              3
>    net-vpn/tor/tor-0.3.1.6_rc.ebuild: sparc
>    net-vpn/tor/tor-0.3.1.7.ebuild: sparc
>    net-vpn/tor/tor-0.3.2.1_alpha.ebuild: sparc
> 
> 
> Does someone know what's going on?

It failed because of an incomplete package list, that's all. Maybe you had app-arch/zstd keyworded in your local tree still but forgot to add here.
Comment 13 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-28 22:41:09 UTC
ppc stable. fails single backtrace test
Comment 14 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-28 22:54:02 UTC
ppc64 stable
Comment 15 Aaron Bauman (RETIRED) gentoo-dev 2017-10-29 19:03:55 UTC
GLSA Vote: No

Maintainer, please clean the vulnerable versions.
Comment 16 Anthony Basile gentoo-dev 2017-11-24 12:57:56 UTC
(In reply to Aaron Bauman from comment #15)
> GLSA Vote: No
> 
> Maintainer, please clean the vulnerable versions.

okay done