| Summary: | <net-vpn/tor-0.3.1.7: Information leak vulnerability | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Kristian Fiskerstrand (RETIRED) <k_f> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | blueness, kensington, tsmksubc |
| Priority: | Normal | Flags: | stable-bot:
sanity-check+
|
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://trac.torproject.org/projects/tor/ticket/23490 | ||
| Whiteboard: | B4 [noglsa cve] | ||
| Package list: |
net-vpn/tor-0.3.1.7
app-arch/zstd-1.1.3 arm ppc ppc64
|
Runtime testing required: | --- |
@blueness: thanks for the report on this security vulnerability, please call for stabilization when appropriate. @arch teams KEYWORDS="amd64 arm ppc ppc64 x86" An automated check of this bug failed - repoman reported dependency errors (29 lines truncated):
> dependency.bad net-vpn/tor/tor-0.3.1.7.ebuild: DEPEND: arm(default/linux/arm/13.0) ['app-arch/zstd']
> dependency.bad net-vpn/tor/tor-0.3.1.7.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['app-arch/zstd']
> dependency.bad net-vpn/tor/tor-0.3.1.7.ebuild: DEPEND: ppc(default/linux/powerpc/ppc32/13.0) ['app-arch/zstd']
(In reply to Stabilization helper bot from comment #3) > An automated check of this bug failed - repoman reported dependency errors > (29 lines truncated): > > > dependency.bad net-vpn/tor/tor-0.3.1.7.ebuild: DEPEND: arm(default/linux/arm/13.0) ['app-arch/zstd'] > > dependency.bad net-vpn/tor/tor-0.3.1.7.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['app-arch/zstd'] > > dependency.bad net-vpn/tor/tor-0.3.1.7.ebuild: DEPEND: ppc(default/linux/powerpc/ppc32/13.0) ['app-arch/zstd'] I don't understand this. I just did `repoman full` and only got the following: RepoMan scours the neighborhood... KEYWORDS.dropped 3 net-vpn/tor/tor-0.3.1.6_rc.ebuild: sparc net-vpn/tor/tor-0.3.1.7.ebuild: sparc net-vpn/tor/tor-0.3.2.1_alpha.ebuild: sparc Does someone know what's going on? x86 stable An automated check of this bug failed - repoman reported dependency errors (29 lines truncated):
> dependency.bad net-vpn/tor/tor-0.3.1.7.ebuild: DEPEND: arm(default/linux/arm/13.0) ['app-arch/zstd']
> dependency.bad net-vpn/tor/tor-0.3.1.7.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['app-arch/zstd']
> dependency.bad net-vpn/tor/tor-0.3.1.7.ebuild: DEPEND: ppc(default/linux/powerpc/ppc32/13.0) ['app-arch/zstd']
Stable on amd64 An automated check of this bug failed - repoman reported dependency errors (7 lines truncated):
> dependency.bad net-vpn/tor/tor-0.3.1.7.ebuild: DEPEND: ppc64(default/linux/powerpc/ppc64/13.0/64bit-userland) ['app-arch/zstd']
> dependency.bad net-vpn/tor/tor-0.3.1.7.ebuild: RDEPEND: ppc64(default/linux/powerpc/ppc64/13.0/64bit-userland) ['app-arch/zstd']
> dependency.bad net-vpn/tor/tor-0.3.1.7.ebuild: DEPEND: ppc64(default/linux/powerpc/ppc64/13.0/64bit-userland/desktop) ['app-arch/zstd']
arm stable An automated check of this bug failed - repoman reported dependency errors (7 lines truncated):
> dependency.bad net-vpn/tor/tor-0.3.1.7.ebuild: DEPEND: ppc64(default/linux/powerpc/ppc64/13.0/64bit-userland) ['app-arch/zstd']
> dependency.bad net-vpn/tor/tor-0.3.1.7.ebuild: RDEPEND: ppc64(default/linux/powerpc/ppc64/13.0/64bit-userland) ['app-arch/zstd']
> dependency.bad net-vpn/tor/tor-0.3.1.7.ebuild: DEPEND: ppc64(default/linux/powerpc/ppc64/13.0/64bit-userland/desktop) ['app-arch/zstd']
An automated check of this bug failed - repoman reported dependency errors (7 lines truncated):
> dependency.bad net-vpn/tor/tor-0.3.1.7.ebuild: DEPEND: ppc64(default/linux/powerpc/ppc64/13.0/64bit-userland) ['app-arch/zstd']
> dependency.bad net-vpn/tor/tor-0.3.1.7.ebuild: RDEPEND: ppc64(default/linux/powerpc/ppc64/13.0/64bit-userland) ['app-arch/zstd']
> dependency.bad net-vpn/tor/tor-0.3.1.7.ebuild: DEPEND: ppc64(default/linux/powerpc/ppc64/13.0/64bit-userland/desktop) ['app-arch/zstd']
(In reply to Anthony Basile from comment #4) > (In reply to Stabilization helper bot from comment #3) > > An automated check of this bug failed - repoman reported dependency errors > > (29 lines truncated): > > > > > dependency.bad net-vpn/tor/tor-0.3.1.7.ebuild: DEPEND: arm(default/linux/arm/13.0) ['app-arch/zstd'] > > > dependency.bad net-vpn/tor/tor-0.3.1.7.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['app-arch/zstd'] > > > dependency.bad net-vpn/tor/tor-0.3.1.7.ebuild: DEPEND: ppc(default/linux/powerpc/ppc32/13.0) ['app-arch/zstd'] > > > I don't understand this. I just did `repoman full` and only got the > following: > > RepoMan scours the neighborhood... > KEYWORDS.dropped 3 > net-vpn/tor/tor-0.3.1.6_rc.ebuild: sparc > net-vpn/tor/tor-0.3.1.7.ebuild: sparc > net-vpn/tor/tor-0.3.2.1_alpha.ebuild: sparc > > > Does someone know what's going on? It failed because of an incomplete package list, that's all. Maybe you had app-arch/zstd keyworded in your local tree still but forgot to add here. ppc stable. fails single backtrace test ppc64 stable GLSA Vote: No Maintainer, please clean the vulnerable versions. (In reply to Aaron Bauman from comment #15) > GLSA Vote: No > > Maintainer, please clean the vulnerable versions. okay done |
[TROVE-2017-008. CVE-2017-0380. Severity: medium] Hello! We have found a possible problem with the code that reports an error during the construction of an introduction point circuit. Because of this bug, it is possible that some hidden services will sometimes write sensitive information into their logs. This bug can only happen when the SafeLogging option is disabled, and SafeLogging is enabled by default. If you have not disabled SafeLogging, then you should be fine. We are tracking this bug as TROVE-2017-008 and as ticket #23490. It is also CVE-2017-0380. MITIGATION: 1. If you are not running a hidden service, then you don't need to do anything. This bug does not affect you. 2. If you are running 0.2.5.x, this bug does not affect you: it first appeared in 0.2.7.2-alpha. Other bugs do affect you, though: 0.2.5.x is pretty old! (If you are running 0.2.4, or 0.2.6, or 0.2.7, you should just upgrade. We aren't supporting those releases.) 3. Make sure that you did not change the value of the SafeLogging option in your configuration -- or if you did, that you set it to "1". SafeLogging needs to be turned to "0" or "relay" for this bug to occur. 4. If you did disable SafeLogging, re-enable it: Set it to 1, and use a HUP signal to tell Tor to reload its configuration. 5. If you did disable SafeLogging, you should delete any old logs that were generated with SafeLogging disabled. (You should be regularly removing old logs anyway, as a best security practice.) ACKNOWLEDGMENTS: We found this when we re-added scan-build's dead assignment checker into the checkers that we run on Tor. Obviously, it's time to make sure that scan-build gets run more frequently. FIX: There are patches for this issue linked from ticket #23490 on our bugtracker. I will be putting out updated releases today. This bug will be fixed in 0.2.8.15, 0.2.9.12, 0.3.0.11, 0.3.1.7, and 0.3.2.1-alpha.