
Bug 890618 (CVE-2023-23589, TROVE-2022-002)

Summary: <net-vpn/tor-0.4.7.13: unsafe SOCKS4 handling for SafeSocks option
Product: Gentoo Security Reporter: Sam James <sam>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: ajak, sam
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B4 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 890740    
Bug Blocks:    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-01-13 04:37:24 UTC
From ChangeLog:
```
  o Major bugfixes (TROVE-2022-002, client):
    - The SafeSocks option had its logic inverted for SOCKS4 and
      SOCKS4a. It would let the unsafe SOCKS4 pass but not the safe
      SOCKS4a one. This is TROVE-2022-002 which was reported on
      Hackerone by "cojabo". Fixes bug 40730; bugfix on 0.3.5.1-alph
```
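The inverted check described in the changelog above, as an added example that is neither Tor's source code nor part of this report: it classifies a SOCKS4-family request and compares an inverted SafeSocks test with the intended one. The function names, the `safe_socks` flag and the sample requests are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum socks4_kind { SOCKS4_INVALID, SOCKS4_PLAIN, SOCKS4A };

/* Request layout: VN=4 | CD | DSTPORT(2) | DSTIP(4) | USERID NUL [HOSTNAME NUL]
 * SOCKS4a signals "hostname follows" with DSTIP 0.0.0.x, x != 0. */
enum socks4_kind socks4_classify(const uint8_t *buf, size_t len)
{
    if (len < 9 || buf[0] != 4)
        return SOCKS4_INVALID;
    const uint8_t *user_end = memchr(buf + 8, 0, len - 8);
    if (!user_end)
        return SOCKS4_INVALID;          /* unterminated USERID */
    if (buf[4] || buf[5] || buf[6] || !buf[7])
        return SOCKS4_PLAIN;            /* literal IP: client resolved DNS itself */
    const uint8_t *host = user_end + 1;
    size_t left = len - (size_t)(host - buf);
    if (left == 0 || host[0] == 0 || !memchr(host, 0, left))
        return SOCKS4_INVALID;          /* empty or unterminated hostname */
    return SOCKS4A;                     /* hostname is resolved through the proxy */
}

/* 1 = let the request through, 0 = reject. safe_socks models the SafeSocks option. */
int allow_inverted(enum socks4_kind k, int safe_socks)  /* behaviour the changelog describes */
{
    return k != SOCKS4_INVALID && !(safe_socks && k == SOCKS4A);
}

int allow_fixed(enum socks4_kind k, int safe_socks)     /* intended behaviour */
{
    return k != SOCKS4_INVALID && !(safe_socks && k == SOCKS4_PLAIN);
}

/* Constructed sample requests (CONNECT, port 80, USERID "u"). */
static const uint8_t REQ_V4[]  = {4, 1, 0, 80, 192, 0, 2, 1, 'u', 0};
static const uint8_t REQ_V4A[] = {4, 1, 0, 80, 0, 0, 0, 1, 'u', 0,
                                  'e', 'x', 'a', 'm', 'p', 'l', 'e', '.', 'o', 'r', 'g', 0};

int main(void)
{
    enum socks4_kind a = socks4_classify(REQ_V4, sizeof REQ_V4);
    enum socks4_kind b = socks4_classify(REQ_V4A, sizeof REQ_V4A);
    printf("SOCKS4  inverted=%d fixed=%d\n", allow_inverted(a, 1), allow_fixed(a, 1));
    printf("SOCKS4a inverted=%d fixed=%d\n", allow_inverted(b, 1), allow_fixed(b, 1));
    return 0;
}
```

With SafeSocks enabled, the inverted test admits the IP-only SOCKS4 request and rejects the hostname-carrying SOCKS4a request; the intended test does the opposite.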
Comment 1 Larry the Git Cow gentoo-dev 2023-01-13 04:40:56 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7ebd93d62b377c717147ceedb1d3947f3539cce2

commit 7ebd93d62b377c717147ceedb1d3947f3539cce2
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-01-13 04:40:04 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-01-13 04:40:04 +0000

    net-vpn/tor: add 0.4.7.13
    
    Bug: https://bugs.gentoo.org/890618
    Signed-off-by: Sam James <sam@gentoo.org>

 net-vpn/tor/Manifest            |   3 +
 net-vpn/tor/tor-0.4.7.13.ebuild | 126 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 129 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2023-01-26 21:47:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=945fc2c2e5f0a69c6d4f60f2d2c6035d01251415

commit 945fc2c2e5f0a69c6d4f60f2d2c6035d01251415
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2023-01-26 21:46:20 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-01-26 21:47:06 +0000

    net-vpn/tor: drop 0.4.7.11, 0.4.7.12
    
    Bug: https://bugs.gentoo.org/890618
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 net-vpn/tor/Manifest            |   6 --
 net-vpn/tor/tor-0.4.7.11.ebuild | 126 ----------------------------------------
 net-vpn/tor/tor-0.4.7.12.ebuild | 126 ----------------------------------------
 3 files changed, 258 deletions(-)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-27 05:52:25 UTC
GLSA request filed
Comment 4 Larry the Git Cow gentoo-dev 2023-05-03 09:54:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=464847c4e70c07cfb07a8715f613e418da18698e

commit 464847c4e70c07cfb07a8715f613e418da18698e
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-03 09:53:19 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-05-03 09:54:23 +0000

    [ GLSA 202305-11 ] Tor: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/808681
    Bug: https://bugs.gentoo.org/852821
    Bug: https://bugs.gentoo.org/890618
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202305-11.xml | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)