Bug 96320

Summary: net-misc/tor: New release fixes security issue
Product: Gentoo Security
Reporter: Gustavo Felisberto (RETIRED) <humpback>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: ppc-macos, rich0
Priority: High
Version: unspecified
Hardware: All
OS: All
Whiteboard: B4 [glsa] jaervosz
Package list:
Runtime testing required: ---

Description Gustavo Felisberto (RETIRED) gentoo-dev 2005-06-16 16:12:20 UTC
I just received this from upstream:

Hi folks,

The Tor 0.1.0.10 release from a few days ago includes a fix for a bug
that might allow an attacker to read arbitrary memory (maybe even keys)
from an exit server's process space. We haven't heard any reports of
exploits yet, but hey.

So, I recommend that you all upgrade to 0.1.0.10.  :) 

If you absolutely cannot upgrade yet (for example if you're the Debian Tor
packager and your distribution is too stubborn to upgrade past libevent
1.0b, which has known crash bugs), I've included a patched tarball for
the old 0.0.9 series at:
http://tor.eff.org/dist/tor-0.0.9.10.tar.gz
http://tor.eff.org/dist/tor-0.0.9.10.tar.gz.asc

--Roger

I'm working on the ebuild for the patched version and will be committing it soon as stable. When it is in the tree I'll post here so that a GLSA may be issued.
Comment 1 Gustavo Felisberto (RETIRED) gentoo-dev 2005-06-16 16:23:25 UTC
Version in portage fixed.
Current keywords:
KEYWORDS="x86 ~ppc ~amd64 ~ppc64 ~sparc"

As x86 was the only version with a package marked as stable, I don't know what
the other arches must do.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-16 22:20:54 UTC
Thx Gustavo, this one is ready for GLSA decision. 
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-06-17 02:51:58 UTC
Given the security nature of Tor, I tend to vote yes (make that half a yes).
Gustavo: any hint whether this is public ? Can we disclose it ?
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-17 03:51:23 UTC
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-17 03:51:23 UTC
½ YES 
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-17 03:56:04 UTC
*** Bug 96359 has been marked as a duplicate of this bug. ***
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-17 03:56:19 UTC
Opening 
Comment 8 Gustavo Felisberto (RETIRED) gentoo-dev 2005-06-17 04:05:15 UTC
http://archives.seul.org/or/announce/Jun-2005/msg00001.html

It is a publicly available list, so I think yes, we can disclose it.
Comment 9 Matthias Geerdsen (RETIRED) gentoo-dev 2005-06-20 00:50:49 UTC
I would also give a half vote for yes, but I'll make it a full yes so that we
get a result ;-)
Comment 10 Matthias Geerdsen (RETIRED) gentoo-dev 2005-06-20 02:42:52 UTC
Looks like other arches had stable versions before...

ppc and ppc64, pls test 0.0.9.10 and mark stable if possible
macos and ppc-macos, you had a stable version quite a while ago, pls have a look
at 0.0.9.10 too
Comment 11 Markus Rothe (RETIRED) gentoo-dev 2005-06-20 23:04:35 UTC
stable on ppc64 
Comment 12 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-06-20 23:30:03 UTC
Stable on ppc.
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2005-06-21 13:22:29 UTC
GLSA 200406-18
ppc-macos: please test and mark stable to benefit from GLSA