Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 258833 (CVE-2009-0936) - <net-misc/tor-0.2.0.34: Multiple vulnerabilities (CVE-2009-{0936,0937,0938,0939})
Summary: <net-misc/tor-0.2.0.34: Multiple vulnerabilities (CVE-2009-{0936,0937,0938,09...
Status: RESOLVED FIXED
Alias: CVE-2009-0936
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor
Assignee: Gentoo Security
URL: http://blog.torproject.org/blog/tor-0...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-02-13 10:13 UTC by Christian Faulhammer (RETIRED)
Modified: 2009-04-08 22:49 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Christian Faulhammer (RETIRED) gentoo-dev 2009-02-13 10:13:49 UTC
Security fixes:
Fix an infinite-loop bug on handling corrupt votes under certain
      circumstances. Bugfix on 0.2.0.8-alpha.
Fix a temporary DoS vulnerability that could be performed by
      a directory mirror. Bugfix on 0.2.0.9-alpha; reported by lark.
Avoid a potential crash on exit nodes when processing malformed
      input. Remote DoS opportunity. Bugfix on 0.2.0.33.
Do not accept incomplete ipv4 addresses (like 192.168.0) as valid.
      Spec conformance issue. Bugfix on Tor 0.0.2pre27.
Comment 1 Christian Faulhammer (RETIRED) gentoo-dev 2009-02-13 10:35:19 UTC
Ebuild in the tree, arches please mark net-misc/tor-2.0.33 stable.  Jesse, thanks for your notice...please open a new bug if you find a new issue.  Security...my draft for the GLSA is now obsolete, as this bug should be handled there, too.  And by the way, bugs should be filed with a full package atom cat-egory/package to make search easier. :)
Comment 2 Christian Faulhammer (RETIRED) gentoo-dev 2009-02-13 10:35:44 UTC
Of course I mean 0.2.0.34.
Comment 3 Ferris McCormick (RETIRED) gentoo-dev 2009-02-13 14:43:48 UTC
Sparc stable.
Comment 4 Brent Baude (RETIRED) gentoo-dev 2009-02-13 16:11:36 UTC
ppc64 done
Comment 5 Brent Baude (RETIRED) gentoo-dev 2009-02-13 16:15:37 UTC
ppc done
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2009-02-13 17:06:28 UTC
This only looks like Denial of Service issues, so rating B3. Can someone help me understand what the "Bugfix on 0.2.0.8-alpha" etc. parts mean? Is that the version the bug was introduced?
Comment 7 Markus Meier gentoo-dev 2009-02-15 11:05:04 UTC
amd64/x86 stable, all arches done.
Comment 8 Christian Faulhammer (RETIRED) gentoo-dev 2009-02-19 14:15:33 UTC
(In reply to comment #7)
> amd64/x86 stable, all arches done.

 all vulnerable versions removed, please proceed for GLSA voting.
Comment 9 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2009-02-22 00:00:50 UTC
i would vote "no" because these bugs can not be easily triggered, they are close to "client-side DoS, triggered by a malicious server or relay", which does not deserve a GLSA as for me.
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2009-02-25 16:59:19 UTC
It's easy to combine with existing GLSA draft and the exit node issue is a daemon crash. Furthermore, note that inserting malicious nodes into the network is easer than in server-client models.
YES
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2009-02-26 22:25:28 UTC
It's very easy to set up a server!
Voting YES, too.
Comment 12 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2009-03-01 14:00:42 UTC
ok (yes-glsa)
Comment 13 Christian Faulhammer (RETIRED) gentoo-dev 2009-03-06 22:36:49 UTC
(In reply to comment #12)
> ok (yes-glsa)

 Robert, do you want me to rework my GLSA draft or will you add these new vulnerabilites?
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2009-03-07 00:20:05 UTC
We'll edit this in GLSAmaker, but you sure can sign up for an account :-)
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2009-04-08 22:49:37 UTC
GLSA 200904-11