Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 388769 (CVE-2011-2768) - <net-misc/tor-0.2.2.34 TLS Certificate Reuse User De-Anonymisation Security Issue (CVE-2011-{2768,2769})
Summary: <net-misc/tor-0.2.2.34 TLS Certificate Reuse User De-Anonymisation Security I...
Status: RESOLVED FIXED
Alias: CVE-2011-2768
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: http://secunia.com/advisories/46634/
Whiteboard: B4 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-10-28 14:06 UTC by Agostino Sarubbo
Modified: 2012-01-23 20:37 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2011-10-28 14:06:14 UTC
From secunia security advisory at $URL:

Description:
The security issue is caused due to clients reusing the TLS certificate on certain connections. This can be exploited to e.g. fingerprint and de-anonymise a user by e.g. using the user's certificate identity key to probe various guard relays to determine whether or not the user is connected to them.

Solution:
Update to version 0.2.2.34.
Comment 1 Anthony Basile gentoo-dev 2011-10-28 18:23:27 UTC
@arch teams.  Please emergency stabilize tor-0.2.2.34.ebuild.
Comment 2 Agostino Sarubbo gentoo-dev 2011-10-28 18:46:57 UTC
Thanks Tony.

(In reply to comment #1)
> @arch teams.  Please emergency stabilize tor-0.2.2.34.ebuild.

target KEYWORDS : "amd64 arm ppc ppc64 sparc x86"


and why bsd in CC?
Comment 3 Elijah "Armageddon" El Lazkani (amd64 AT) 2011-10-29 01:14:48 UTC
amd64: pass
Comment 4 Tomáš "tpruzina" Pružina (amd64 [ex]AT) 2011-10-29 08:20:18 UTC
amd64 : Ok
(Haven't really thorougly tested build phase (-doc -hardened), just running it as client, relay and bridge and new defaults seems to work as expected).
Comment 5 Markos Chandras (RETIRED) gentoo-dev 2011-10-29 11:10:34 UTC
amd64 done. Thanks Elijah and Tomas
Comment 6 Vicente Olivert Riera (RETIRED) gentoo-dev 2011-10-30 08:35:50 UTC
Please, modify the tor-0.2.2.34.ebuild to add dependence of net-proxy/tsocks.
If you upgrade to tor-0.2.2.34 and then make a --depclean, net-proxy/tsocks will be removed and torify no longer works:

/usr/bin/torify: Can't find either tsocks or torsocks in your PATH. Perhaps you haven't installed either?

Thanks.
Comment 7 Vicente Olivert Riera (RETIRED) gentoo-dev 2011-10-30 08:37:40 UTC
(In reply to comment #6)
> Please, modify the tor-0.2.2.34.ebuild to add dependence of net-proxy/tsocks.
> If you upgrade to tor-0.2.2.34 and then make a --depclean, net-proxy/tsocks
> will be removed and torify no longer works:
> 
> /usr/bin/torify: Can't find either tsocks or torsocks in your PATH. Perhaps you
> haven't installed either?
> 
> Thanks.

Or stabilize net-proxy/torsocks and make tor-0.2.2.34 depending on it.
Comment 8 Anthony Basile gentoo-dev 2011-10-30 12:53:17 UTC
(In reply to comment #7)
> (In reply to comment #6)
> > Please, modify the tor-0.2.2.34.ebuild to add dependence of net-proxy/tsocks.
> > If you upgrade to tor-0.2.2.34 and then make a --depclean, net-proxy/tsocks
> > will be removed and torify no longer works:
> > 
> > /usr/bin/torify: Can't find either tsocks or torsocks in your PATH. Perhaps you
> > haven't installed either?
> > 
> > Thanks.
> 
> Or stabilize net-proxy/torsocks and make tor-0.2.2.34 depending on it.

This is a different issue and you should open a different bug for it, but that's okay for now.  I will submit a stablereq for torsocks, but tsocks is out.
Comment 9 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-11-02 14:50:10 UTC
x86 stable
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2011-11-05 19:23:14 UTC
arm/sparc stable
Comment 11 Brent Baude (RETIRED) gentoo-dev 2011-11-06 13:21:22 UTC
ppc done
Comment 12 Anthony Basile gentoo-dev 2011-11-15 15:10:22 UTC
ppc64 ping.  i'd like to remove the older vulnerable version which is the only stable ppc64 ebuild for tor.
Comment 13 Anthony Basile gentoo-dev 2011-11-26 15:32:54 UTC
Sorry ppc64, I didn't feel comfortable leaving an exploitable ebuild on the tree any longer.  I've removed tor-0.2.1.30.ebuild.  There are currently no stable tor ebuilds on ppc64.
Comment 14 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-11-26 16:50:53 UTC
ppc64 stable, last arch done
Comment 15 Agostino Sarubbo gentoo-dev 2011-11-26 17:02:44 UTC
added vote request.
Comment 16 Tim Sammut (RETIRED) gentoo-dev 2011-11-28 05:52:22 UTC
Thanks, folks. Given the package, GLSA Vote: yes.
Comment 17 Sean Amoss (RETIRED) gentoo-dev Security 2012-01-02 02:03:21 UTC
I included this in the GLSA for 394969.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2012-01-06 12:15:42 UTC
CVE-2011-2769 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2769):
  Tor before 0.2.2.34, when configured as a bridge, accepts the CREATE and
  CREATE_FAST values in the Command field of a cell within an OR connection
  that it initiated, which allows remote relays to enumerate bridges by using
  these values.

CVE-2011-2768 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2768):
  Tor before 0.2.2.34, when configured as a client or bridge, sends a TLS
  certificate chain as part of an outgoing OR connection, which allows remote
  relays to bypass intended anonymity properties by reading this chain and
  then determining the set of entry guards that the client or bridge had
  selected.
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2012-01-23 20:37:43 UTC
This issue was resolved and addressed in
 GLSA 201201-12 at http://security.gentoo.org/glsa/glsa-201201-12.xml
by GLSA coordinator Sean Amoss (ackle).