Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 96320 - net-misc/tor: New release fixes security issue
Summary: net-misc/tor: New release fixes security issue
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High minor (vote)
Assignee: Gentoo Security
Whiteboard: B4 [glsa] jaervosz
: 96359 (view as bug list)
Depends on:
Reported: 2005-06-16 16:12 UTC by Gustavo Felisberto (RETIRED)
Modified: 2005-06-21 13:22 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Gustavo Felisberto (RETIRED) gentoo-dev 2005-06-16 16:12:20 UTC
I just received this from upstream:

Hi folks,

The Tor release from a few days ago includes a fix for a bug
that might allow an attacker to read arbitrary memory (maybe even keys)
from an exit server's process space. We haven't heard any reports of
exploits yet, but hey.

So, I recommend that you all upgrade to  :) 

If you absolutely cannot upgrade yet (for example if you're the Debian Tor
packager and your distribution is too stubborn to upgrade past libevent
1.0b, which has known crash bugs), I've included a patched tarball for
the old 0.0.9 series at:


I'm working on the ebuild for the patched version and will be comitting it soon as stable. When it is in the tree i'll post here so that a GLSA may be issued.
Comment 1 Gustavo Felisberto (RETIRED) gentoo-dev 2005-06-16 16:23:25 UTC
Version in portage fixed.
Current keywords:
KEYWORDS="x86 ~ppc ~amd64 ~ppc64 ~sparc"

As x86 was the only version with a packaged marked as stable i dont know what
the other arches must do.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-16 22:20:54 UTC
Thx Gustavo, this one is ready for GLSA decision. 
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-06-17 02:51:58 UTC
Given the security nature of Tor, I tend to vote yes (make that half a yes).
Gustavo: any hint whether this is public ? Can we disclose it ?
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-17 03:51:23 UTC

Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-17 03:51:23 UTC
½ YES 
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-17 03:56:04 UTC
*** Bug 96359 has been marked as a duplicate of this bug. ***
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-17 03:56:19 UTC
Comment 8 Gustavo Felisberto (RETIRED) gentoo-dev 2005-06-17 04:05:15 UTC

It is a public available list so i think yes we can disclose it.
Comment 9 Matthias Geerdsen (RETIRED) gentoo-dev 2005-06-20 00:50:49 UTC
I would also give a half vote for yes, but I'll make it a full yes so that we
get a result ;-)
Comment 10 Matthias Geerdsen (RETIRED) gentoo-dev 2005-06-20 02:42:52 UTC
Looks like other arches had stable versions before...

ppc and ppc64, pls test and mark stable if possible
macos and ppc-macos, you had a stable version quite a while ago, pls have a look
at too
Comment 11 Markus Rothe (RETIRED) gentoo-dev 2005-06-20 23:04:35 UTC
stable on ppc64 
Comment 12 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-06-20 23:30:03 UTC
Stable on ppc.
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2005-06-21 13:22:29 UTC
GLSA 200406-18
ppc-macos: please test and mark stable to benefit from GLSA