Bug 250018 (CVE-2008-5397) - net-misc/tor < 2.0.32 Does not drop privileges (CVE-2008-{5397,5398})
Summary: net-misc/tor < 2.0.32 Does not drop privileges (CVE-2008-{5397,5398})
Status: RESOLVED FIXED
Alias: CVE-2008-5397
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
Whiteboard: B4 [glsa]
Reported: 2008-12-06 11:12 UTC by Matti Bickel (RETIRED)
Modified: 2009-04-08 22:49 UTC
Description Matti Bickel (RETIRED) gentoo-dev 2008-12-06 11:12:33 UTC
From Secunia:
1) The application does not properly drop privileges to the primary
groups of the user specified via the "User" parameter. This may
result in the tor process running with higher privileges than
intended.

Note: This may affect UNIX like operating systems only.

2) The "ClientDNSRejectInternalAddresses" configuration option is not
always enforced, which weakens the security and could open a vector
for further attacks.

SOLUTION:
Update to version 0.2.0.32.
https://www.torproject.org/download.html

PROVIDED AND/OR DISCOVERED BY:
1) Theo de Raadt
2) rovv

ORIGINAL ADVISORY:
http://blog.torproject.org/blog/tor-0.2.0.32-released
Comment 1 Matti Bickel (RETIRED) gentoo-dev 2008-12-06 11:13:38 UTC
Please provide the newest ebuild.
Comment 2 Christian Faulhammer (RETIRED) gentoo-dev 2008-12-06 12:31:05 UTC
New version is in the tree, thanks mabi.  Arches please stabilise

net-misc/tor-0.2.0.32
target KEYWORDS are: amd64 ppc ppc64 sparc x86 ~x86-fbsd

Sparc, please check if bug 246483 is still relevant.  I removed the patch from 0.2.0.31 as upstream mentions the bug in its ChangeLog.

security team, I could not find a CVE assigned.
Comment 3 Richard Freeman gentoo-dev 2008-12-07 15:08:20 UTC
amd64 stable
Comment 4 Tobias Scherbaum (RETIRED) gentoo-dev 2008-12-07 15:32:06 UTC
ppc stable
Comment 5 Markus Meier gentoo-dev 2008-12-08 18:47:38 UTC
x86 stable
Comment 6 Brent Baude (RETIRED) gentoo-dev 2008-12-08 19:40:12 UTC
ppc64 stable
Comment 7 Friedrich Oslage (RETIRED) gentoo-dev 2008-12-09 19:56:34 UTC
sparc stable

(In reply to comment #2)
> Sparc, please check if bug 246483 is still relevant.  I removed the patch from
> 0.2.0.31 as upstream mentions the bug in its ChangeLog.

All good
Comment 8 Tobias Heinlein (RETIRED) gentoo-dev 2008-12-09 22:38:23 UTC
Ready for vote, I vote YES.
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2008-12-10 10:23:47 UTC
Handling CVE-2008-5398 also here, because the same versions are affected and this bug fixes CVE-2008-5398, too.
Comment 10 Stefan Behte (RETIRED) gentoo-dev Security 2008-12-10 10:25:11 UTC
CVE-2008-5397:
Tor before 0.2.0.32 does not properly process the (1) User and (2) Group configuration options, which might allow local users to gain privileges by leveraging unintended supplementary group memberships of the Tor process. 

CVE-2008-5398:
Tor before 0.2.0.32 does not properly process the ClientDNSRejectInternalAddresses configuration option in situations where an exit relay issues a policy-based refusal of a stream, which allows remote exit relays to have an unknown impact by mapping an internal IP address to the destination hostname of a refused stream. 
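
Added example, not part of the bug report or of Tor's code: a check for the condition CVE-2008-5397 describes, a daemon that has switched user and group but still carries supplementary groups from the account that started it. It audits the credential lines of a Linux `/proc/<pid>/status` dump; the sample dumps and the ids 106/112 are constructed for illustration.

```python
# Constructed /proc/<pid>/status excerpts (not taken from the bug report).
# LEAKY: uid/gid switched to 106/112, but root's supplementary groups remain.
LEAKY = """Name:\ttor
Pid:\t2412
Uid:\t106\t106\t106\t106
Gid:\t112\t112\t112\t112
Groups:\t0 1 2 3 4 6 10
"""
# CLEAN: the supplementary list holds only the service group.
CLEAN = LEAKY.replace("Groups:\t0 1 2 3 4 6 10", "Groups:\t112")


def parse_status(text):
    """Return the credential fields of a /proc/<pid>/status dump as int lists."""
    creds = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key in ("Uid", "Gid", "Groups"):
            creds[key] = [int(v) for v in value.split()]
    missing = {"Uid", "Gid", "Groups"} - creds.keys()
    if missing:
        raise ValueError(f"status text lacks fields: {sorted(missing)}")
    return creds


def audit(text, want_uid, want_gid, allowed_groups=()):
    """List every way the process credentials differ from the intended ones."""
    creds = parse_status(text)
    findings = []
    # Uid/Gid lines hold real, effective, saved and filesystem ids; all four
    # must match, otherwise the process can switch back.
    if set(creds["Uid"]) != {want_uid}:
        findings.append(f"uid set {creds['Uid']} is not uniformly {want_uid}")
    if set(creds["Gid"]) != {want_gid}:
        findings.append(f"gid set {creds['Gid']} is not uniformly {want_gid}")
    # Any supplementary group beyond the intended ones is leftover privilege.
    extra = sorted(set(creds["Groups"]) - {want_gid} - set(allowed_groups))
    if extra:
        findings.append(f"unintended supplementary groups: {extra}")
    return findings


if __name__ == "__main__":
    for name, sample in (("leaky", LEAKY), ("clean", CLEAN)):
        print(name, audit(sample, want_uid=106, want_gid=112) or "ok")
```

On a live system the same function can be fed the contents of `/proc/<pid>/status` for the running daemon, with the uid and gid looked up from the account named in its configuration.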
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2009-01-11 18:54:21 UTC
Yes, too. Request filed.
Comment 12 Christian Faulhammer (RETIRED) gentoo-dev 2009-02-08 22:29:41 UTC
(In reply to comment #11)
> Yes, too. Request filed.

 Can I help to prepare the GLSA?  Or what is the status?

Comment 13 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-02-08 22:34:27 UTC
(In reply to comment #12)
> (In reply to comment #11)
> > Yes, too. Request filed.
> 
>  Can I help to prepare the GLSA?  Or what is the status?
> 

Just the request currently, a draft would be highly appreciated. :/
Comment 14 svrmarty 2009-02-15 13:21:07 UTC
higher version needed,

see bug #258833
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2009-04-08 22:49:23 UTC
GLSA 200904-11