Bug 13824

Summary: tor new security issue CVE-2014-5117
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: mageia, markkuehn, rverschelde, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/607283/
Whiteboard: MGA3TOO has_procedure, MGA4-32-OK, MGA4-64-OK mga3-32-ok mga3-64-ok advisory
Source RPM: tor-0.2.4.22-1.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-07-30 20:56:06 CEST 
Details of a vulnerability fixed upstream have been released today (July 30):
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5117

The issue is fixed in version 0.2.4.23.

Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated tor package fixes security vulnerability:

Tor before 0.2.4.23 maintains a circuit after an inbound RELAY_EARLY cell is
received by a client, which makes it easier for remote attackers to conduct
traffic-confirmation attacks by using the pattern of RELAY and RELAY_EARLY
cells as a means of communicating information about hidden service names
(CVE-2014-5117).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5117
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5117
https://lists.torproject.org/pipermail/tor-announce/2014-July/000093.html
https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack
========================

Updated packages in core/updates_testing:
========================
tor-0.2.4.23-1.mga3
tor-0.2.4.23-1.mga4

from SRPMS:
tor-0.2.4.23-1.mga3.src.rpm
tor-0.2.4.23-1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2014-07-30 20:56:12 CEST

Whiteboard: (none) => MGA3TOO

Comment 1 David Walser 2014-07-31 19:56:48 CEST 
Debian has issued an advisory for this today (July 31):
https://www.debian.org/security/2014/dsa-2993

URL: (none) => http://lwn.net/Vulnerabilities/607283/

Comment 2 Rémi Verschelde 2014-08-01 15:49:53 CEST 
Procedure: https://bugs.mageia.org/show_bug.cgi?id=3953#c4

CC: (none) => remi
Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 3 Mark Kay 2014-08-03 06:03:13 CEST 
Testing complete for x64 using Claire's procedure from https://bugs.mageia.org/show_bug.cgi?id=3953#c4:

Installed:
- tor-0.2.4.23-1.mga4
- lib64tsocks1-1.8-0.beta5.13.mga4.x86_64
- tsocks-1.8-0.beta5.13.mga4.x86_64

[frames@localhost ~]$ tor
Aug 02 23:55:48.949 [notice] Tor v0.2.4.23 (git-598c61362f1b3d3e) running on Linux with Libevent 2.0.21-stable and OpenSSL 1.0.1e.
Aug 02 23:55:48.949 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Aug 02 23:55:48.949 [notice] Read configuration file "/etc/tor/torrc".
Aug 02 23:55:48.951 [notice] Opening Socks listener on 127.0.0.1:9050
Aug 02 23:55:48.000 [notice] Parsing GEOIP IPv4 file /usr/share/tor/geoip.
Aug 02 23:55:48.000 [notice] Parsing GEOIP IPv6 file /usr/share/tor/geoip6.
Aug 02 23:55:49.000 [notice] We were built to run on a 64-bit CPU, with OpenSSL 1.0.1 or later, but with a version of OpenSSL that apparently lacks accelerated support for the NIST P-224 and P-256 groups. Building openssl with such support (using the enable-ec_nistp_64_gcc_128 option when configuring it) would make ECDH much faster.
Aug 02 23:55:49.000 [notice] We now have enough directory information to build circuits.
Aug 02 23:55:49.000 [notice] Bootstrapped 80%: Connecting to the Tor network.
Aug 02 23:55:50.000 [notice] Bootstrapped 85%: Finishing handshake with first hop.
Aug 02 23:55:51.000 [notice] Bootstrapped 90%: Establishing a Tor circuit.
Aug 02 23:55:52.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Aug 02 23:55:52.000 [notice] Bootstrapped 100%: Done.

No warnings or errors.

Installed proxy addon in Firefox and was able to verify Tor connection on https://check.torproject.org/.

Also started Tor service:
[root@localhost ~]# service tor start
Starting tor (via systemctl):                                    [  OK  ]

Again, went to https://check.torproject.org/ and verified Tor was active.

Stopped Tor service:
[root@localhost ~]# service tor stop
Stopping tor (via systemctl):                                    [  OK  ]

Stopped successfully.

No issues at all.

CC: (none) => markkuehn

Comment 4 Mark Kay 2014-08-03 06:13:10 CEST 
Test also successful for i586 using the same procedure, but pulled an extra package than x64 (libevent5-2.0.21-5):

- tor-0.2.4.23-1.mga4.i586
- libevent5-2.0.21-5.mga4.i586
- libtsocks1-1.8-0.beta5.13.mga4.i586
- tsocks-1.8-0.beta5.13.mga4.i586

[frames@localhost ~]$ tor
Aug 03 00:08:15.349 [notice] Tor v0.2.4.23 (git-598c61362f1b3d3e) running on Linux with Libevent 2.0.21-stable and OpenSSL 1.0.1e.
Aug 03 00:08:15.349 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Aug 03 00:08:15.349 [notice] Read configuration file "/etc/tor/torrc".
Aug 03 00:08:15.351 [notice] Opening Socks listener on 127.0.0.1:9050
Aug 03 00:08:15.000 [notice] Parsing GEOIP IPv4 file /usr/share/tor/geoip.
Aug 03 00:08:15.000 [notice] Parsing GEOIP IPv6 file /usr/share/tor/geoip6.
Aug 03 00:08:15.000 [notice] We now have enough directory information to build circuits.
Aug 03 00:08:15.000 [notice] Bootstrapped 80%: Connecting to the Tor network.
Aug 03 00:08:16.000 [notice] Bootstrapped 85%: Finishing handshake with first hop.
Aug 03 00:08:17.000 [notice] Bootstrapped 90%: Establishing a Tor circuit.
Aug 03 00:08:18.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Aug 03 00:08:18.000 [notice] Bootstrapped 100%: Done.

Same procedures the check Tor was enabled as above.  All was successful.
Mark Kay 2014-08-03 06:16:07 CEST

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure, MGA4-32-OK, MGA4-64-OK

Comment 5 claire robinson 2014-08-04 18:43:13 CEST 
Testing complete mga4 64

Whiteboard: MGA3TOO has_procedure, MGA4-32-OK, MGA4-64-OK => MGA3TOO has_procedure, MGA4-32-OK, MGA4-64-OK mga3-64-ok

Comment 6 claire robinson 2014-08-04 18:43:26 CEST 
mga3 64 even
Comment 7 claire robinson 2014-08-04 18:50:41 CEST 
Testing complete mga3 32

Ready for validating, sorry I don't have time now to do the advisory.

Whiteboard: MGA3TOO has_procedure, MGA4-32-OK, MGA4-64-OK mga3-64-ok => MGA3TOO has_procedure, MGA4-32-OK, MGA4-64-OK mga3-32-ok mga3-64-ok

Comment 8 Rémi Verschelde 2014-08-04 20:04:20 CEST 
Advisory uploaded.

Whiteboard: MGA3TOO has_procedure, MGA4-32-OK, MGA4-64-OK mga3-32-ok mga3-64-ok => MGA3TOO has_procedure, MGA4-32-OK, MGA4-64-OK mga3-32-ok mga3-64-ok advisory

Comment 9 Rémi Verschelde 2014-08-04 20:09:51 CEST 
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 10 Colin Guthrie 2014-08-05 22:24:16 CEST 
Update pushed.

http://advisories.mageia.org/MGASA-2014-0312.html

Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED