| Summary: | tor new security issues fixed upstream in 0.3.5.14 (CVE-2021-28089, CVE-2021-28090) | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Lécureuil <mageia> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | andrewsfarm, guillaume.royer, mageia, ouaurelien, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7TOO MGA7-64-OK MGA8-64-OK | | |
| Source RPM: | tor-0.3.5.12-1.mga7.src.rpm, tor-0.3.5.12-1.mga8.src.rpm | CVE: | CVE-2021-28089, CVE-2021-28090 |
| Status comment: | | | |
Description
Nicolas Lécureuil
2021-03-22 11:59:52 CET
Thanks for doing this; assigning the bug to you as a reward!
Assignee:
bugsquad =>
mageia

Why? This is ready for QA. Assigning for QA as packages are in updates_testing.
Assignee:
mageia =>
qa-bugs
David Walser
2021-03-26 20:41:30 CET
Summary:
Security fixes in tor ( CVE-2021-28089/CVE-2021-28090 ) =>
tor new security issues fixed upstream in 0.3.5.14 (CVE-2021-28089, CVE-2021-28090)

Advisory:
========================

Updated tor package fixes security vulnerabilities:

The dump_desc() function that we used to dump unparseable information to disk, was called incorrectly in several places, in a way that could lead to excessive CPU usage (CVE-2021-28089).

A bug in appending detached signatures to a pending consensus document could be used to crash a directory authority (CVE-2021-28090).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28089
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28090
https://blog.torproject.org/node/2009

Installation of TOR on M8 XFCE.

Update with QA repo and:
tor-0.3.5.14-1.mga8

No problem at installation and TOR runs without error codes.

I don't know enough about the software to properly evaluate how it works. Can you tell me what to do to know how to evaluate it?
CC:
(none) =>
guillaume.royer

Installed and tested without issues.

Tested:
- protocols: HTTP(S), IMAP, POP, DNS over SOCKS5;
- clients: curl, waterfox, fetchmail, trojita;
- method: explicit SOCKS5 proxy configuration, torsocks;
- onion domains.

$ curl --silent https://check.torproject.org/ | egrep 'Congratulations|Sorry' | uniq
Sorry. You are not using Tor.
$ curl --silent --proxy socks5h://127.0.0.1:9050 https://check.torproject.org/ | egrep 'Congratulations|Sorry' | uniq
Congratulations. This browser is configured to use Tor.
$ torsocks curl --silent https://check.torproject.org/ | egrep 'Congratulations|Sorry' | uniq
Congratulations. This browser is configured to use Tor.
$ curl --silent --proxy socks5h://127.0.0.1:9050 https://3g2upl4pq6kufc4m.onion/ | grep '<title>'
<title>DuckDuckGo — Privacy, simplified.</title>

System: Mageia 7, x86_64, Intel CPU.

$ uname -a
Linux marte 5.10.27-desktop-1.mga7 #1 SMP Wed Mar 31 00:16:43 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q tor torsocks
tor-0.3.5.14-1.mga7
torsocks-2.3.0-1.mga7

Whiteboard:
MGA7TOO =>
MGA7TOO MGA7-64-OK

I have noticed a problem with the rpm uninstall script of the tor package.
The error is caused by the following line in the uninstall script:
rm -f /var/lib/tor/*
It needs the "-R" option to remove directories.
$ LANGUAGE=C urpme tor
removing tor-0.3.5.14-1.mga7.x86_64
rm: cannot remove '/var/lib/tor/keys': Is a directory
error: %preun(tor-0.3.5.14-1.mga7.x86_64) scriptlet failed, exit status 1
ERROR: 'script' failed for tor-0.3.5.14-1.mga7.x86_64
error: tor-0.3.5.14-1.mga7.x86_64: erase failed
$ rpm -q --scripts tor
preinstall scriptlet (using /bin/sh):
/usr/share/rpm-helper/add-user tor $1 toruser /var/lib/tor /bin/false
postinstall scriptlet (using /bin/sh):
/usr/bin/systemd-tmpfiles --create tor.conf
/usr/share/rpm-helper/add-service tor $1 tor
preuninstall scriptlet (using /bin/sh):
/usr/share/rpm-helper/del-service tor $1 tor
/usr/share/rpm-helper/del-service tor $1 tor-master
if [ $1 -eq 0 ]; then
rm -f /var/lib/tor/*
fi
postuninstall scriptlet (using /bin/sh):
if [ $1 -ge 1 ]; then
# Use restart instead of try-restart, as tor-master may be "inactive" even
# when there are tor.service and tor@.service instances running.
systemctl restart tor-master.service >/dev/null 2>&1 || :
fi
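The erase failure shown above comes from `rm -f` refusing a directory that the glob matches. As an added example (not the Mageia tor package's own scriptlet), this POSIX sh script reproduces that failure in a throwaway directory and shows a cleanup that removes nested directories and dotfiles while tolerating an empty or missing state directory; the scratch path and file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the tor package's own %preun scriptlet. Reproduces the
# uninstall failure in a throwaway directory and shows a corrected cleanup.
# Assumes POSIX sh with mktemp and find; all paths and file names are constructed.

# Build a scratch stand-in for /var/lib/tor: one plain file plus a keys/ subdirectory.
make_state_dir() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/keys"
    printf 'x' > "$d/state"
    printf 'k' > "$d/keys/secret_id_key"
    printf '%s' "$d"
}

# The cleanup as shipped: rm -f refuses any directory the glob matches
# ("Is a directory"), so it exits non-zero and leaves that directory behind.
cleanup_as_shipped() {
    rm -f "$1"/* 2>/dev/null
}

# Corrected cleanup: remove every entry recursively, dotfiles included, but keep
# the state directory itself (it is created for the package user and may be reused).
# An unmatched glob stays literal in sh, so each candidate is checked before rm.
cleanup_fixed() {
    dir=$1
    [ -d "$dir" ] || return 0            # nothing to do if the directory is gone
    for entry in "$dir"/* "$dir"/.[!.]* "$dir"/..?*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        rm -rf -- "$entry" || return 1
    done
    return 0
}

# Number of entries (files and directories) still present below the state dir.
remaining_entries() {
    find "$1" -mindepth 1 | wc -l | tr -d ' '
}
```

Because `rm` is the last command executed inside the scriptlet's `if` block, its non-zero status becomes the scriptlet's exit status, which is what rpm reports as the failed erase.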
(In reply to Guillaume Royer from comment #5)
> Installation TOR on M8 XFCE.
>
> Update with QA repo and:
>
> tor-0.3.5.14-1.mga8
>
> No problem at installation and TOR run without error codes.
>
> I don't know enough about the software to properly evaluate how it works.Can
> you tell me what to do to know how evaluate it.

You got farther than I did. No error codes, but the app refused to run - I think because I simply have no idea of how to run it properly. Reading /usr/share/doc/tor/tor.html would seem to bear this out. This app is far too complicated for a novice to learn quickly enough to give an evaluation.

Because the MGA7 update that PC LX tested is the same version as the one for MGA8, it is likely that functionality is the same. Since you had a clean install and were able to get the software to run without errors, and because of the critical nature of the update, I'm going to give it an OK for MGA8.

Also because of the critical nature of the update, I'm going to validate it. The issues described in Comment 7 should be brought up in a new bug, especially if they are still valid in MGA8, but I don't believe they are urgent enough to hold this back.

Advisory in Comment 4.

Whiteboard:
MGA7TOO MGA7-64-OK =>
MGA7TOO MGA7-64-OK MGA8-64-OK
Aurelien Oudelet
2021-04-12 15:34:50 CEST
Keywords:
(none) =>
advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0180.html

Resolution:
(none) =>
FIXED

Debian has issued an advisory for this on March 16:
https://www.debian.org/security/2021/dsa-4871