Bug 3953

Summary: security update: tor
Product: Mageia
Component: Security
Status: RESOLVED FIXED
Severity: critical
Priority: High
Version: 1
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: tor
Status comment:
Reporter: Tom Tom <tommi.dssd>
Assignee: QA Team <qa-bugs>
QA Contact:
CC: davidwhodgins, dmorganec, doktor5000, sysadmin-bugs, tmb
Keywords: Triaged, validated_update
CVE:

Description Tom Tom 2011-12-30 20:47:57 CET
The Tor version in the package sources is totally outdated and should be updated urgently. From the sources I have Tor version 0.2.1.30, and an FAQ on torproject.org already mentions a version 0.2.2.35. That must be quite a lot of versions that were skipped in the sources, and since the version number comes from an FAQ, the probability is not exactly low that this is not the current version number either. The current Tor version must get into the sources very urgently!

Tom Tom 2011-12-30 20:51:26 CET

Keywords: (none) => NO_PATCH, Security
Priority: Normal => High
Target Milestone: --- => Mageia 1

Comment 1 Manuel Hiebel 2011-12-30 21:18:49 CET
Hi, thanks for reporting this bug.

in Mageia 1 we have 0.2.1.30
in cauldron 0.2.2.35

we can't update to a new release, only bug/security fixes are allowed

but indeed seems there is some CVE against tor.
after a *quick* checking, at least http://osvdb.org/show/osvdb/69944

Assigned to the package maintainer.

Keywords: NO_PATCH, Security => Triaged
Component: BuildSystem => Security
Hardware: i586 => All
Version: unspecified => Cauldron
Assignee: sysadmin-bugs => bugsquad
Product: Infrastructure => Mageia
Summary: Tor is totally outdated => security update: tor
Source RPM: (none) => tor

Manuel Hiebel 2011-12-30 21:27:02 CET

Assignee: bugsquad => boklm

Florian Hubold 2011-12-30 21:37:20 CET

CC: (none) => doktor5000
Version: Cauldron => 1
Target Milestone: Mageia 1 => ---

Comment 2 Florian Hubold 2011-12-30 21:52:33 CET
(In reply to comment #1)
> but indeed seems there is some CVE against tor.
> after a *quick* checking, at least http://osvdb.org/show/osvdb/69944

not affecting the mga1 package, citing from
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1676 :
" Heap-based buffer overflow in Tor before 0.2.1.28 and 0.2.2.x before 0.2.2.20-alpha ..."

But there's http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2778
which should be fixed by https://gitweb.torproject.org/tor.git/commitdiff/9d0777839be6642954a4c064c819d406d8bb7cb4

Comment 3 D Morgan 2012-01-02 01:47:43 CET
pushed in updates_testing

CC: (none) => dmorganec
Assignee: boklm => qa-bugs

Comment 4 claire robinson 2012-01-03 16:51:02 CET
No POC for the CVE so testing functionality only.

lib64tsocks1-1.8-0.beta5.7.mga1.x86_64 installed
tsocks-1.8-0.beta5.7.mga1.x86_64 installed
tor-0.2.1.30-1.1.mga1.x86_64 installed


$ tor
Jan 03 15:30:33.976 [notice] Tor v0.2.1.30. This is experimental software. Do not rely on it for strong anonymity. (Running on Linux x86_64)
Jan 03 15:30:33.977 [notice] Initialized libevent version 2.0.10-stable using method epoll. Good.
Jan 03 15:30:33.977 [notice] Opening Socks listener on 127.0.0.1:9050
Jan 03 15:30:33.977 [notice] Parsing GEOIP file.
Jan 03 15:30:34.131 [notice] OpenSSL OpenSSL 1.0.0d 8 Feb 2011 looks like version 0.9.8m or later; I will try SSL_OP to enable renegotiation
Jan 03 15:30:34.223 [warn] Please upgrade! This version of Tor (0.2.1.30) is obsolete, according to the directory authorities. Recommended versions are: 0.2.1.32,0.2.2.35,0.2.3.10-alpha
Jan 03 15:30:34.587 [notice] We now have enough directory information to build circuits.
Jan 03 15:30:34.587 [notice] Bootstrapped 80%: Connecting to the Tor network.
Jan 03 15:30:34.617 [notice] Bootstrapped 85%: Finishing handshake with first hop.
Jan 03 15:30:34.764 [notice] Bootstrapped 90%: Establishing a Tor circuit.
Jan 03 15:30:35.056 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Jan 03 15:30:35.056 [notice] Bootstrapped 100%: Done.

Aside from the warning of being obsolete..

Added FoxyProxy addon to firefox and added localhost:9050 as a socks5 proxy, could just be set in firefox (or whatever you want to use) proxy settings.

Enabled the tor proxy and browsed to check.torproject.org

Was told tor was enabled and given the apparent IP address.

Used ctrl-c to exit the running tor process and used
# service tor start
to verify it started as a service and check.torproject.org OK'd the connection.

Testing complete x86_64

Comment 5 Dave Hodgins 2012-01-03 21:36:24 CET
Testing complete on i586 using the same procedure.  Thanks Claire!

Could someone from the sysadmin team push the srpm
tor-0.2.1.30-1.1.mga1.src.rpm
from Core Updates Testing to Core Updates.

Advisory:  This security update for the tor package corrects CVE-2011-2778.
Multiple heap-based buffer overflows in Tor before 0.2.2.35 allow remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code by (1) establishing a SOCKS connection to SocksPort or (2) leveraging a SOCKS proxy configuration.

https://bugs.mageia.org/show_bug.cgi?id=3953

CC: (none) => davidwhodgins
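
The version reasoning from comment 2 combined with the advisory above, as an added example (not code from this bug report or from the Tor or Mageia projects): it checks an upstream Tor version against the affected ranges quoted on this page, then accounts for the backported build, which still reports 0.2.1.30 and still triggers the "Please upgrade!" warning seen in comment 4. The function names and the choice to ignore the status tag (such as -alpha) when ordering versions are assumptions of this example.

```python
import re

# Affected ranges as quoted on this page: (series or None, first fixed version).
# A series-specific rule takes precedence over the general one.
AFFECTED = {
    "CVE-2010-1676": [(None, "0.2.1.28"), ("0.2.2", "0.2.2.20-alpha")],
    "CVE-2011-2778": [(None, "0.2.2.35")],
}
# Distribution build carrying the backported fix (from this bug's advisory).
BACKPORTED = {"CVE-2011-2778": {"tor-0.2.1.30-1.1.mga1"}}
# Warning line copied from the test log in comment 4 (timestamp dropped).
SAMPLE_WARN = ("[warn] Please upgrade! This version of Tor (0.2.1.30) is obsolete, "
               "according to the directory authorities. Recommended versions are: "
               "0.2.1.32,0.2.2.35,0.2.3.10-alpha")

def parse(version):
    """'0.2.2.20-alpha' -> (0, 2, 2, 20). Assumption: the status tag is
    ignored and only the four numeric fields are compared."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)(?:-[a-z]+)?", version)
    if not m:
        raise ValueError(f"unrecognised Tor version: {version!r}")
    return tuple(int(g) for g in m.groups())

def upstream_affected(cve, version):
    """True if the upstream version string falls in the CVE's affected range."""
    v = parse(version)
    general = None
    for series, fixed in AFFECTED[cve]:
        if series is None:
            general = parse(fixed)
        elif v[:3] == tuple(int(p) for p in series.split(".")):
            return v < parse(fixed)
    return v < general

def triage(cve, version, package=None):
    """Combine the upstream range check with known backported builds."""
    if not upstream_affected(cve, version):
        return "not affected"
    if package in BACKPORTED.get(cve, ()):
        return "fixed by backport"
    return "affected"

def recommended_versions(log_line):
    """Extract the list from Tor's 'Please upgrade!' warning, or [] if absent."""
    m = re.search(r"Recommended versions are: (\S+)", log_line)
    return m.group(1).split(",") if m else []

if __name__ == "__main__":
    print(triage("CVE-2011-2778", "0.2.1.30", "tor-0.2.1.30-1.1.mga1"))
```

A scanner that keys only on the upstream version string would flag the patched Mageia 1 package, so the package release (or its changelog) has to be part of the check.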

Comment 6 Dave Hodgins 2012-01-03 21:38:02 CET
Sorry, forgot to add keyword and email.

Could someone from the sysadmin team push the srpm
tor-0.2.1.30-1.1.mga1.src.rpm
from Core Updates Testing to Core Updates.

Advisory:  This security update for the tor package corrects CVE-2011-2778.
Multiple heap-based buffer overflows in Tor before 0.2.2.35 allow remote
attackers to cause a denial of service (memory corruption) or possibly execute
arbitrary code by (1) establishing a SOCKS connection to SocksPort or (2)
leveraging a SOCKS proxy configuration.

https://bugs.mageia.org/show_bug.cgi?id=3953

Keywords: (none) => validated_update

Comment 7 Thomas Backlund 2012-01-04 12:46:08 CET
Update pushed.

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED