Bug 28628 - tor new security issues fixed upstream in 0.3.5.14 (CVE-2021-28089, CVE-2021-28090)
Summary: tor new security issues fixed upstream in 0.3.5.14 (CVE-2021-28089, CVE-2021-...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-03-22 11:59 CET by Nicolas Lécureuil
Modified: 2021-05-27 23:45 CEST
CC List: 5 users

See Also:
Source RPM: tor-0.3.5.12-1.mga7.src.rpm, tor-0.3.5.12-1.mga8.src.rpm
CVE: CVE-2021-28089, CVE-2021-28090
Status comment:


Attachments

Description Nicolas Lécureuil 2021-03-22 11:59:52 CET
There are 2 new security issues in tor.


https://blog.torproject.org/node/2009
https://bugs.torproject.org/tpo/core/tor/40316
https://bugs.torproject.org/tpo/core/tor/40286

This is fixed in mga 7/8

src:
    - tor-0.3.5.14-1.mga7
    - tor-0.3.5.14-1.mga8
Comment 1 Lewis Smith 2021-03-23 20:56:32 CET
Thanks for doing this; assigning the bug to you as a reward!

Assignee: bugsquad => mageia
Source RPM: tor => tor-0.3.5.14-1.mga7, tor-0.3.5.14-1.mga8
Whiteboard: (none) => MGA7TOO

Comment 2 Nicolas Lécureuil 2021-03-23 21:29:29 CET
Why? This is ready for QA.
Comment 3 Nicolas Lécureuil 2021-03-24 08:57:22 CET
assigning for QA as packages are in updates_testing

Assignee: mageia => qa-bugs

David Walser 2021-03-26 20:41:30 CET

Summary: Security fixes in tor ( CVE-2021-28089/CVE-2021-28090 ) => tor new security issues fixed upstream in 0.3.5.14 (CVE-2021-28089, CVE-2021-28090)
Source RPM: tor-0.3.5.14-1.mga7, tor-0.3.5.14-1.mga8 => tor-0.3.5.12-1.mga7.src.rpm, tor-0.3.5.12-1.mga8.src.rpm

Comment 4 David Walser 2021-03-26 21:07:53 CET
Advisory:
========================

Updated tor package fixes security vulnerabilities:

The dump_desc() function that we used to dump unparseable information to disk,
was called incorrectly in several places, in a way that could lead to excessive
CPU usage (CVE-2021-28089).

A bug in appending detached signatures to a pending consensus document could be
used to crash a directory authority (CVE-2021-28090).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28089
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28090
https://blog.torproject.org/node/2009
Comment 5 Guillaume Royer 2021-03-28 21:50:48 CEST
Installation of TOR on M8 XFCE.

Update with QA repo and: 

tor-0.3.5.14-1.mga8

No problem at installation and TOR runs without error codes.

I don't know enough about the software to properly evaluate how it works. Can you tell me what to do to know how to evaluate it.

CC: (none) => guillaume.royer

Comment 6 PC LX 2021-04-02 13:32:03 CEST
Installed and tested without issues.

Tested:
- protocols: HTTP(S), IMAP, POP, DNS over SOCKS5;
- clients: curl, waterfox, fetchmail, trojita;
- method: explicit SOCKS5 proxy configuration, torsocks;
- onion domains.

$ curl --silent https://check.torproject.org/  | egrep 'Congratulations|Sorry' | uniq
      Sorry. You are not using Tor.
$ curl --silent --proxy socks5h://127.0.0.1:9050 https://check.torproject.org/  | egrep 'Congratulations|Sorry' | uniq
      Congratulations. This browser is configured to use Tor.
$ torsocks curl --silent https://check.torproject.org/  | egrep 'Congratulations|Sorry' | uniq
      Congratulations. This browser is configured to use Tor.
$ curl --silent --proxy socks5h://127.0.0.1:9050 https://3g2upl4pq6kufc4m.onion/ | grep '<title>'
        <title>DuckDuckGo — Privacy, simplified.</title>


System: Mageia 7, x86_64, Intel CPU.


$ uname -a
Linux marte 5.10.27-desktop-1.mga7 #1 SMP Wed Mar 31 00:16:43 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q tor torsocks
tor-0.3.5.14-1.mga7
torsocks-2.3.0-1.mga7

Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK
CC: (none) => mageia

Comment 7 PC LX 2021-04-03 20:44:23 CEST
I have noticed a problem with the rpm uninstall script of the tor package.

The error is caused by the following line in the uninstall script:
        rm -f /var/lib/tor/*

It needs the "-R" option to remove directories.



$ LANGUAGE=C urpme tor
removing tor-0.3.5.14-1.mga7.x86_64
rm: cannot remove '/var/lib/tor/keys': Is a directory
error: %preun(tor-0.3.5.14-1.mga7.x86_64) scriptlet failed, exit status 1
ERROR: 'script' failed for tor-0.3.5.14-1.mga7.x86_64
error: tor-0.3.5.14-1.mga7.x86_64: erase failed



$ rpm -q --scripts tor
preinstall scriptlet (using /bin/sh):
/usr/share/rpm-helper/add-user tor $1 toruser /var/lib/tor /bin/false
postinstall scriptlet (using /bin/sh):
/usr/bin/systemd-tmpfiles --create tor.conf 

/usr/share/rpm-helper/add-service tor $1 tor
preuninstall scriptlet (using /bin/sh):
/usr/share/rpm-helper/del-service tor $1 tor 

/usr/share/rpm-helper/del-service tor $1 tor-master 


if [ $1 -eq 0 ]; then
        rm -f /var/lib/tor/*
fi
postuninstall scriptlet (using /bin/sh):
if [ $1 -ge 1 ]; then
    # Use restart instead of try-restart, as tor-master may be "inactive" even
    # when there are tor.service and tor@.service instances running.
    systemctl restart tor-master.service >/dev/null 2>&1 || :
fi
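The %preun failure reported in Comment 7, reproduced on a throwaway directory tree. This is an added example, not code from the Mageia package or the tor project: the scriptlet's "rm -f /var/lib/tor/*" is emulated as a shell function that takes the directory and the rpm scriptlet argument ($1 is 0 on final erase and 1 or more on upgrade), and the stand-in for /var/lib/tor (a couple of state files plus a "keys" subdirectory) is constructed for this example.

```shell
#!/bin/sh
# Added example (not from the Mageia tor package): shows why
# "rm -f /var/lib/tor/*" fails in %preun when /var/lib/tor/keys exists,
# and that "rm -rf" empties the directory as intended.

# Build a stand-in for /var/lib/tor. The "keys" subdirectory is what makes
# the original scriptlet line fail. Paths are constructed for this example.
make_state_dir() {
    d=$(mktemp -d)
    touch "$d/state" "$d/lock"
    mkdir "$d/keys"
    touch "$d/keys/secret_id_key"
    echo "$d"
}

# Original scriptlet logic: $1 is the rpm argument (0 = package erased,
# >= 1 = upgrade, where the state must be kept). "rm -f" refuses directories,
# so the files go but "keys" stays and rm exits non-zero, which fails %preun.
preun_original() {
    dir=$1; arg=$2
    if [ "$arg" -eq 0 ]; then
        rm -f "$dir"/*
    fi
}

# Corrected logic: "-r" removes the keys directory and its contents too.
preun_fixed() {
    dir=$1; arg=$2
    if [ "$arg" -eq 0 ]; then
        rm -rf "$dir"/*
    fi
}

# Returns 0 when the directory has no entries left (hidden ones included).
dir_is_empty() {
    [ -z "$(ls -A "$1")" ]
}

# Demonstration when the script is run directly.
demo() {
    d=$(make_state_dir)
    if preun_original "$d" 0 2>/dev/null; then
        echo "original: succeeded (not expected with a keys/ subdirectory)"
    else
        echo "original: rm failed, leftovers: $(ls -A "$d")"
    fi
    preun_fixed "$d" 0 && dir_is_empty "$d" && echo "fixed: stand-in emptied"
    rm -rf "$d"
}

demo
```

On a real system the scriptlet runs as root against /var/lib/tor, so the fix belongs in the spec file's %preun, not in a wrapper; the point of the emulation is only to show that the exit status of rm is what rpm turns into "scriptlet failed, exit status 1".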
Comment 8 Thomas Andrews 2021-04-11 17:56:01 CEST
(In reply to Guillaume Royer from comment #5)
> Installation TOR on M8 XFCE.
> 
> Update with QA repo and: 
> 
> tor-0.3.5.14-1.mga8
> 
> No problem at installation and TOR run without error codes.
> 
> I don't know enough about the software to properly evaluate how it works. Can
> you tell me what to do to know how to evaluate it.

You got farther than I did. No error codes, but the app refused to run - I think because I simply have no idea of how to run it properly. 

Reading /usr/share/doc/tor/tor.html would seem to bear this out. This app is far too complicated for a novice to learn quickly enough to give an evaluation. 

Because the MGA7 update that PC LX tested is the same version as the one for MGA8, it is likely that functionality is the same. Since you had a clean install and were able to get the software to run without errors, and because of the critical nature of the update, I'm going to give it an OK for MGA8.

Also because of the critical nature of the update, I'm going to validate it. The issues described in Comment 7 should be brought up in a new bug, especially if they are still valid in MGA8, but I don't believe they are urgent enough to hold this back.

Advisory in Comment 4.

Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Aurelien Oudelet 2021-04-12 15:34:50 CEST

Keywords: (none) => advisory
CC: (none) => ouaurelien
CVE: (none) => CVE-2021-28089, CVE-2021-28090

Comment 9 Mageia Robot 2021-04-12 22:02:22 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0180.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 10 David Walser 2021-05-27 23:45:26 CEST
Debian issued an advisory for this on March 16:
https://www.debian.org/security/2021/dsa-4871
