[gentoo-announce] [ GLSA 200904-11 ] Tor: Multiple vulnerabilities - gentoo-announce

From:	Robert Buchholz <rbu@g.o>
To:	gentoo-announce@l.g.o
Cc:	bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject:	[gentoo-announce] [ GLSA 200904-11 ] Tor: Multiple vulnerabilities
Date:	Wed, 08 Apr 2009 23:03:29
Message-Id:	`200904090048.59571.rbu@gentoo.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 200904-11

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                            http://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

  Severity: High

8

     Title: Tor: Multiple vulnerabilities

9

      Date: April 08, 2009

10

      Bugs: #250018, #256078, #258833

11

        ID: 200904-11

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

Multiple vulnerabilities in Tor might allow for heap corruption, Denial

19

of Service, escalation of privileges and information disclosure.

20

21

Background

22

==========

23

24

Tor is an implementation of second generation Onion Routing, a

25

connection-oriented anonymizing communication service.

26

27

Affected packages

28

=================

29

30

    -------------------------------------------------------------------

31

     Package       /  Vulnerable  /                         Unaffected

32

    -------------------------------------------------------------------

33

  1  net-misc/tor     < 0.2.0.34                           >= 0.2.0.34

34

35

Description

36

===========

37

38

* Theo de Raadt reported that the application does not properly drop

39

  privileges to the primary groups of the user specified via the "User"

40

  configuration option (CVE-2008-5397).

41

42

* rovv reported that the "ClientDNSRejectInternalAddresses"

43

  configuration option is not always enforced (CVE-2008-5398).

44

45

* Ilja van Sprundel reported a heap-corruption vulnerability that

46

  might be remotely triggerable on some platforms (CVE-2009-0414).

47

48

* It has been reported that incomplete IPv4 addresses are treated as

49

  valid, violating the specification (CVE-2009-0939).

50

51

* Three unspecified vulnerabilities have also been reported

52

  (CVE-2009-0936, CVE-2009-0937, CVE-2009-0938).

53

54

Impact

55

======

56

57

A local attacker could escalate privileges by leveraging unintended

58

supplementary group memberships of the Tor process. A remote attacker

59

could exploit these vulnerabilities to cause a heap corruption with

60

unknown impact and attack vectors, to cause a Denial of Service via CPU

61

consuption or daemon crash, and to weaken anonymity provided by the

62

service.

63

64

Workaround

65

==========

66

67

There is no known workaround at this time.

68

69

Resolution

70

==========

71

72

All Tor users should upgrade to the latest version:

73

74

    # emerge --sync

75

    # emerge --ask --oneshot --verbose ">=net-misc/tor-0.2.0.34"

76

77

References

78

==========

79

80

  [ 1 ] CVE-2008-5397

81

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5397

82

  [ 2 ] CVE-2008-5398

83

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5398

84

  [ 3 ] CVE-2009-0414

85

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0414

86

  [ 4 ] CVE-2009-0936

87

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0936

88

  [ 5 ] CVE-2009-0937

89

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0937

90

  [ 6 ] CVE-2009-0938

91

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0938

92

  [ 7 ] CVE-2009-0939

93

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0939

94

95

Availability

96

============

97

98

This GLSA and any updates to it are available for viewing at

99

the Gentoo Security Website:

100

101

  http://security.gentoo.org/glsa/glsa-200904-11.xml

102

103

Concerns?

104

=========

105

106

Security is a primary focus of Gentoo Linux and ensuring the

107

confidentiality and security of our users machines is of utmost

108

importance to us. Any security concerns should be addressed to

109

security@g.o or alternatively, you may file a bug at

110

http://bugs.gentoo.org.

111

112

License

113

=======

114

115

Copyright 2009 Gentoo Foundation, Inc; referenced text

116

belongs to its owner(s).

117

118

The contents of this document are licensed under the

119

Creative Commons - Attribution / Share Alike license.

120

121

http://creativecommons.org/licenses/by-sa/2.5

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 200904-11
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	http://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: High
8	Title: Tor: Multiple vulnerabilities
9	Date: April 08, 2009
10	Bugs: #250018, #256078, #258833
11	ID: 200904-11
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	Multiple vulnerabilities in Tor might allow for heap corruption, Denial
19	of Service, escalation of privileges and information disclosure.
20
21	Background
22	==========
23
24	Tor is an implementation of second generation Onion Routing, a
25	connection-oriented anonymizing communication service.
26
27	Affected packages
28	=================
29
30	-------------------------------------------------------------------
31	Package / Vulnerable / Unaffected
32	-------------------------------------------------------------------
33	1 net-misc/tor < 0.2.0.34 >= 0.2.0.34
34
35	Description
36	===========
37
38	* Theo de Raadt reported that the application does not properly drop
39	privileges to the primary groups of the user specified via the "User"
40	configuration option (CVE-2008-5397).
41
42	* rovv reported that the "ClientDNSRejectInternalAddresses"
43	configuration option is not always enforced (CVE-2008-5398).
44
45	* Ilja van Sprundel reported a heap-corruption vulnerability that
46	might be remotely triggerable on some platforms (CVE-2009-0414).
47
48	* It has been reported that incomplete IPv4 addresses are treated as
49	valid, violating the specification (CVE-2009-0939).
50
51	* Three unspecified vulnerabilities have also been reported
52	(CVE-2009-0936, CVE-2009-0937, CVE-2009-0938).
53
54	Impact
55	======
56
57	A local attacker could escalate privileges by leveraging unintended
58	supplementary group memberships of the Tor process. A remote attacker
59	could exploit these vulnerabilities to cause a heap corruption with
60	unknown impact and attack vectors, to cause a Denial of Service via CPU
61	consuption or daemon crash, and to weaken anonymity provided by the
62	service.
63
64	Workaround
65	==========
66
67	There is no known workaround at this time.
68
69	Resolution
70	==========
71
72	All Tor users should upgrade to the latest version:
73
74	# emerge --sync
75	# emerge --ask --oneshot --verbose ">=net-misc/tor-0.2.0.34"
76
77	References
78	==========
79
80	[ 1 ] CVE-2008-5397
81	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5397
82	[ 2 ] CVE-2008-5398
83	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5398
84	[ 3 ] CVE-2009-0414
85	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0414
86	[ 4 ] CVE-2009-0936
87	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0936
88	[ 5 ] CVE-2009-0937
89	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0937
90	[ 6 ] CVE-2009-0938
91	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0938
92	[ 7 ] CVE-2009-0939
93	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0939
94
95	Availability
96	============
97
98	This GLSA and any updates to it are available for viewing at
99	the Gentoo Security Website:
100
101	http://security.gentoo.org/glsa/glsa-200904-11.xml
102
103	Concerns?
104	=========
105
106	Security is a primary focus of Gentoo Linux and ensuring the
107	confidentiality and security of our users machines is of utmost
108	importance to us. Any security concerns should be addressed to
109	security@g.o or alternatively, you may file a bug at
110	http://bugs.gentoo.org.
111
112	License
113	=======
114
115	Copyright 2009 Gentoo Foundation, Inc; referenced text
116	belongs to its owner(s).
117
118	The contents of this document are licensed under the
119	Creative Commons - Attribution / Share Alike license.
120
121	http://creativecommons.org/licenses/by-sa/2.5