Security fixes in tor 0.2.0.32 .33 .34

Bug #321102 reported by JensLechtenboerger
Affects         Status        Importance  Assigned to  Milestone
tor (Debian)    Fix Released  Unknown
tor (Ubuntu)    Fix Released  Undecided   Unassigned
  Dapper        Won't Fix     High        Unassigned
  Gutsy         Won't Fix     High        Unassigned
  Hardy         Fix Released  High        Unassigned
  Intrepid      Fix Released  High        Unassigned

Bug Description

Tor 0.2.0.34 contains:

  o Security fixes:
    - Fix an infinite-loop bug on handling corrupt votes under certain
      circumstances. Bugfix on 0.2.0.8-alpha.
    - Fix a temporary DoS vulnerability that could be performed by
      a directory mirror. Bugfix on 0.2.0.9-alpha; reported by lark.
    - Avoid a potential crash on exit nodes when processing malformed
      input. Remote DoS opportunity. Bugfix on 0.2.0.33.
    - Do not accept incomplete ipv4 addresses (like 192.168.0) as valid.
      Spec conformance issue. Bugfix on Tor 0.0.2pre27.

-----

Tor 0.2.0.33 comes with the following changelog entry: "Fix a heap-corruption bug that may be remotely triggerable on some platforms"
(From http://archives.seul.org/or/announce/Jan-2009/msg00000.html)

-----

  Tor 0.2.0.32 fixes a major security problem in Debian and Ubuntu
  packages (and maybe other packages) noticed by Theo de Raadt, fixes
  a smaller security flaw that might allow an attacker to access local
  services, further improves hidden service performance, and fixes a
  variety of other issues.

  o Security fixes:
    - The "User" and "Group" config options did not clear the
      supplementary group entries for the Tor process. The "User" option
      is now more robust, and we now set the groups to the specified
      user's primary group. The "Group" option is now ignored. For more
      detailed logging on credential switching, set CREDENTIAL_LOG_LEVEL
      in common/compat.c to LOG_NOTICE or higher. Patch by Jacob Appelbaum
      and Steven Murdoch. Bugfix on 0.0.2pre14. Fixes bug 848 and 857.
    - The "ClientDNSRejectInternalAddresses" config option wasn't being
      consistently obeyed: if an exit relay refuses a stream because its
      exit policy doesn't allow it, we would remember what IP address
      the relay said the destination address resolves to, even if it's
      an internal IP address. Bugfix on 0.2.0.7-alpha; patch by rovv.

https://www.torproject.org/svn/trunk/ChangeLog
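The supplementary-groups fix quoted from the 0.2.0.32 changelog above, sketched in C as an added example; it is not Tor's code and not part of the original report. The helper names `groups_are_minimal` and `drop_to_user` are hypothetical, and the code assumes a Unix system where the process starts as root.

```c
/* Added example: drop root and leave only the target user's primary group. */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if every entry of the supplementary list equals `primary`, else 0. */
int groups_are_minimal(const gid_t *list, int n, gid_t primary)
{
    for (int i = 0; i < n; i++)
        if (list[i] != primary)
            return 0;
    return 1;
}

/* Switch a root process to `name`. Returns 0 on success, -1 on any failure;
 * on failure the caller should exit rather than keep running. */
int drop_to_user(const char *name)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL) return -1;
    uid_t uid = pw->pw_uid;
    gid_t gid = pw->pw_gid;

    /* Order matters: once setuid() succeeds the process may no longer
     * change its groups, so the list inherited from root must go first. */
    if (setgroups(1, &gid) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;

    /* Verify the result instead of trusting return codes alone. */
    gid_t now[64];
    int n = getgroups(64, now);
    if (n < 0 || !groups_are_minimal(now, n, gid)) return -1;
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    if (uid != 0 && setuid(0) == 0) return -1; /* root must be unrecoverable */
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 2 || drop_to_user(argv[1]) != 0) {
        fprintf(stderr, "privilege drop failed\n");
        return 1;
    }
    printf("now uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```

Omitting the `setgroups()` call reproduces the class of flaw the changelog entry describes: the uid changes, but the process keeps the group memberships it inherited at startup.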

Hew (hew) wrote :

Thanks for your report. You have mentioned a number of issues:

I notice there was a major security fix in 0.2.0.32 (that specifically mentions Ubuntu), as well as the fix you mentioned in 0.2.0.33. This bug should be used for the security problem/s as per https://wiki.ubuntu.com/SecurityUpdateProcedures.

The latest version in Ubuntu is tor 0.2.0.32-1 in Jaunty. I have filed a sync request for 0.2.0.33-1 at bug 321122.

If you are interested in having the latest version of tor in Ubuntu Hardy, please file a backport request as described at https://help.ubuntu.com/community/UbuntuBackports .

Hew (hew)
description: updated
Jamie Strandboge (jdstrand) wrote : Re: Security fixes in tor 0.2.0.32 and .33

Jaunty now has 0.2.0.33-1

Changed in tor:
status: New → Fix Released
status: New → Confirmed
importance: Undecided → High
status: New → Confirmed
importance: Undecided → High
status: New → Confirmed
importance: Undecided → High
status: New → Confirmed
importance: Undecided → High
Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and taking the time to report a bug. This package is in universe and is community supported. If you are able, perhaps you could prepare debdiffs to fix this by following https://wiki.ubuntu.com/SecurityUpdateProcedures.

JensLechtenboerger (lechten) wrote :

Many thanks for your quick responses!
As I wrote via e-mail already (hoping it would appear here automagically):
I'm sorry, but I've never created a debdiff.
To be honest I don't think that separate debdiffs are worth the trouble. Tor is under constant development, and lots of bugs (ordinary ones as well as attacks against its anonymity goal) are fixed frequently.

In my view, this kind of software requires the use of the newest release. Otherwise, it's just dangerous.
I filed a backport request as suggested by Hew McLachlan:
https://bugs.launchpad.net/bugs/321520

Greg (pcguy11) wrote :

Tor 0.2.0.34 is out and fixes a security issue.

Hew (hew)
description: updated
Nizar Kerkeni (nizarus) wrote :

tor is no longer available in jaunty :/
Why has it been removed from the repository?

Hew (hew) wrote :

Nizar, please see bug 328442 for why it's been removed.

With tor 0.2.0.34 in hardy- and intrepid-proposed, the security issues will be fixed in these releases. Marking Fix Committed.

Changed in tor (Ubuntu Intrepid):
status: Confirmed → Fix Committed
Changed in tor (Ubuntu Hardy):
status: Confirmed → Fix Committed
Hew (hew) wrote :

Gutsy is EoL, marking Won't Fix.

Changed in tor (Ubuntu Gutsy):
status: Confirmed → Won't Fix
Hew (hew)
Changed in tor (Ubuntu Intrepid):
status: Fix Committed → Fix Released
Changed in tor (Ubuntu Hardy):
status: Fix Committed → Fix Released
Changed in tor (Debian):
status: Unknown → Fix Released
Rolf Leggewie (r0lf)
Changed in tor (Ubuntu Dapper):
status: Confirmed → Won't Fix
This report contains Public Security information  
Everyone can see this security related information.
