Tor is vulnerable to a rewrite vuln on the controlport

Bug #152232 reported by Adna rim
Affects | Status | Importance | Assigned to | Milestone
Feisty Backports | Fix Released | Undecided | Unassigned |
tor (Ubuntu) | Fix Released | Undecided | Unassigned |
Nominated for Edgy by John Dong
Nominated for Feisty by John Dong
Nominated for Gutsy by John Dong

Bug Description

Well, I already filled out a bug report about tor being way too outdated more than 2 months ago and you didn't care. Maybe a security vuln will change this. Source: http://secunia.com/advisories/26301

Description:
A vulnerability has been reported in Tor, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to the ControlPort (localhost:9051) handling commands without authentication when the first command was not a successful "authenticate" command. This can be exploited to e.g. modify the "torrc" file, when a user views a malicious web page containing a specially crafted POST request or via a malicious tor exit node.

Successful exploitation may compromise a user's anonymity, but requires that the ControlPort is enabled.

The vulnerability is reported in versions prior to 0.1.2.16.

Addition: The control port is activated by default. An exploit, even if it's just for the Windows version, has already been released: http://milw0rm.com/exploits/4468 , so it's likely that Linux exploits are also out in the wild.
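
As an added example (not part of the bug report and not Tor's own code), a small Python check that applies the advisory's two conditions, a version prior to 0.1.2.16 and an enabled ControlPort, to a host's Tor version and torrc. The function names and the sample torrc are constructed for illustration; comparing only the leading version numbers is an assumption that follows the advisory's wording and does not cover development-series releases.

```python
import re

FIXED = (0, 1, 2, 16)  # advisory above: versions prior to 0.1.2.16 are affected

def parse_version(text):
    """Leading dotted-number part of a Tor version string as an int tuple."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))

def parse_torrc(text):
    """Map lower-cased option name to its last value; '#' starts a comment."""
    opts = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split(None, 1)
        if fields:
            opts[fields[0].lower()] = fields[1].strip() if len(fields) > 1 else ""
    return opts

def audit(version, torrc_text):
    """Report whether this Tor version and torrc match the advisory's conditions."""
    opts = parse_torrc(torrc_text)
    port = opts.get("controlport") or None
    if port is None:
        control_port = "unset"      # falls back to the build or package default
    elif port == "0":
        control_port = "disabled"
    else:
        control_port = "enabled"
    affected = parse_version(version) < FIXED
    return {
        "affected_version": affected,
        "control_port": control_port,
        # Hardening status only; the remedy for this bug is the upgrade.
        "auth_configured": opts.get("cookieauthentication") == "1"
                           or bool(opts.get("hashedcontrolpassword")),
        # "unset" is treated as exposed because the default is not known here.
        "exposed": affected and control_port != "disabled",
    }

# Constructed sample torrc, not taken from any real host.
SAMPLE_TORRC = """\
SocksPort 9050
ControlPort 9051   # local controller
"""

if __name__ == "__main__":
    for v in ("0.1.2.15", "0.1.2.17"):
        print(v, audit(v, SAMPLE_TORRC))
```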

Jamie Strandboge (jdstrand) wrote :

CVE-2007-4174

Changed in tor:
status: New → Confirmed
John Dong (jdong) wrote :

Hardy already has 1.2.17

Changed in tor:
status: Confirmed → Fix Released
John Dong (jdong) wrote :

Ok,

I will triage the backport for the purpose of having a fresh version of Tor in stable releases (I understand previous versions are being blacklisted already).

The security vulnerability, however, I have nominated for fixing in Ubuntu stable releases; I don't want to use Backports as an excuse for not doing a proper security update.

John Dong (jdong) wrote :

Oops, was overzealous in marking nominations -- please reject Gutsy nomination (not affecting Gutsy)

John Dong (jdong) wrote :

Builds and runs

ACK from Backporters.

Changed in feisty-backports:
status: New → In Progress
Sebastien Bacher (seb128) wrote :

 * Trying to backport tor...
  - <tor_0.1.2.18.orig.tar.gz: downloading from librarian>
  - <tor_0.1.2.18-1.diff.gz: downloading from librarian>
  - <tor_0.1.2.18-1.dsc: downloading from librarian>
I: Extracting tor_0.1.2.18-1.dsc ... done.
I: Building backport of tor-0.1.2.18 as 0.1.2.18-1~feisty1 ... done.

Changed in feisty-backports:
status: In Progress → Fix Released
Sebastien Bacher (seb128) wrote :

not doing the backport in fact, the bug is not clear if the feisty or gutsy version should be backported

Changed in feisty-backports:
status: Fix Released → Incomplete
Sebastien Bacher (seb128) wrote :

the gutsy or hardy version rather

John Dong (jdong) wrote :

Sorry for the unclearness. The Gutsy version should be backported to Feisty.

Changed in feisty-backports:
status: Incomplete → In Progress
Sebastien Bacher (seb128) wrote :

 * Trying to backport tor...
  - <tor_0.1.2.17.orig.tar.gz: downloading from librarian>
  - <tor_0.1.2.17-1.diff.gz: downloading from librarian>
  - <tor_0.1.2.17-1.dsc: downloading from librarian>
I: Extracting tor_0.1.2.17-1.dsc ... done.
I: Building backport of tor-0.1.2.17 as 0.1.2.17-1~feisty1 ... done.

Changed in feisty-backports:
status: In Progress → Fix Released