Bug 1059194 - (CVE-2017-0380) VUL-0: CVE-2017-0380: tor: Stack disclosure in hidden services logs when SafeLogging disabled
(CVE-2017-0380)
VUL-0: CVE-2017-0380: tor: Stack disclosure in hidden services logs when Safe...
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Leap 42.3
Other Other
: P3 - Medium : Normal (vote)
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/192154/
CVSSv2:SUSE:CVE-2017-0380:4.3:(AV:N/A...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-09-18 16:23 UTC by Andreas Stieger
Modified: 2017-09-26 22:42 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Stieger 2017-09-18 16:23:34 UTC
https://lists.torproject.org/pipermail/tor-talk/2017-September/043585.html

[TROVE-2017-008.  CVE-2017-0380. Severity: medium]

Hello!

  We have found a possible problem with the code that reports an error
  during the construction of an introduction point circuit.  Because
  of this bug, it is possible that some hidden services will sometimes
  write sensitive information into their logs.

  This bug can only happen when the SafeLogging option is disabled,
  and SafeLogging is enabled by default.  If you have not disabled
  SafeLogging, then you should be fine.

  We are tracking this bug as TROVE-2017-008 and as ticket #23490. It
  is also CVE-2017-0380.


MITIGATION:

   1. If you are not running a hidden service, then you don't need
      to do anything.  This bug does not affect you.

   2. If you are running 0.2.5.x, this bug does not affect you: it
      first appeared in 0.2.7.2-alpha.  Other bugs do affect you,
      though: 0.2.5.x is pretty old!

      (If you are running 0.2.4, or 0.2.6, or 0.2.7, you should just
      upgrade. We aren't supporting those releases.)

   3. Make sure that you did not change the value of the SafeLogging
      option in your configuration -- or if you did, that you set it
      to "1".  SafeLogging needs to be turned to "0" or "relay" for
      this bug to occur.

   4. If you did disable SafeLogging, re-enable it: Set it to 1, and
      use a HUP signal to tell Tor to reload its configuration.

   5. If you did disable SafeLogging, you should delete any old logs
      that were generated with SafeLogging disabled.

      (You should be regularly removing old logs anyway, as a best
      security practice.)


ACKNOWLEDGMENTS:

    We found this when we re-added scan-build's dead assignment
    checker into the checkers that we run on Tor.  Obviously, it's
    time to make sure that scan-build gets run more frequently.

FIX:

    There are patches for this issue linked from ticket #23490 on
    our bugtracker.

    I will be putting out updated releases today.  This bug will be
    fixed in 0.2.8.15, 0.2.9.12, 0.3.0.11, 0.3.1.7, and
    0.3.2.1-alpha.
Comment 1 Bernhard Wiedemann 2017-09-18 18:00:47 UTC
This is an autogenerated message for OBS integration:
This bug (1059194) was mentioned in
https://build.opensuse.org/request/show/527085 Factory / tor
https://build.opensuse.org/request/show/527090 42.2+42.3 / tor
Comment 2 Bernhard Wiedemann 2017-09-18 20:01:09 UTC
This is an autogenerated message for OBS integration:
This bug (1059194) was mentioned in
https://build.opensuse.org/request/show/527120 Factory / tor
Comment 3 Bernhard Wiedemann 2017-09-20 16:00:57 UTC
This is an autogenerated message for OBS integration:
This bug (1059194) was mentioned in
https://build.opensuse.org/request/show/527563 Factory / tor
Comment 4 Andreas Stieger 2017-09-26 18:33:12 UTC
done
Comment 5 Swamp Workflow Management 2017-09-26 22:08:31 UTC
openSUSE-SU-2017:2573-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1059194
CVE References: CVE-2017-0380
Sources used:
openSUSE Leap 42.3 (src):    tor-0.3.0.11-3.1
openSUSE Leap 42.2 (src):    tor-0.2.9.12-8.6.1