[Bug 1207110] New: VUL-0: tor: The SafeSocks option for SOCKS4(a) is inverted leading to SOCKS4 going through (TROVE-2022-002)
http://bugzilla.opensuse.org/show_bug.cgi?id=1207110

Bug ID: 1207110
Summary: VUL-0: tor: The SafeSocks option for SOCKS4(a) is inverted leading to SOCKS4 going through (TROVE-2022-002)
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.4
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: bwiedemann@suse.com
Reporter: Andreas.Stieger@gmx.de
QA Contact: security-team@suse.de
Found By: ---
Blocker: ---

It was discovered that tor before 0.4.5.16 / 0.4.7.13 had an inverted logic for the SafeSocks options for SOCKS4 and SOCKS4a. This could lead to tor client users who relied on the "SafeSocks 1" option to avoid DNS leaks to have unsafe Tor traffic. The incorrect implementation would let the unsafe SOCKS4 pass but not the safe SOCKS4a one.

References:
https://gitlab.torproject.org/tpo/core/tor/-/issues/40730
https://gitlab.torproject.org/tpo/core/tor/-/commit/a282145b3634547ab84ccd95...
https://hackerone.com/bugs?subject=torproject&report_id=1784589
https://lists.torproject.org/pipermail/tor-announce/2023-January/000261.html
https://forum.torproject.net/t/stable-release-0-4-5-16-and-0-4-7-13/6216

--
You are receiving this mail because: You are on the CC list for the bug.
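The SOCKS4 / SOCKS4a distinction behind the report above, as an added example (not tor's code and not part of the original mail): a minimal classifier for SOCKS4-family CONNECT requests plus the intended SafeSocks decision next to the inverted one the report describes. All function names and the sample requests are constructed for illustration; only CONNECT is handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Result of classifying a SOCKS4-family CONNECT request. */
enum socks4_kind { S4_INVALID = 0, S4_PLAIN_IP, S4A_HOSTNAME };

/* Layout: VN(1) CD(1) DSTPORT(2) DSTIP(4) USERID\0 [HOSTNAME\0].
 * SOCKS4a is signalled by DSTIP 0.0.0.x with x != 0, followed by a hostname,
 * so the proxy (not the application) performs the name resolution. */
enum socks4_kind classify_socks4(const uint8_t *buf, size_t len)
{
    if (len < 9 || buf[0] != 4 || buf[1] != 1)
        return S4_INVALID;                 /* too short, not v4, not CONNECT */
    const uint8_t *ip = buf + 4;
    const uint8_t *user_end = memchr(buf + 8, 0, len - 8);
    if (!user_end)
        return S4_INVALID;                 /* unterminated USERID */
    int is_4a = ip[0] == 0 && ip[1] == 0 && ip[2] == 0 && ip[3] != 0;
    if (!is_4a)
        return S4_PLAIN_IP;                /* client already resolved the name */
    const uint8_t *host = user_end + 1;
    size_t remaining = len - (size_t)(host - buf);
    const uint8_t *host_end = remaining ? memchr(host, 0, remaining) : NULL;
    if (!host_end || host_end == host)
        return S4_INVALID;                 /* missing or empty hostname */
    return S4A_HOSTNAME;
}

/* Intended policy: with safe_socks set, reject requests carrying only an IP. */
int safesocks_allows(enum socks4_kind kind, int safe_socks)
{
    if (kind == S4_INVALID)
        return 0;
    return !(safe_socks && kind == S4_PLAIN_IP);
}

/* Model of the inverted behaviour described in the report, for comparison. */
int safesocks_allows_inverted(enum socks4_kind kind, int safe_socks)
{
    if (kind == S4_INVALID)
        return 0;
    return !(safe_socks && kind == S4A_HOSTNAME);
}

/* Constructed sample requests (port 80, empty USERID). */
const uint8_t REQ_SOCKS4[]  = {4, 1, 0, 80, 192, 0, 2, 10, 0};
const uint8_t REQ_SOCKS4A[] = {4, 1, 0, 80, 0, 0, 0, 1, 0,
                               'e','x','a','m','p','l','e','.','o','r','g', 0};
```
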
http://bugzilla.opensuse.org/show_bug.cgi?id=1207110#c1

--- Comment #1 from OBSbugzilla Bot <bwiedemann+obsbugzillabot@suse.com> ---
This is an autogenerated message for OBS integration:
This bug (1207110) was mentioned in
https://build.opensuse.org/request/show/1058127 Factory / tor
https://build.opensuse.org/request/show/1058128 Backports:SLE-15-SP3 / tor
https://build.opensuse.org/request/show/1058129 Backports:SLE-15-SP4 / tor
https://build.opensuse.org/request/show/1058130 Backports:SLE-15-SP5 / tor