Common Vulnerabilities and Exposures assigned an identifier CVE-2008-5397 to the following vulnerability: Tor before 0.2.0.32 does not properly process the (1) User and (2) Group configuration options, which might allow local users to gain privileges by leveraging unintended supplementary group memberships of the Tor process. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5397 http://blog.torproject.org/blog/tor-0.2.0.32-released http://www.securityfocus.com/bid/32648 http://secunia.com/advisories/33025 http://xforce.iss.net/xforce/xfdb/47101 Patch from Jacob Appelbaum and Steven Murdoch (BTS 848 and 857): https://svn.torproject.org/cgi-bin/viewcvs.cgi?rev=17255&view=rev
This issue affects the versions of the tor package, as shipped with Fedora releases of 8,9 and 10. Please upgrade to latest upstream version of apply the above patch.
All current Fedora versions are already updated to upstream version 0.2.0.23: https://admin.fedoraproject.org/updates/F8/FEDORA-2008-10954 https://admin.fedoraproject.org/updates/F9/FEDORA-2008-10989 https://admin.fedoraproject.org/updates/F10/FEDORA-2008-10991
(In reply to comment #2) > All current Fedora versions are already updated to upstream version 0.2.0.23: Bah, 0.2.0.32 that should be, of course...
fwiw, this bug never affected any tor version shipped by fedora. There was always a patch like http://cvs.fedora.redhat.com/viewvc/rpms/tor/F-7/tor-0.1.1.26-setgroups.patch?revision=1.1&root=extras&view=markup dropping supplementary groups.