From: Giovanni Pellerano <giovanni.pellerano@evilaliv3.org>
To: tor-talk@lists.torproject.org
Date: Sun, 22 Feb 2015 18:24:06 +0100
Subject: [tor-talk] GlobaLeaks directory traversal vulnerability has been discovered and fixed
Message-ID: <54EA10B6.1040209@evilaliv3.org>

Security Advisory - 22 February 2015 18:00 CET

GlobaLeaks directory traversal vulnerability has been discovered and fixed

Version 2.60.54 of the GlobaLeaks software, released on 28 January 2015
during an intensive session of customization for new whistleblowing
projects, introduced a directory traversal vulnerability.

On 16 February 2015, with the release of version 2.60.62, the issue was
fixed.

We invite anyone who installed or upgraded GlobaLeaks between 28 January
and 16 February, and whose initiative is not publicly indexed on
Wikipedia, to upgrade!

Vulnerable versions
The GlobaLeaks versions reported to be vulnerable:
2.60.61 - 2015-02-12
2.60.60 - 2015-02-10
2.60.59 - 2015-02-10
2.60.58 - 2015-02-04
2.60.57 - 2015-02-03
2.60.56 - 2015-02-03
2.60.55 - 2015-01-29
2.60.54 - 2015-01-28

Exposure
The vulnerability could potentially have enabled downloading every file
under the /var/globaleaks/ directory, except for the Tor Hidden Service
key (protected by file permissions).

Of the initiatives publicly using GlobaLeaks [1], only 4 out of 23 were
found to be vulnerable, because of installations or upgrades done in the
past few weeks.

Within a few hours we coordinated the release of the fix and the upgrades
with the adopters and the infrastructure partners, who are now safe from
this vulnerability.

An analysis of the /var/globaleaks/log/globaleaks* log files with those
4 users revealed no disclosure of sensitive information, such as the
configuration database of the GlobaLeaks node.

To check for exploitation of this vulnerability, the right command is:
grep '&#47;&#47;&#47;&#47' /var/globaleaks/log/*.log*
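The grep above matches four consecutive HTML-entity-encoded slashes, which suggests the node's log files store "/" as "&#47;". The following script is an added example (not GlobaLeaks' own tooling) that applies the same marker to log lines, reports the matching line numbers and decodes the entities so the requested path is readable during triage. The sample log lines are constructed on that assumption and do not reproduce the real GlobaLeaks log format.

```python
import glob
import html
import re

# Same pattern as the advisory's grep command: four consecutive encoded
# slashes, the last one written without the trailing ';' exactly as in grep.
TRAVERSAL_MARKER = re.compile(r"(?:&#47;){3}&#47")

# Constructed sample lines (the format is invented for this example; only the
# '&#47;' encoding of slashes is taken from the advisory's grep pattern).
SAMPLE_LOG = """\
2015-02-10 10:41:07+0100 [-] GET &#47;static&#47;css&#47;main.css 200
2015-02-10 10:41:09+0100 [-] GET &#47;static&#47;&#47;&#47;&#47;etc&#47;hostname 200
2015-02-10 10:42:30+0100 [-] GET &#47;submission 200
2015-02-10 10:43:12+0100 [-] GET &#47;static&#47;&#47;&#47;&#47;etc&#47;os-release 404
"""


def find_traversal_hits(lines):
    """Return [(line_number, decoded_line)] for every line carrying the marker.

    html.unescape() turns '&#47;' back into '/', so a hit reads as the path
    that was actually requested instead of a wall of entities.
    """
    hits = []
    for number, line in enumerate(lines, start=1):
        if TRAVERSAL_MARKER.search(line):
            hits.append((number, html.unescape(line.rstrip("\n"))))
    return hits


def scan_files(pattern="/var/globaleaks/log/*.log*"):
    """Equivalent of the grep over a glob: {path: hits} for files with hits.

    The default glob mirrors the advisory's command; read errors on a single
    file are reported instead of aborting the whole scan.
    """
    results = {}
    for path in sorted(glob.glob(pattern)):
        try:
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                hits = find_traversal_hits(fh)
        except OSError as exc:
            hits = [(0, f"unreadable: {exc}")]
        if hits:
            results[path] = hits
    return results


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; on a node you would
    # call scan_files() instead.
    for number, decoded in find_traversal_hits(SAMPLE_LOG.splitlines(keepends=True)):
        print(f"line {number}: {decoded}")
```

A non-empty result is an indicator, not proof of a successful download: the advisory's own follow-up was to inspect what each matching request asked for and whether the response actually returned a file.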

The vulnerability was introduced with commit
4d59f7cc23256abf0e26755b0005044813e9c225 [2], fixing issue #1110 [3].
The vulnerability was fixed in commit
495c8e33a98e29a4bbe471f98d240ee9e077c738 [4].
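To illustrate the bug class behind this advisory, here is an added example that is not the GlobaLeaks handler from either commit (the exact faulty code is not reproduced here): a naive static-file path resolution that can be escaped, beside a hardened version that always interprets the request relative to the base directory and rejects any resolved path that lies outside it. The base directory name is assumed for illustration, not taken from the project.

```python
import os
import tempfile
from pathlib import Path


def naive_resolve(base_dir: str, requested: str) -> str:
    """Vulnerable pattern (illustrative, not the project's code).

    os.path.join() discards every preceding component as soon as a later one
    is absolute, so a request starting with one or more '/' leaves base_dir
    entirely, and '..' components are never rejected either.
    """
    return os.path.normpath(os.path.join(base_dir, requested))


def safe_resolve(base_dir: str, requested: str):
    """Hardened pattern: the resolved path if it lies inside base_dir, else None."""
    base = Path(base_dir).resolve()
    # Leading slashes (including runs such as '////') would make the joined
    # path absolute; strip them so the request is always relative to base.
    candidate = (base / requested.lstrip("/")).resolve()
    # Containment check after '..' and symlink resolution: relative_to()
    # raises ValueError when candidate is not beneath base.
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return str(candidate)


def serve_static(base_dir: str, requested: str):
    """Return the file bytes only if safe_resolve() accepts the request."""
    path = safe_resolve(base_dir, requested)
    if path is None or not os.path.isfile(path):
        return None  # caller answers 404/403 instead of leaking a file
    with open(path, "rb") as fh:
        return fh.read()


def demo(tmp_root=None) -> dict:
    """Build a tiny constructed tree and contrast both resolvers on it.

    Layout: <tmp_root>/static/main.css (legitimate) and <tmp_root>/secret.txt
    (outside the served directory).
    """
    if tmp_root is None:
        tmp_root = tempfile.mkdtemp()
    base = os.path.join(tmp_root, "static")
    os.makedirs(base, exist_ok=True)
    with open(os.path.join(base, "main.css"), "wb") as fh:
        fh.write(b"body{}")
    secret = os.path.join(tmp_root, "secret.txt")
    with open(secret, "wb") as fh:
        fh.write(b"outside")
    return {
        "inside": serve_static(base, "main.css"),
        "dotdot": serve_static(base, "../secret.txt"),
        # The naive join lands on the real secret file for a '////'-prefixed
        # request; the hardened resolver keeps it inside base instead.
        "naive_escaped": os.path.isfile(naive_resolve(base, "////" + secret)),
        "safe_escaped": serve_static(base, "////" + secret) is not None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:14} -> {value!r}")
```

Resolving before the containment check is what makes the hardened version hold up against symlinks inside the served directory as well: a link pointing outside resolves to its target and is rejected by the same `relative_to` test.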

It shall be further noted that, if GlobaLeaks were deployed on a system
without AppArmor properly installed and activated, the vulnerability
would enable the download of every world-readable file on the system,
because of a collateral bug that did not prevent GlobaLeaks from
starting when AppArmor was not available (even though the check is
enabled by default).
Release 2.60.62 fixes this issue as well: GlobaLeaks now refuses to
start if the AppArmor check fails.
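The fail-closed startup check described above, as an added example that is not GlobaLeaks' own code: it reads two real Linux interfaces, /sys/module/apparmor/parameters/enabled (which reads "Y" when AppArmor is active) and /proc/self/attr/current (the calling process's confinement label, e.g. "/usr/bin/example-daemon (enforce)" or "unconfined"), and only lets the daemon continue when it is confined by the expected profile in enforce mode. The decision logic is kept in a pure function so it can be exercised without AppArmor present; EXPECTED_PROFILE is an assumed placeholder, not the project's real profile name.

```python
import sys

APPARMOR_ENABLED = "/sys/module/apparmor/parameters/enabled"
APPARMOR_LABEL = "/proc/self/attr/current"
EXPECTED_PROFILE = "/usr/bin/example-daemon"  # placeholder, not GlobaLeaks' profile


def read_or_none(path):
    """Read a small pseudo-file; None when it does not exist or is unreadable
    (e.g. no AppArmor module, or /proc not mounted)."""
    try:
        with open(path, "r") as fh:
            return fh.read()
    except OSError:
        return None


def evaluate_apparmor(enabled_value, label_value, expected_profile=EXPECTED_PROFILE):
    """Return (ok, reason). Every failure mode maps to ok=False, so a missing
    or disabled AppArmor can never be mistaken for a passing check."""
    if enabled_value is None:
        return False, "AppArmor kernel module not present"
    if enabled_value.strip() != "Y":
        return False, "AppArmor present but disabled"
    if label_value is None:
        return False, "cannot read the process confinement label"
    label = label_value.strip()
    if label == "unconfined":
        return False, "process is running unconfined"
    # Label format is '<profile> (<mode>)', mode being 'enforce' or 'complain'.
    name, _, mode = label.rpartition(" ")
    mode = mode.strip("()")
    if name != expected_profile:
        return False, f"unexpected profile {name!r}"
    if mode != "enforce":
        # complain mode only logs violations; it does not block the reads
        # this advisory is concerned with, so treat it as a failure too.
        return False, f"profile {name!r} is in {mode} mode, not enforce"
    return True, f"confined by {name} (enforce)"


def require_apparmor_or_exit():
    """Startup gate: exit non-zero instead of running unconfined."""
    ok, reason = evaluate_apparmor(read_or_none(APPARMOR_ENABLED),
                                   read_or_none(APPARMOR_LABEL))
    if not ok:
        sys.stderr.write(f"refusing to start: {reason}\n")
        sys.exit(1)
    return reason


if __name__ == "__main__":
    print(require_apparmor_or_exit())
```

Checking the process's own label rather than merely the module's presence is the point: AppArmor can be loaded and enabled system-wide while this particular daemon still runs unconfined because its profile was never loaded.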

It should be noted that, since all submitted documents are encrypted
using OpenPGP, their content was never exposed or endangered by this
bug.

Acknowledgements
We want to thank a hacker (who prefers to remain unnamed), a supporter
of open-source and anonymity software, who spotted the security bug and
responsibly reported it to us, allowing an orderly handling of the issue.

Apologies
As the GlobaLeaks team, we apologize for the inconvenience and for the
pressure we’ve put on the adopters to upgrade so quickly and to assess
whether any real information exposure happened.

This vulnerability was introduced by mistake while working on and
supporting the customizations and improvements for new whistleblowing
projects, which are now starting on a monthly basis and bringing a lot
of pressure.

We’re organizing our procedures better, getting out of
over-working/under-pressure, with proper code review and release
management for every new public release.

The many major improvements being made under the 2014-2015 Roadmap will
further improve the software with a multi-process segregated
architecture (Postfix-like) and client-side encryption.

Transparency
We are committed to full transparency regarding our software development
practices, including security vulnerabilities: we publish all
Penetration Test results [5] and invite hackers who work for the greater
good to spot new bugs through our Bug Bounty program [6].

[1] https://en.wikipedia.org/wiki/GlobaLeaks#Implementations
[2] https://github.com/globaleaks/GlobaLeaks/commit/4d59f7cc23256abf0e26755b0005044813e9c225
[3] https://github.com/globaleaks/GlobaLeaks/issues/1110
[4] https://github.com/globaleaks/GlobaLeaks/commit/495c8e33a98e29a4bbe471f98d240ee9e077c738
[5] https://github.com/globaleaks/GlobaLeaks/wiki/Penetration-Tests
[6] https://www.globaleaks.org/bughunting/

HERMES Center for Transparency and Digital Human Rights
http://logioshermes.org
GlobaLeaks Project https://globaleaks.org
Contact: info@globaleaks.org
IRC: irc.oftc.net #globaleaks