Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 713238 (CVE-2020-10592, CVE-2020-10593) - <net-vpn/tor-{0.4.1.9,0.4.2.7}: Multiple vulnerabilities (CVE-2020-{10592,10593)
Summary: <net-vpn/tor-{0.4.1.9,0.4.2.7}: Multiple vulnerabilities (CVE-2020-{10592,10593)
Status: RESOLVED FIXED
Alias: CVE-2020-10592, CVE-2020-10593
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://lists.torproject.org/pipermai...
Whiteboard: B3 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-03-18 16:22 UTC by Sam James
Modified: 2020-04-06 20:16 UTC (History)
1 user (show)

See Also:
Package list:
=net-vpn/tor-0.4.2.7
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-18 16:22:17 UTC
from tor-packagers:
>Hello!
>New tor releases are tagged and signed, and available at
>https://dist.torproject.org/ .  Please remember to check the
>signatures.

>Here are the changelog links:

>0.3.5.10: https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.3.5.10
>0.4.1.9: https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.4.1.9
>0.4.2.7: https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.4.2.7
>0.4.3.3-alpha: https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.4.3.3-alpha

>Note that these releases fix several vulnerabilities, including a
>remotely triggerable CPU DoS.  Everybody running older versions should
>upgrade to one of these.  For TROVE and CVE identifiers and more about
>the vulnerabilities, please see the ChangeLogs.

---
Further miscellaneous details:
>  This is the third stable release in the 0.4.2.x series. It backports
>  numerous fixes from later releases, including a fix for TROVE-2020-
>  002, a major denial-of-service vulnerability that affected all
>  released Tor instances since 0.2.1.5-alpha. Using this vulnerability,
>  an attacker could cause Tor instances to consume a huge amount of CPU,
>  disrupting their operations for several seconds or minutes. This
>  attack could be launched by anybody against a relay, or by a directory
>  cache against any client that had connected to it. The attacker could
>  launch this attack as much as they wanted, thereby disrupting service
>  or creating patterns that could aid in traffic analysis. This issue
>  was found by OSS-Fuzz, and is also tracked as CVE-2020-10592.

---

1) CVE-2020-10592

Description from ChangeLog:
o Major bugfixes (security, denial-of-service, backport from 0.4.3.3-alpha):
    - Fix a denial-of-service bug that could be used by anyone to
      consume a bunch of CPU on any Tor relay or authority, or by
      directories to consume a bunch of CPU on clients or hidden
      services. Because of the potential for CPU consumption to
      introduce observable timing patterns, we are treating this as a
      high-severity security issue. Fixes bug 33119; bugfix on
      0.2.1.5-alpha. Found by OSS-Fuzz. We are also tracking this issue
      as TROVE-2020-002 and CVE-2020-10592.

2) CVE-2020-10593

Description from ChangeLog:
  o Major bugfixes (circuit padding, memory leak, backport from 0.4.3.3-alpha):
    - Avoid a remotely triggered memory leak in the case that a circuit
      padding machine is somehow negotiated twice on the same circuit.
      Fixes bug 33619; bugfix on 0.4.0.1-alpha. Found by Tobias Pulls.
      This is also tracked as TROVE-2020-004 and CVE-2020-10593.
Comment 1 Larry the Git Cow gentoo-dev 2020-03-18 16:55:49 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=13955a3f9dd43e0146b3abf1533dab545f1754e3

commit 13955a3f9dd43e0146b3abf1533dab545f1754e3
Author:     Sam James (sam_c) <sam@cmpct.info>
AuthorDate: 2020-03-18 16:50:23 +0000
Commit:     Anthony G. Basile <blueness@gentoo.org>
CommitDate: 2020-03-18 16:54:30 +0000

    net-vpn/tor: Security bump
    
    Bug: https://bugs.gentoo.org/713238
    Signed-off-by: Sam James (sam_c) <sam@cmpct.info>
    Signed-off-by: Anthony G. Basile <blueness@gentoo.org>

 net-vpn/tor/Manifest                 |  3 ++
 net-vpn/tor/tor-0.4.1.9.ebuild       | 88 ++++++++++++++++++++++++++++++++++
 net-vpn/tor/tor-0.4.2.7.ebuild       | 90 +++++++++++++++++++++++++++++++++++
 net-vpn/tor/tor-0.4.3.3_alpha.ebuild | 92 ++++++++++++++++++++++++++++++++++++
 4 files changed, 273 insertions(+)
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-18 17:02:31 UTC
@maintainer(s): Thanks for being so quick (jinx)! 

Please advise if you are ready for stabilization or call for stabilization yourself.
Comment 3 Anthony Basile gentoo-dev 2020-03-18 17:26:21 UTC
(In reply to sam_c (Security Padawan) from comment #2)
> @maintainer(s): Thanks for being so quick (jinx)! 
> 
> Please advise if you are ready for stabilization or call for stabilization
> yourself.

Its ready for stabilization:

  =net-vpn/tor-0.4.1.9 
  =net-vpn/tor-0.4.2.7


KEYWORDS="amd64 arm arm64 ppc ppc64 x86"
Comment 4 Agostino Sarubbo gentoo-dev 2020-03-20 09:02:27 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2020-03-20 09:07:09 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-03-20 11:28:49 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-03-20 11:30:06 UTC
ppc64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-03-21 16:48:42 UTC
arm stable
Comment 9 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-25 15:42:56 UTC
New GLSA request filed.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2020-03-25 15:55:39 UTC
This issue was resolved and addressed in
 GLSA 202003-50 at https://security.gentoo.org/glsa/202003-50
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-25 15:56:15 UTC
Re-opening for remaining architectures.
Comment 12 Mart Raudsepp gentoo-dev 2020-03-28 10:45:36 UTC
arm64 stable
Comment 13 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-28 17:31:27 UTC
@maintainer(s), please cleanup.
Comment 14 NATTkA bot gentoo-dev 2020-04-06 11:21:11 UTC
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Comment 15 Anthony Basile gentoo-dev 2020-04-06 13:44:15 UTC
(In reply to Sam James (sam_c) (security padawan) from comment #13)
> @maintainer(s), please cleanup.

done
Comment 16 NATTkA bot gentoo-dev 2020-04-06 13:48:23 UTC
Unable to check for sanity:

> no match for package: =net-vpn/tor-0.4.1.9
Comment 17 Anthony Basile gentoo-dev 2020-04-06 15:36:42 UTC
(In reply to NATTkA from comment #16)
> Unable to check for sanity:
> 
> > no match for package: =net-vpn/tor-0.4.1.9

Actually, its time to move past 0.4.1 branch, so I removed it.
Comment 18 NATTkA bot gentoo-dev 2020-04-06 15:40:23 UTC
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Comment 19 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-06 20:16:02 UTC
(In reply to Anthony Basile from comment #17)
> (In reply to NATTkA from comment #16)
> > Unable to check for sanity:
> > 
> > > no match for package: =net-vpn/tor-0.4.1.9
> 
> Actually, its time to move past 0.4.1 branch, so I removed it.

Brilliant, thanks!