from tor-packagers:

> Hello!
>
> New tor releases are tagged and signed, and available at
> https://dist.torproject.org/ . Please remember to check the
> signatures.
>
> Here are the changelog links:
>
> 0.3.5.10: https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.3.5.10
> 0.4.1.9: https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.4.1.9
> 0.4.2.7: https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.4.2.7
> 0.4.3.3-alpha: https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.4.3.3-alpha
>
> Note that these releases fix several vulnerabilities, including a
> remotely triggerable CPU DoS. Everybody running older versions should
> upgrade to one of these. For TROVE and CVE identifiers and more about
> the vulnerabilities, please see the ChangeLogs.

---

Further miscellaneous details:

> This is the third stable release in the 0.4.2.x series. It backports
> numerous fixes from later releases, including a fix for TROVE-2020-002,
> a major denial-of-service vulnerability that affected all
> released Tor instances since 0.2.1.5-alpha. Using this vulnerability,
> an attacker could cause Tor instances to consume a huge amount of CPU,
> disrupting their operations for several seconds or minutes. This
> attack could be launched by anybody against a relay, or by a directory
> cache against any client that had connected to it. The attacker could
> launch this attack as much as they wanted, thereby disrupting service
> or creating patterns that could aid in traffic analysis. This issue
> was found by OSS-Fuzz, and is also tracked as CVE-2020-10592.

---

1) CVE-2020-10592

Description from ChangeLog:

  o Major bugfixes (security, denial-of-service, backport from 0.4.3.3-alpha):
    - Fix a denial-of-service bug that could be used by anyone to
      consume a bunch of CPU on any Tor relay or authority, or by
      directories to consume a bunch of CPU on clients or hidden
      services. Because of the potential for CPU consumption to
      introduce observable timing patterns, we are treating this as a
      high-severity security issue. Fixes bug 33119; bugfix on
      0.2.1.5-alpha. Found by OSS-Fuzz. We are also tracking this issue
      as TROVE-2020-002 and CVE-2020-10592.

2) CVE-2020-10593

Description from ChangeLog:

  o Major bugfixes (circuit padding, memory leak, backport from 0.4.3.3-alpha):
    - Avoid a remotely triggered memory leak in the case that a circuit
      padding machine is somehow negotiated twice on the same circuit.
      Fixes bug 33619; bugfix on 0.4.0.1-alpha. Found by Tobias Pulls.
      This is also tracked as TROVE-2020-004 and CVE-2020-10593.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=13955a3f9dd43e0146b3abf1533dab545f1754e3

commit 13955a3f9dd43e0146b3abf1533dab545f1754e3
Author:     Sam James (sam_c) <sam@cmpct.info>
AuthorDate: 2020-03-18 16:50:23 +0000
Commit:     Anthony G. Basile <blueness@gentoo.org>
CommitDate: 2020-03-18 16:54:30 +0000

    net-vpn/tor: Security bump

    Bug: https://bugs.gentoo.org/713238
    Signed-off-by: Sam James (sam_c) <sam@cmpct.info>
    Signed-off-by: Anthony G. Basile <blueness@gentoo.org>

 net-vpn/tor/Manifest | 3 ++
 net-vpn/tor/tor-0.4.1.9.ebuild | 88 ++++++++++++++++++++++++++++++++++
 net-vpn/tor/tor-0.4.2.7.ebuild | 90 +++++++++++++++++++++++++++++++++++
 net-vpn/tor/tor-0.4.3.3_alpha.ebuild | 92 ++++++++++++++++++++++++++++++++++++
 4 files changed, 273 insertions(+)
@maintainer(s): Thanks for being so quick (jinx)! Please advise if you are ready for stabilization or call for stabilization yourself.
(In reply to sam_c (Security Padawan) from comment #2)
> @maintainer(s): Thanks for being so quick (jinx)!
>
> Please advise if you are ready for stabilization or call for stabilization
> yourself.

It's ready for stabilization:

=net-vpn/tor-0.4.1.9
=net-vpn/tor-0.4.2.7

KEYWORDS="amd64 arm arm64 ppc ppc64 x86"
amd64 stable
x86 stable
ppc stable
ppc64 stable
arm stable
New GLSA request filed.
This issue was resolved and addressed in GLSA 202003-50 at https://security.gentoo.org/glsa/202003-50 by GLSA coordinator Thomas Deutschmann (whissi).
Re-opening for remaining architectures.
arm64 stable
@maintainer(s), please cleanup.
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
(In reply to Sam James (sam_c) (security padawan) from comment #13)
> @maintainer(s), please cleanup.

done
Unable to check for sanity:

> no match for package: =net-vpn/tor-0.4.1.9
(In reply to NATTkA from comment #16)
> Unable to check for sanity:
>
> > no match for package: =net-vpn/tor-0.4.1.9

Actually, it's time to move past 0.4.1 branch, so I removed it.
(In reply to Anthony Basile from comment #17)
> (In reply to NATTkA from comment #16)
> > Unable to check for sanity:
> >
> > > no match for package: =net-vpn/tor-0.4.1.9
>
> Actually, it's time to move past 0.4.1 branch, so I removed it.

Brilliant, thanks!