808681 – (CVE-2021-38385, TROVE-2021-007) <net-vpn/tor-{0.4.5.10, 0.4.6.7}: Denial of service (CVE-2021-38385)

Bug 808681 (CVE-2021-38385, TROVE-2021-007) - <net-vpn/tor-{0.4.5.10, 0.4.6.7}: Denial of service (CVE-2021-38385)

Summary: <net-vpn/tor-{0.4.5.10, 0.4.6.7}: Denial of service (CVE-2021-38385)

Status:	RESOLVED FIXED

Alias:	CVE-2021-38385, TROVE-2021-007

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:	https://lists.torproject.org/pipermai...
Whiteboard:	B3 [glsa+]
Keywords:

Depends on:
Blocks:

Reported:	2021-08-17 04:49 UTC by Sam James
Modified:	2023-05-03 09:57 UTC (History)
CC List:	0 users

See Also:
Package list:	net-vpn/tor-0.4.5.10 net-vpn/tor-0.4.6.7
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2021-08-17 04:49:11 UTC

See https://lists.torproject.org/pipermail/tor-packagers/2021-August/000128.html.

Description:
"
    - Resolve an assertion failure caused by a behavior mismatch between
      our batch-signature verification code and our single-signature
      verification code. This assertion failure could be triggered
      remotely, leading to a denial of service attack. We fix this issue
      by disabling batch verification. Fixes bug 40078; bugfix on
      0.2.6.1-alpha. This issue is also tracked as TROVE-2021-007 and
      CVE-2021-38385. Found by Henry de Valence.
"

Releases (for us): 0.4.5.10, 0.4.6.7. Please bump, thanks!

Comment 1 Anthony Basile gentoo-dev

2021-08-17 14:03:53 UTC

These are in the tree now.  Tor is very good about pushing out working products, so let's go ahead and stabilize.

Comment 2 Sam James archtester

2021-08-17 14:20:59 UTC

(In reply to Anthony Basile from comment #1)
> These are in the tree now.  Tor is very good about pushing out working
> products, so let's go ahead and stabilize.

Thanks!

Comment 3 Sam James archtester

2021-08-17 21:38:24 UTC

ppc done

Comment 4 Sam James archtester

2021-08-17 21:38:32 UTC

ppc64 done

Comment 5 Sam James archtester

2021-08-18 01:41:13 UTC

arm done

Comment 6 Sam James archtester

2021-08-18 01:45:52 UTC

x86 done

Comment 7 Sam James archtester

2021-08-19 01:06:14 UTC

arm64 done

Comment 8 Agostino Sarubbo gentoo-dev

2021-08-19 01:26:33 UTC

amd64 stable.

Maintainer(s), please cleanup.
Security, please vote.

Comment 9 Anthony Basile gentoo-dev

2021-08-24 20:18:57 UTC

(In reply to Agostino Sarubbo from comment #8)
> amd64 stable.
> 
> Maintainer(s), please cleanup.
> Security, please vote.

the vulnerable version is off the tree

Comment 10 John Helmert III archtester

2021-08-24 20:23:32 UTC

(In reply to Anthony Basile from comment #9)
> (In reply to Agostino Sarubbo from comment #8)
> > amd64 stable.
> > 
> > Maintainer(s), please cleanup.
> > Security, please vote.
> 
> the vulnerable version is off the tree

Thanks!

Comment 11 NATTkA bot gentoo-dev

2021-09-22 15:28:29 UTC

Unable to check for sanity:

> no match for package: net-vpn/tor-0.4.5.10

Comment 12 Anthony Basile gentoo-dev

2021-09-22 15:29:41 UTC

(In reply to NATTkA bot from comment #11)
> Unable to check for sanity:
> 
> > no match for package: net-vpn/tor-0.4.5.10

I've dropped 0.4.5.10 from the tree.  There's no reason to keep it with 0.4.6.7.

Comment 13 John Helmert III archtester

2023-01-27 05:52:19 UTC

GLSA request filed

Comment 14 Larry the Git Cow gentoo-dev

2023-05-03 09:54:32 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=464847c4e70c07cfb07a8715f613e418da18698e

commit 464847c4e70c07cfb07a8715f613e418da18698e
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-03 09:53:19 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-05-03 09:54:23 +0000

    [ GLSA 202305-11 ] Tor: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/808681
    Bug: https://bugs.gentoo.org/852821
    Bug: https://bugs.gentoo.org/890618
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202305-11.xml | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)