Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 932748 (TROVE-2024-003, TROVE-2024-004) - <net-p2p/arti-1.2.3: multiple vulnerabilities
Summary: <net-p2p/arti-1.2.3: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: TROVE-2024-003, TROVE-2024-004
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial
Assignee: Gentoo Security
URL: https://blog.torproject.org/arti_1_2_...
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2024-05-25 19:27 UTC by John Helmert III
Modified: 2024-05-25 20:25 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2024-05-25 19:27:08 UTC 
"These vulnerabilities affect the crate tor-circmgr 0.18.0, released along with Arti version 1.2.2. They are fixed in tor-circmgr 0.18.1. (Fixes will also appear in Arti version 1.2.4, to be released on our regular schedule at the start of June.)

[...]

Both issues affect circuit construction when vanguards are enabled, and affect the length.

First, when building anonymizing circuits to or from an onion service with 'lite' vanguards (the default) enabled, the circuit manager code would build the circuits with one hop too few. This makes users of this code more vulnerable to some kinds of traffic analysis when they run or visit onion services. This bug is tracked as issue #1409, and as TROVE-2024-003. Its severity is "high".

Second, when 'full' vanguards are enabled, some circuits are supposed to be built with an extra hop to minimize the linkability of the guard nodes. In some circumstances, the circuit manager would build circuits with one hop too few, making it easier for an adversary to discover the L2 and L3 guards of the affected clients and services. This issue is tracked as issue #1400, and as TROVE-2024-004. Its severity is "medium"."
Comment 2 Larry the Git Cow gentoo-dev 2024-05-25 20:25:28 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=562486960f4f9b4c03263f2d99e148f45654b62a

commit 562486960f4f9b4c03263f2d99e148f45654b62a
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2024-05-25 20:24:36 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2024-05-25 20:24:36 +0000

    net-p2p/arti: drop 1.2.0, 1.2.1, 1.2.2
    
    Bug: https://bugs.gentoo.org/932748
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 net-p2p/arti/Manifest          | 166 ------------
 net-p2p/arti/arti-1.2.0.ebuild | 599 ----------------------------------------
 net-p2p/arti/arti-1.2.1.ebuild | 602 -----------------------------------------
 net-p2p/arti/arti-1.2.2.ebuild | 602 -----------------------------------------
 4 files changed, 1969 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=50e476735a7bd311be61bbb612d6a88054996c2c

commit 50e476735a7bd311be61bbb612d6a88054996c2c
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2024-05-25 20:24:01 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2024-05-25 20:24:01 +0000

    net-p2p/arti: add 1.2.3
    
    Bug: https://bugs.gentoo.org/932748
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 net-p2p/arti/Manifest          |   1 +
 net-p2p/arti/arti-1.2.3.ebuild | 602 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 603 insertions(+)