Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 545940 (CVE-2015-2928)

Summary: <net-misc/tor-{0.2.5.12,0.2.6.7}: multiple DoS (CVE-2015-{2928,2929})
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: blueness, x86-fbsd
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://lists.torproject.org/pipermail/tor-announce/2015-April/000099.html
Whiteboard: B3 [glsa cve]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2015-04-08 09:50:50 UTC
From ${URL} :

Tor 0.2.5.12 and 0.2.6.7 fix two security issues that could be used by
an attacker to crash hidden services, or crash clients visiting hidden
services. Hidden services should upgrade as soon as possible; clients
should upgrade whenever packages become available.

These releases also contain two simple improvements to make hidden
services a bit less vulnerable to denial-of-service attacks.

We also made a Tor 0.2.4.27 release so that Debian stable can easily
integrate these fixes.

The Tor Browser team is currently evaluating whether to put out a new
Tor Browser stable release with these fixes, or wait until next week
for their scheduled next stable release.

Changes in version 0.2.5.12 - 2015-04-06
  o Major bugfixes (security, hidden service):
    - Fix an issue that would allow a malicious client to trigger an
      assertion failure and halt a hidden service. Fixes bug 15600;
      bugfix on 0.2.1.6-alpha. Reported by "disgleirio".
    - Fix a bug that could cause a client to crash with an assertion
      failure when parsing a malformed hidden service descriptor. Fixes
      bug 15601; bugfix on 0.2.1.5-alpha. Found by "DonnchaC".

  o Minor features (DoS-resistance, hidden service):
    - Introduction points no longer allow multiple INTRODUCE1 cells to
      arrive on the same circuit. This should make it more expensive for
      attackers to overwhelm hidden services with introductions.
      Resolves ticket 15515.


Changes in version 0.2.6.7 - 2015-04-06
  o Major bugfixes (security, hidden service):
    - Fix an issue that would allow a malicious client to trigger an
      assertion failure and halt a hidden service. Fixes bug 15600;
      bugfix on 0.2.1.6-alpha. Reported by "disgleirio".
    - Fix a bug that could cause a client to crash with an assertion
      failure when parsing a malformed hidden service descriptor. Fixes
      bug 15601; bugfix on 0.2.1.5-alpha. Found by "DonnchaC".

  o Minor features (DoS-resistance, hidden service):
    - Introduction points no longer allow multiple INTRODUCE1 cells to
      arrive on the same circuit. This should make it more expensive for
      attackers to overwhelm hidden services with introductions.
      Resolves ticket 15515.
    - Decrease the amount of reattempts that a hidden service performs
      when its rendezvous circuits fail. This reduces the computational
      cost for running a hidden service under heavy load. Resolves
      ticket 11447.



@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Anthony Basile gentoo-dev 2015-04-08 12:20:21 UTC
0.2.5.12 and 0.2.6.7 are both in the tree.  They are ready for stabilization:

KEYWORDS="amd64 arm ppc ppc64 sparc x86"
Comment 2 Agostino Sarubbo gentoo-dev 2015-04-09 07:32:38 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2015-04-09 07:33:27 UTC
x86 stable
Comment 4 Anthony Basile gentoo-dev 2015-04-09 10:50:19 UTC
(In reply to Agostino Sarubbo from comment #2)
> amd64 stable

We should stabilize both 0.2.5.12 and 0.2.6.7.  The latter depends on =app-crypt/libscrypt-1.20.
Comment 5 Anthony Basile gentoo-dev 2015-04-09 17:05:59 UTC
I'm dropping keywords on the unstable version where possible.  Here's where we're at right now:

Keywords for net-misc/tor:
            |                             | u   |  
            | a a   a           p     s   | n   |  
            | l m   r h i m m   p s   p   | u s | r
            | p d a m p a 6 i p c 3   a x | s l | e
            | h 6 r 6 p 6 8 p p 6 9 s r 8 | e o | p
            | a 4 m 4 a 4 k s c 4 0 h c 6 | d t | o
------------+-----------------------------+-----+-------
[I]0.2.5.11 | o o o o o o o o o o o o + o | o 0 | gentoo
   0.2.5.12 | o + + o o o o ~ + + o o ~ + | o   | gentoo
    0.2.6.7 | o ~ + o o o o ~ + + o o o ~ | o   | gentoo


Note: we should also keyword 0.2.6.7 for sparc and x86-fbsd.  This will allows us to eventually drop the 0.2.5 branch altogether.
Comment 6 Agostino Sarubbo gentoo-dev 2015-04-10 09:51:33 UTC
Stable for amd64/x86/sparc
Comment 7 Agostino Sarubbo gentoo-dev 2015-04-10 09:53:55 UTC
Stable for amd64/x86/sparc
Comment 8 Yury German Gentoo Infrastructure gentoo-dev Security 2015-04-11 17:52:54 UTC
Arches and Maintainer(s), Thank you for your work.

GLSA Vote: Yes
Comment 9 Tobias Heinlein (RETIRED) gentoo-dev 2015-06-30 22:21:32 UTC
YES too, request filed.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2015-07-05 21:51:52 UTC
CVE-2015-2929 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2929):
  ** RESERVED ** This candidate has been reserved by an organization or
  individual that will use it when announcing a new security problem. When the
  candidate has been publicized, the details for this candidate will be
  provided.
  
  ** TEMPORARY **
  Allows a malicious client to trigger an assertion failure and halt a hidden
  service.
  Could cause a client to crash with an assertion failure when parsing a
  malformed hidden service descriptor.

CVE-2015-2928 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2928):
  ** RESERVED ** This candidate has been reserved by an organization or
  individual that will use it when announcing a new security problem. When the
  candidate has been publicized, the details for this candidate will be
  provided.
  
  ** TEMPORARY **
  Allows a malicious client to trigger an assertion failure and halt a hidden
  service.
  Could cause a client to crash with an assertion failure when parsing a
  malformed hidden service descriptor.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2015-07-06 19:05:25 UTC
This issue was resolved and addressed in
 GLSA 201507-02 at https://security.gentoo.org/glsa/201507-02
by GLSA coordinator Kristian Fiskerstrand (K_F).