Bug 545940 (CVE-2015-2928)

Summary:	<net-misc/tor-{0.2.5.12,0.2.6.7}: multiple DoS (CVE-2015-{2928,2929})
Product:	Gentoo Security	Reporter:	Agostino Sarubbo <ago>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	blueness, x86-fbsd+disabled
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://lists.torproject.org/pipermail/tor-announce/2015-April/000099.html
Whiteboard:	B3 [glsa cve]
Package list:		Runtime testing required:	---

Description Agostino Sarubbo gentoo-dev

2015-04-08 09:50:50 UTC

From ${URL} :

Tor 0.2.5.12 and 0.2.6.7 fix two security issues that could be used by
an attacker to crash hidden services, or crash clients visiting hidden
services. Hidden services should upgrade as soon as possible; clients
should upgrade whenever packages become available.

These releases also contain two simple improvements to make hidden
services a bit less vulnerable to denial-of-service attacks.

We also made a Tor 0.2.4.27 release so that Debian stable can easily
integrate these fixes.

The Tor Browser team is currently evaluating whether to put out a new
Tor Browser stable release with these fixes, or wait until next week
for their scheduled next stable release.

Changes in version 0.2.5.12 - 2015-04-06
o Major bugfixes (security, hidden service):
- Fix an issue that would allow a malicious client to trigger an
assertion failure and halt a hidden service. Fixes bug 15600;
bugfix on 0.2.1.6-alpha. Reported by "disgleirio".
- Fix a bug that could cause a client to crash with an assertion
failure when parsing a malformed hidden service descriptor. Fixes
bug 15601; bugfix on 0.2.1.5-alpha. Found by "DonnchaC".

Changes in version 0.2.6.7 - 2015-04-06
o Major bugfixes (security, hidden service):
- Fix an issue that would allow a malicious client to trigger an
assertion failure and halt a hidden service. Fixes bug 15600;
bugfix on 0.2.1.6-alpha. Reported by "disgleirio".
- Fix a bug that could cause a client to crash with an assertion
failure when parsing a malformed hidden service descriptor. Fixes
bug 15601; bugfix on 0.2.1.5-alpha. Found by "DonnchaC".

o Minor features (DoS-resistance, hidden service):
- Introduction points no longer allow multiple INTRODUCE1 cells to
arrive on the same circuit. This should make it more expensive for
attackers to overwhelm hidden services with introductions.
Resolves ticket 15515.
- Decrease the amount of reattempts that a hidden service performs
when its rendezvous circuits fail. This reduces the computational
cost for running a hidden service under heavy load. Resolves
ticket 11447.

@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.

Comment 1 Anthony Basile gentoo-dev

2015-04-08 12:20:21 UTC

0.2.5.12 and 0.2.6.7 are both in the tree.  They are ready for stabilization:

KEYWORDS="amd64 arm ppc ppc64 sparc x86"

Comment 2 Agostino Sarubbo gentoo-dev

2015-04-09 07:32:38 UTC

amd64 stable

Comment 3 Agostino Sarubbo gentoo-dev

2015-04-09 07:33:27 UTC

x86 stable

Comment 4 Anthony Basile gentoo-dev

2015-04-09 10:50:19 UTC

(In reply to Agostino Sarubbo from comment #2)
> amd64 stable

We should stabilize both 0.2.5.12 and 0.2.6.7.  The latter depends on =app-crypt/libscrypt-1.20.

Comment 5 Anthony Basile gentoo-dev

2015-04-09 17:05:59 UTC

I'm dropping keywords on the unstable version where possible.  Here's where we're at right now:

Keywords for net-misc/tor:
            |                             | u   |  
            | a a   a           p     s   | n   |  
            | l m   r h i m m   p s   p   | u s | r
            | p d a m p a 6 i p c 3   a x | s l | e
            | h 6 r 6 p 6 8 p p 6 9 s r 8 | e o | p
            | a 4 m 4 a 4 k s c 4 0 h c 6 | d t | o
------------+-----------------------------+-----+-------
[I]0.2.5.11 | o o o o o o o o o o o o + o | o 0 | gentoo
   0.2.5.12 | o + + o o o o ~ + + o o ~ + | o   | gentoo
    0.2.6.7 | o ~ + o o o o ~ + + o o o ~ | o   | gentoo


Note: we should also keyword 0.2.6.7 for sparc and x86-fbsd.  This will allows us to eventually drop the 0.2.5 branch altogether.

Comment 6 Agostino Sarubbo gentoo-dev

2015-04-10 09:51:33 UTC

Stable for amd64/x86/sparc

Comment 7 Agostino Sarubbo gentoo-dev

2015-04-10 09:53:55 UTC

Stable for amd64/x86/sparc

Comment 8 Yury German Gentoo Infrastructure

2015-04-11 17:52:54 UTC

Arches and Maintainer(s), Thank you for your work.

GLSA Vote: Yes

Comment 9 Tobias Heinlein (RETIRED) gentoo-dev

2015-06-30 22:21:32 UTC

YES too, request filed.

Comment 10 GLSAMaker/CVETool Bot gentoo-dev

2015-07-05 21:51:52 UTC

CVE-2015-2929 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2929):
  ** RESERVED ** This candidate has been reserved by an organization or
  individual that will use it when announcing a new security problem. When the
  candidate has been publicized, the details for this candidate will be
  provided.
  
  ** TEMPORARY **
  Allows a malicious client to trigger an assertion failure and halt a hidden
  service.
  Could cause a client to crash with an assertion failure when parsing a
  malformed hidden service descriptor.

CVE-2015-2928 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2928):
  ** RESERVED ** This candidate has been reserved by an organization or
  individual that will use it when announcing a new security problem. When the
  candidate has been publicized, the details for this candidate will be
  provided.
  
  ** TEMPORARY **
  Allows a malicious client to trigger an assertion failure and halt a hidden
  service.
  Could cause a client to crash with an assertion failure when parsing a
  malformed hidden service descriptor.

Comment 11 GLSAMaker/CVETool Bot gentoo-dev

2015-07-06 19:05:25 UTC

This issue was resolved and addressed in
 GLSA 201507-02 at https://security.gentoo.org/glsa/201507-02
by GLSA coordinator Kristian Fiskerstrand (K_F).