Bug 432188 (CVE-2012-3517) - <net-misc/tor-0.2.2.38 : Multiple vulnerabilities (CVE-2012-{3517,3518,3519})
Summary: <net-misc/tor-0.2.2.38 : Multiple vulnerabilities (CVE-2012-{3517,3518,3519})
Status: RESOLVED FIXED
Alias: CVE-2012-3517
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [glsa]
Reported: 2012-08-21 12:49 UTC by Agostino Sarubbo
Modified: 2013-01-09 00:29 UTC

Description Agostino Sarubbo gentoo-dev 2012-08-21 12:49:46 UTC
From oss-security at $URL:

Tor upstream has recently released v0.2.2.38 version, correcting three
security flaws:

1) tor: Read from freed memory and double free by processing failed DNS request
   Upstream ticket:
   [1] https://trac.torproject.org/projects/tor/ticket/6480

   Relevant patch:
   [2] https://gitweb.torproject.org/tor.git/commitdiff/62637fa22405278758febb1743da9af562524d4c

   References:
   [3] https://lists.torproject.org/pipermail/tor-announce/2012-August/000086.html
   [4] https://bugzilla.novell.com/show_bug.cgi?id=776642
   [5] https://bugzilla.redhat.com/show_bug.cgi?id=849949

2) tor: Uninitialized memory read by reading vote or consensus document with unrecognized flavor name
   Upstream ticket:
   [6] https://trac.torproject.org/projects/tor/ticket/6530

   Relevant patches:
   [7] https://gitweb.torproject.org/tor.git/commitdiff/57e35ad3d91724882c345ac709666a551a977f0f
   [8] https://gitweb.torproject.org/tor.git/commitdiff/55f635745afacefffdaafc72cc176ca7ab817546

   References:
   [9] https://lists.torproject.org/pipermail/tor-announce/2012-August/000086.html
   [10] https://bugzilla.novell.com/show_bug.cgi?id=776642
   Note: No Red Hat bug (Fedora tor versions already updated && EPEL one not affected).

3) tor: Client's relays path information leak
   Upstream ticket:
   [11] https://trac.torproject.org/projects/tor/ticket/6537

   Relevant patches:
   [12] https://gitweb.torproject.org/tor.git/commitdiff/308f6dad20675c42b29862f4269ad1fbfb00dc9a
   [13] https://gitweb.torproject.org/tor.git/commitdiff/d48cebc5e498b0ae673635f40fc57cdddab45d5b

   References:
   [14] https://lists.torproject.org/pipermail/tor-announce/2012-August/000086.html
   [15] https://bugzilla.novell.com/show_bug.cgi?id=776642
Comment 1 Agostino Sarubbo gentoo-dev 2012-08-21 12:51:32 UTC
@blueness, can 0.2.2.38 go to stable?
Comment 2 Anthony Basile gentoo-dev 2012-08-21 13:13:30 UTC
(In reply to comment #1)
> @blueness, can 0.2.2.38 go to stable?

Yes.
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2012-08-21 14:38:25 UTC
(In reply to comment #2)
> (In reply to comment #1)
> > @blueness, can 0.2.2.38 go to stable?
> 
> Yes.

Thank you.

Arches, please test and mark stable:
=net-misc/tor-0.2.2.38
Target keywords : "amd64 arm ppc ppc64 sparc x86"
Comment 4 Agostino Sarubbo gentoo-dev 2012-08-21 14:48:52 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2012-08-21 15:02:19 UTC
amd64 stable
Comment 6 Anthony Basile gentoo-dev 2012-08-21 20:56:16 UTC
Stable arm ppc ppc64
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2012-08-26 14:37:13 UTC
sparc stable
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2012-08-26 15:10:17 UTC
Thanks, folks. GLSA Vote: yes.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2012-08-27 07:49:00 UTC
CVE-2012-3519 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3519):
  routerlist.c in Tor before 0.2.2.38 uses a different amount of time for
  relay-list iteration depending on which relay is chosen, which might allow
  remote attackers to obtain sensitive information about relay selection via a
  timing side-channel attack.

CVE-2012-3518 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3518):
  The networkstatus_parse_vote_from_string function in routerparse.c in Tor
  before 0.2.2.38 does not properly handle an invalid flavor name, which
  allows remote attackers to cause a denial of service (out-of-bounds read and
  daemon crash) via a crafted (1) vote document or (2) consensus document.

CVE-2012-3517 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3517):
  Use-after-free vulnerability in dns.c in Tor before 0.2.2.38 might allow
  remote attackers to cause a denial of service (daemon crash) via vectors
  related to failed DNS requests.
Comment 10 Sean Amoss gentoo-dev Security 2012-09-19 10:39:16 UTC
GLSA vote: yes.

GLSA request filed.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2013-01-09 00:29:36 UTC
This issue was resolved and addressed in
 GLSA 201301-03 at http://security.gentoo.org/glsa/glsa-201301-03.xml
by GLSA coordinator Sean Amoss (ackle).