Bug 713238 (CVE-2020-10592, CVE-2020-10593) - <net-vpn/tor-{,}: Multiple vulnerabilities (CVE-2020-{10592,10593})
Summary: <net-vpn/tor-{,}: Multiple vulnerabilities (CVE-2020-{10592,10593})
Alias: CVE-2020-10592, CVE-2020-10593
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [cleanup glsa+ cve]
Depends on:
Reported: 2020-03-18 16:22 UTC by Sam James (sam_c) (security padawan)
Modified: 2020-03-28 17:31 UTC

See Also:
Package list:
=net-vpn/tor- =net-vpn/tor-
Runtime testing required: ---
stable-bot: sanity-check+


Description Sam James (sam_c) (security padawan) 2020-03-18 16:22:17 UTC
from tor-packagers:
>New tor releases are tagged and signed, and available at
> .  Please remember to check the

>Here are the changelog links:


>Note that these releases fix several vulnerabilities, including a
>remotely triggerable CPU DoS.  Everybody running older versions should
>upgrade to one of these.  For TROVE and CVE identifiers and more about
>the vulnerabilities, please see the ChangeLogs.

Further miscellaneous details:
>  This is the third stable release in the 0.4.2.x series. It backports
>  numerous fixes from later releases, including a fix for TROVE-2020-
>  002, a major denial-of-service vulnerability that affected all
>  released Tor instances since Using this vulnerability,
>  an attacker could cause Tor instances to consume a huge amount of CPU,
>  disrupting their operations for several seconds or minutes. This
>  attack could be launched by anybody against a relay, or by a directory
>  cache against any client that had connected to it. The attacker could
>  launch this attack as much as they wanted, thereby disrupting service
>  or creating patterns that could aid in traffic analysis. This issue
>  was found by OSS-Fuzz, and is also tracked as CVE-2020-10592.


1) CVE-2020-10592

Description from ChangeLog:
o Major bugfixes (security, denial-of-service, backport from
    - Fix a denial-of-service bug that could be used by anyone to
      consume a bunch of CPU on any Tor relay or authority, or by
      directories to consume a bunch of CPU on clients or hidden
      services. Because of the potential for CPU consumption to
      introduce observable timing patterns, we are treating this as a
      high-severity security issue. Fixes bug 33119; bugfix on Found by OSS-Fuzz. We are also tracking this issue
      as TROVE-2020-002 and CVE-2020-10592.

2) CVE-2020-10593

Description from ChangeLog:
  o Major bugfixes (circuit padding, memory leak, backport from
    - Avoid a remotely triggered memory leak in the case that a circuit
      padding machine is somehow negotiated twice on the same circuit.
      Fixes bug 33619; bugfix on Found by Tobias Pulls.
      This is also tracked as TROVE-2020-004 and CVE-2020-10593.
Comment 1 Larry the Git Cow gentoo-dev 2020-03-18 16:55:49 UTC
The bug has been referenced in the following commit(s):

commit 13955a3f9dd43e0146b3abf1533dab545f1754e3
Author:     Sam James (sam_c) <>
AuthorDate: 2020-03-18 16:50:23 +0000
Commit:     Anthony G. Basile <>
CommitDate: 2020-03-18 16:54:30 +0000

    net-vpn/tor: Security bump
    Signed-off-by: Sam James (sam_c) <>
    Signed-off-by: Anthony G. Basile <>

 net-vpn/tor/Manifest                 |  3 ++
 net-vpn/tor/tor-       | 88 ++++++++++++++++++++++++++++++++++
 net-vpn/tor/tor-       | 90 +++++++++++++++++++++++++++++++++++
 net-vpn/tor/tor- | 92 ++++++++++++++++++++++++++++++++++++
 4 files changed, 273 insertions(+)
Comment 2 Sam James (sam_c) (security padawan) 2020-03-18 17:02:31 UTC
@maintainer(s): Thanks for being so quick (jinx)! 

Please advise if you are ready for stabilization or call for stabilization yourself.
Comment 3 Anthony Basile gentoo-dev 2020-03-18 17:26:21 UTC
(In reply to sam_c (Security Padawan) from comment #2)
> @maintainer(s): Thanks for being so quick (jinx)! 
> Please advise if you are ready for stabilization or call for stabilization
> yourself.

It's ready for stabilization:


KEYWORDS="amd64 arm arm64 ppc ppc64 x86"
Comment 4 Agostino Sarubbo gentoo-dev 2020-03-20 09:02:27 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2020-03-20 09:07:09 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-03-20 11:28:49 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-03-20 11:30:06 UTC
ppc64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-03-21 16:48:42 UTC
arm stable
Comment 9 Thomas Deutschmann gentoo-dev Security 2020-03-25 15:42:56 UTC
New GLSA request filed.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2020-03-25 15:55:39 UTC
This issue was resolved and addressed in
 GLSA 202003-50 at
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 11 Thomas Deutschmann gentoo-dev Security 2020-03-25 15:56:15 UTC
Re-opening for remaining architectures.
Comment 12 Mart Raudsepp gentoo-dev 2020-03-28 10:45:36 UTC
arm64 stable
Comment 13 Sam James (sam_c) (security padawan) 2020-03-28 17:31:27 UTC
@maintainer(s), please clean up.