Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 795969 (CVE-2021-34548, CVE-2021-34549, CVE-2021-34550, TROVE-2021-004, TROVE-2021-005, TROVE-2021-006) - <net-vpn/tor-{0.4.4.9, 0.4.5.9, 0.4.6.5}: Multiple vulnerabilities (CVE-2021-{34548,34549,34550})
Summary: <net-vpn/tor-{0.4.4.9, 0.4.5.9, 0.4.6.5}: Multiple vulnerabilities (CVE-2021-...
Status: RESOLVED FIXED
Alias: CVE-2021-34548, CVE-2021-34549, CVE-2021-34550, TROVE-2021-004, TROVE-2021-005, TROVE-2021-006
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-06-14 15:34 UTC by Sam James
Modified: 2021-07-26 03:40 UTC (History)
1 user (show)

See Also:
Package list:
net-vpn/tor-0.4.5.9-r1
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2021-06-14 15:34:26 UTC
Also of note:
   * The 0.4.6.5 release is the first stable release in its series.
   * Tomorrow is end-of-life for the 0.4.4.x series; there will be no more 0.4.4.x releases after today.
  
For information about how long each series will be supported, see https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/CoreTorReleases .

The security issues are as follows.  My recommendation is that nobody should freak out, but everybody should upgrade.

  o Major bugfixes (security):
    - Don't allow relays to spoof RELAY_END or RELAY_RESOLVED cell on
      half-closed streams. Previously, clients failed to validate which
      hop sent these cells: this would allow a relay on a circuit to end
      a stream that wasn't actually built with it. Fixes bug 40389;
      bugfix on 0.3.5.1-alpha. This issue is also tracked as TROVE-2021-
      003 and CVE-2021-34548.

  o Major bugfixes (security, defense-in-depth):
    - Detect more failure conditions from the OpenSSL RNG code.
      Previously, we would detect errors from a missing RNG
      implementation, but not failures from the RNG code itself.
      Fortunately, it appears those failures do not happen in practice
      when Tor is using OpenSSL's default RNG implementation. Fixes bug
      40390; bugfix on 0.2.8.1-alpha. This issue is also tracked as
      TROVE-2021-004. Reported by Jann Horn at Google's Project Zero.

  o Major bugfixes (security, denial of service):
    - Resist a hashtable-based CPU denial-of-service attack against
      relays. Previously we used a naive unkeyed hash function to look
      up circuits in a circuitmux object. An attacker could exploit this
      to construct circuits with chosen circuit IDs, to create
      collisions and make the hash table inefficient. Now we use a
      SipHash construction here instead. Fixes bug 40391; bugfix on
      0.2.4.4-alpha. This issue is also tracked as TROVE-2021-005 and
      CVE-2021-34549. Reported by Jann Horn from Google's Project Zero.
    - Fix an out-of-bounds memory access in v3 onion service descriptor
      parsing. An attacker could exploit this bug by crafting an onion
      service descriptor that would crash any client that tried to visit
      it. Fixes bug 40392; bugfix on 0.3.0.1-alpha. This issue is also
      tracked as TROVE-2021-006 and CVE-2021-34550. Reported by Sergei
      Glazunov from Google's Project Zero.
Comment 1 Larry the Git Cow gentoo-dev 2021-06-14 16:11:33 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d57a3b5a9229c29102731cfc5f2686219eb4c7a4

commit d57a3b5a9229c29102731cfc5f2686219eb4c7a4
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-06-14 16:10:50 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-06-14 16:11:23 +0000

    net-vpn/tor: add 0.4.6.5
    
    Bug: https://bugs.gentoo.org/795969
    Signed-off-by: Sam James <sam@gentoo.org>

 net-vpn/tor/Manifest           |   2 +
 net-vpn/tor/tor-0.4.6.5.ebuild | 108 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 110 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f1a62358eb0bef0702ce8174ff1c724871446f9b

commit f1a62358eb0bef0702ce8174ff1c724871446f9b
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-06-14 16:10:46 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-06-14 16:11:22 +0000

    net-vpn/tor: add 0.4.5.9
    
    Bug: https://bugs.gentoo.org/795969
    Signed-off-by: Sam James <sam@gentoo.org>

 net-vpn/tor/Manifest           |  2 +
 net-vpn/tor/tor-0.4.5.9.ebuild | 95 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 97 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0b50e42bbe4e5b043d81f39bb81363d207f9f727

commit 0b50e42bbe4e5b043d81f39bb81363d207f9f727
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-06-14 16:10:42 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-06-14 16:11:21 +0000

    net-vpn/tor: add 0.4.4.9
    
    Bug: https://bugs.gentoo.org/795969
    Signed-off-by: Sam James <sam@gentoo.org>

 net-vpn/tor/Manifest           |   2 +
 net-vpn/tor/tor-0.4.4.9.ebuild | 109 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 111 insertions(+)
Comment 2 Sam James archtester gentoo-dev Security 2021-06-15 23:17:47 UTC
arm64 done
Comment 3 Sam James archtester gentoo-dev Security 2021-06-15 23:17:49 UTC
arm done
Comment 4 Sam James archtester gentoo-dev Security 2021-06-15 23:17:53 UTC
ppc done
Comment 5 Sam James archtester gentoo-dev Security 2021-06-15 23:17:55 UTC
ppc64 done
Comment 6 Agostino Sarubbo gentoo-dev 2021-06-16 06:52:37 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2021-06-16 06:54:31 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 8 NATTkA bot gentoo-dev 2021-06-17 22:20:21 UTC
Unable to check for sanity:

> no match for package: net-vpn/tor-0.4.5.9
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2021-07-10 02:54:45 UTC
This issue was resolved and addressed in
 GLSA 202107-25 at https://security.gentoo.org/glsa/202107-25
by GLSA coordinator John Helmert III (ajak).
Comment 10 John Helmert III gentoo-dev Security 2021-07-10 03:15:33 UTC
Reopening for cleanup
Comment 11 Larry the Git Cow gentoo-dev 2021-07-26 03:25:02 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0ece19340e455a495fe963602e5d458089947d34

commit 0ece19340e455a495fe963602e5d458089947d34
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2021-07-25 20:52:39 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2021-07-26 03:12:47 +0000

    net-vpn/tor: drop 0.4.5.7-r1
    
    Bug: https://bugs.gentoo.org/795969
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 net-vpn/tor/Manifest              |   2 -
 net-vpn/tor/tor-0.4.5.7-r1.ebuild | 109 --------------------------------------
 2 files changed, 111 deletions(-)
Comment 12 John Helmert III gentoo-dev Security 2021-07-26 03:40:29 UTC
All done!