917142 – (TROVE-2023-006) <net-vpn/tor-0.4.8.9: Denial of service for onion services

Bug 917142 (TROVE-2023-006) - <net-vpn/tor-0.4.8.9: Denial of service for onion services

Summary: <net-vpn/tor-0.4.8.9: Denial of service for onion services

Status:	RESOLVED FIXED

Alias:	TROVE-2023-006

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:
Whiteboard:	B3 [glsa+]
Keywords:

Depends on:	922191
Blocks:
	Show dependency tree

Reported:	2023-11-10 21:58 UTC by Sam James
Modified:	2024-09-24 05:17 UTC (History)
CC List:	2 users (show)

See Also:	https://gitlab.torproject.org/tpo/core/tor/-/issues/40883
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2023-11-10 21:58:59 UTC

See https://gitlab.torproject.org/tpo/core/tor/-/commit/be751a46e3941d9e6af093a307107db443b2968c. Fixed in 0.4.8.9.

"""
  o Major bugfixes (onion service, TROVE-2023-006):
    - Fix a possible hard assert on a NULL pointer when recording a failed
      rendezvous circuit on the service side for the MetricsPort. Fixes bug
      40883; bugfix on 0.4.8.1-alpha
"""

Comment 1 Larry the Git Cow gentoo-dev

2023-11-11 08:28:12 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2b219dc7626045415543a42224dca905572f3129

commit 2b219dc7626045415543a42224dca905572f3129
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-11-11 08:24:49 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-11-11 08:27:32 +0000

    net-vpn/tor: add 0.4.8.9
    
    Bug: https://bugs.gentoo.org/917142
    Signed-off-by: Sam James <sam@gentoo.org>

 net-vpn/tor/Manifest           |   3 +
 net-vpn/tor/tor-0.4.8.9.ebuild | 177 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 180 insertions(+)

Comment 2 Larry the Git Cow gentoo-dev

2024-07-17 05:54:17 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7102d5944702889c29e3f0a08640c67255f075a4

commit 7102d5944702889c29e3f0a08640c67255f075a4
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-07-17 05:26:15 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-07-17 05:53:00 +0000

    net-vpn/tor: drop 0.4.7.13-r1, 0.4.7.16, 0.4.7.16-r1, 0.4.8.10
    
    Bug: https://bugs.gentoo.org/916759
    Bug: https://bugs.gentoo.org/917142
    Signed-off-by: Sam James <sam@gentoo.org>

 net-vpn/tor/Manifest                               |   9 -
 net-vpn/tor/files/tor-0.4.7.13-libressl.patch      | 202 ------------
 net-vpn/tor/files/tor-0.4.7.16-arm64-sandbox.patch | 337 ---------------------
 net-vpn/tor/tor-0.4.7.13-r1.ebuild                 | 149 ---------
 net-vpn/tor/tor-0.4.7.16-r1.ebuild                 | 180 -----------
 net-vpn/tor/tor-0.4.7.16.ebuild                    | 167 ----------
 net-vpn/tor/tor-0.4.8.10.ebuild                    | 189 ------------
 7 files changed, 1233 deletions(-)

Comment 3 Larry the Git Cow gentoo-dev

2024-09-24 05:16:14 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=efa55227db2e144cbd8ee1ef7f7b88bb2c0b30e0

commit efa55227db2e144cbd8ee1ef7f7b88bb2c0b30e0
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-09-24 05:15:39 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-09-24 05:16:12 +0000

    [ GLSA 202409-24 ] Tor: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/916759
    Bug: https://bugs.gentoo.org/917142
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202409-24.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)