An issue was discovered in Tor before 0.2.9.15, 0.3.1.x before 0.3.1.10, and 0.3.2.x before 0.3.2.10. The directory-authority protocol-list subprotocol implementation allows remote attackers to cause a denial of service (NULL pointer dereference and directory-authority crash) via a misformatted relay descriptor that is mishandled during voting. =net-vpn/tor-0.3.1.10 is already in tree, please call for stabilization if ready. - Gentoo Security Padawan -
@arches, please stabilize.
(In reply to Aaron Bauman from comment #1) > @arches, please stabilize. KEYWORDS="amd64 arm ppc ppc64 x86"
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d6fbf3f0c06653c60e94b243f8410b2a202fe4b5 commit d6fbf3f0c06653c60e94b243f8410b2a202fe4b5 Author: Aaron Bauman <bman@gentoo.org> AuthorDate: 2018-03-29 01:10:38 +0000 Commit: Aaron Bauman <bman@gentoo.org> CommitDate: 2018-03-29 01:10:38 +0000 net-vpn/tor: amd64 stable Bug: https://bugs.gentoo.org/649698 Package-Manager: Portage-2.3.26, Repoman-2.3.7 net-vpn/tor/tor-0.3.1.10.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)}
x86 stable
arm stable
FAIL: src/test/test_bt.sh on ppc (see bug #653098)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=351ec55cfdad8f6632820f0faa5180c8dee6c0f6 commit 351ec55cfdad8f6632820f0faa5180c8dee6c0f6 Author: Sergei Trofimovich <slyfox@gentoo.org> AuthorDate: 2018-04-15 19:48:24 +0000 Commit: Sergei Trofimovich <slyfox@gentoo.org> CommitDate: 2018-04-15 19:48:24 +0000 net-vpn/tor: stable 0.3.1.10 for ppc64, bug #649698 Bug: https://bugs.gentoo.org/649698 Package-Manager: Portage-2.3.28, Repoman-2.3.9 RepoMan-Options: --include-arches="ppc64" net-vpn/tor/tor-0.3.1.10.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)}
(In reply to ernsteiswuerfel from comment #6) > FAIL: src/test/test_bt.sh on ppc (see bug #653098) i've masked tests on ppc resolving bug #653098. i've stabilized on ppc. @security - all arches are stable and the vulnerable versions are off the tree.
GLSA Vote: No