Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 808681 (CVE-2021-38385, TROVE-2021-007) - <net-vpn/tor-{0.4.5.10, 0.4.6.7}: Denial of service (CVE-2021-38385)
Summary: <net-vpn/tor-{0.4.5.10, 0.4.6.7}: Denial of service (CVE-2021-38385)
Status: IN_PROGRESS
Alias: CVE-2021-38385, TROVE-2021-007
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://lists.torproject.org/pipermai...
Whiteboard: B3 [glsa?]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-08-17 04:49 UTC by Sam James
Modified: 2021-09-22 15:29 UTC (History)
1 user (show)

See Also:
Package list:
net-vpn/tor-0.4.5.10 net-vpn/tor-0.4.6.7
Runtime testing required: ---
nattka: sanity-check-


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2021-08-17 04:49:11 UTC
See https://lists.torproject.org/pipermail/tor-packagers/2021-August/000128.html.

Description:
"
    - Resolve an assertion failure caused by a behavior mismatch between
      our batch-signature verification code and our single-signature
      verification code. This assertion failure could be triggered
      remotely, leading to a denial of service attack. We fix this issue
      by disabling batch verification. Fixes bug 40078; bugfix on
      0.2.6.1-alpha. This issue is also tracked as TROVE-2021-007 and
      CVE-2021-38385. Found by Henry de Valence.
"

Releases (for us): 0.4.5.10, 0.4.6.7. Please bump, thanks!
Comment 1 Anthony Basile gentoo-dev 2021-08-17 14:03:53 UTC
These are in the tree now.  Tor is very good about pushing out working products, so let's go ahead and stabilize.
Comment 2 Sam James archtester gentoo-dev Security 2021-08-17 14:20:59 UTC
(In reply to Anthony Basile from comment #1)
> These are in the tree now.  Tor is very good about pushing out working
> products, so let's go ahead and stabilize.

Thanks!
Comment 3 Sam James archtester gentoo-dev Security 2021-08-17 21:38:24 UTC
ppc done
Comment 4 Sam James archtester gentoo-dev Security 2021-08-17 21:38:32 UTC
ppc64 done
Comment 5 Sam James archtester gentoo-dev Security 2021-08-18 01:41:13 UTC
arm done
Comment 6 Sam James archtester gentoo-dev Security 2021-08-18 01:45:52 UTC
x86 done
Comment 7 Sam James archtester gentoo-dev Security 2021-08-19 01:06:14 UTC
arm64 done
Comment 8 Agostino Sarubbo gentoo-dev 2021-08-19 01:26:33 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 9 Anthony Basile gentoo-dev 2021-08-24 20:18:57 UTC
(In reply to Agostino Sarubbo from comment #8)
> amd64 stable.
> 
> Maintainer(s), please cleanup.
> Security, please vote.

the vulnerable version is off the tree
Comment 10 John Helmert III gentoo-dev Security 2021-08-24 20:23:32 UTC
(In reply to Anthony Basile from comment #9)
> (In reply to Agostino Sarubbo from comment #8)
> > amd64 stable.
> > 
> > Maintainer(s), please cleanup.
> > Security, please vote.
> 
> the vulnerable version is off the tree

Thanks!
Comment 11 NATTkA bot gentoo-dev 2021-09-22 15:28:29 UTC
Unable to check for sanity:

> no match for package: net-vpn/tor-0.4.5.10
Comment 12 Anthony Basile gentoo-dev 2021-09-22 15:29:41 UTC
(In reply to NATTkA bot from comment #11)
> Unable to check for sanity:
> 
> > no match for package: net-vpn/tor-0.4.5.10

I've dropped 0.4.5.10 from the tree.  There's no reason to keep it with 0.4.6.7.