<tor-0.2.2.38 : Multiple vulnerabilities

Bug #1039560 reported by Karma Dorje
Affects         Status         Importance   Assigned to   Milestone
Gentoo Linux    Fix Released   Low
tor (Ubuntu)    Fix Released   Undecided    Unassigned
  Precise       Won't Fix      Undecided    Unassigned
  Quantal       Fix Released   Undecided    Unassigned

Bug Description

Tor upstream has recently released version 0.2.2.38, correcting three
security flaws:

1) tor: Read from freed memory and double free by processing failed DNS request
   Upstream ticket:
   [1] https://trac.torproject.org/projects/tor/ticket/6480

   Relevant patch:
   [2] https://gitweb.torproject.org/tor.git/commitdiff/62637fa22405278758febb1743da9af562524d4c

   References:
   [3] https://lists.torproject.org/pipermail/tor-announce/2012-August/000086.html
   [4] https://bugzilla.novell.com/show_bug.cgi?id=776642
   [5] https://bugzilla.redhat.com/show_bug.cgi?id=849949

2) tor: Uninitialized memory read by reading vote or consensus document with unrecognized flavor name
   Upstream ticket:
   [6] https://trac.torproject.org/projects/tor/ticket/6530

   Relevant patches:
   [7] https://gitweb.torproject.org/tor.git/commitdiff/57e35ad3d91724882c345ac709666a551a977f0f
   [8] https://gitweb.torproject.org/tor.git/commitdiff/55f635745afacefffdaafc72cc176ca7ab817546

   References:
   [9] https://lists.torproject.org/pipermail/tor-announce/2012-August/000086.html
   [10] https://bugzilla.novell.com/show_bug.cgi?id=776642
   Note: No Red Hat bug (Fedora tor versions already updated && EPEL one not affected).

3) tor: Client's relay path information leak
   Upstream ticket:
   [11] https://trac.torproject.org/projects/tor/ticket/6537

   Relevant patches:
   [12] https://gitweb.torproject.org/tor.git/commitdiff/308f6dad20675c42b29862f4269ad1fbfb00dc9a
   [13] https://gitweb.torproject.org/tor.git/commitdiff/d48cebc5e498b0ae673635f40fc57cdddab45d5b

   References:
   [14] https://lists.torproject.org/pipermail/tor-announce/2012-August/000086.html
   [15] https://bugzilla.novell.com/show_bug.cgi?id=776642

Revision history for this message
In , J-ago (j-ago) wrote :

From oss-security at $URL:


Revision history for this message
In , J-ago (j-ago) wrote :

@blueness, can 0.2.2.38 go to stable?

Revision history for this message
In , Blueness (blueness) wrote :

(In reply to comment #1)
> @blueness, can 0.2.2.38 go to stable?

Yes.

Revision history for this message
In , Underling (underling) wrote :

(In reply to comment #2)
> (In reply to comment #1)
> > @blueness, can 0.2.2.38 go to stable?
>
> Yes.

Thank you.

Arches, please test and mark stable:
=net-misc/tor-0.2.2.38
Target keywords : "amd64 arm ppc ppc64 sparc x86"

Karma Dorje (taaroa)
tags: added: upgrade-software-version
Revision history for this message
In , J-ago (j-ago) wrote :

x86 stable

Revision history for this message
In , J-ago (j-ago) wrote :

amd64 stable

Revision history for this message
In , Blueness (blueness) wrote :

Stable arm ppc ppc64

Karma Dorje (taaroa)
Changed in tor (Ubuntu):
status: New → Confirmed
Changed in gentoo:
importance: Unknown → Low
Revision history for this message
In , Raúl Porcel (armin76) wrote :

sparc stable

Revision history for this message
In , Underling (underling) wrote :

Thanks, folks. GLSA Vote: yes.

Revision history for this message
In , Glsamaker (glsamaker) wrote :

CVE-2012-3519 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3519):
  routerlist.c in Tor before 0.2.2.38 uses a different amount of time for
  relay-list iteration depending on which relay is chosen, which might allow
  remote attackers to obtain sensitive information about relay selection via a
  timing side-channel attack.

CVE-2012-3518 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3518):
  The networkstatus_parse_vote_from_string function in routerparse.c in Tor
  before 0.2.2.38 does not properly handle an invalid flavor name, which
  allows remote attackers to cause a denial of service (out-of-bounds read and
  daemon crash) via a crafted (1) vote document or (2) consensus document.

CVE-2012-3517 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3517):
  Use-after-free vulnerability in dns.c in Tor before 0.2.2.38 might allow
  remote attackers to cause a denial of service (daemon crash) via vectors
  related to failed DNS requests.
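
Added illustration of the class of timing side channel CVE-2012-3519 describes (constructed example, not code from Tor's routerlist.c): a weighted relay pick that leaves its loop as soon as the winner is found takes a number of iterations that depends on which relay was chosen, while a version that always walks the whole list does the same work whatever the outcome. The relay list and weights are made up for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed relay list with bandwidth weights (not real Tor relays). */
typedef struct { const char *name; uint64_t weight; } relay_t;
const relay_t sample_relays[] = { {"A", 10}, {"B", 20}, {"C", 30}, {"D", 40} };
#define SAMPLE_N (sizeof(sample_relays) / sizeof(sample_relays[0]))

/* Weighted pick that returns as soon as the cumulative weight passes r.
 * The loop count, and so the time taken, reveals which relay was chosen:
 * the pattern the CVE text describes for relay-list iteration.
 * *iters receives the number of loop iterations for illustration. */
int pick_relay_early_exit(const relay_t *relays, size_t n, uint64_t r, size_t *iters)
{
    uint64_t acc = 0;
    size_t i;
    *iters = 0;
    for (i = 0; i < n; i++) {
        (*iters)++;
        acc += relays[i].weight;
        if (r < acc)
            return (int)i;      /* early exit: iteration count depends on i */
    }
    return (int)n - 1;          /* r >= total weight: fall back to last entry */
}

/* Same selection, but the loop always walks the whole list and records the
 * hit with a mask instead of a branch, so the work done no longer depends
 * on which relay wins. */
int pick_relay_full_scan(const relay_t *relays, size_t n, uint64_t r, size_t *iters)
{
    uint64_t acc = 0;
    size_t i, hit, chosen = n - 1, found = 0;
    *iters = 0;
    for (i = 0; i < n; i++) {
        (*iters)++;
        acc += relays[i].weight;
        hit = (size_t)(r < acc) & (found ^ 1);   /* 1 only on the first crossing */
        chosen ^= (chosen ^ i) & (0 - hit);      /* take i iff hit, branch-free */
        found |= hit;
    }
    return (int)chosen;
}

/* Sanity check: both variants select the same relay for every r in range. */
int picks_agree(void)
{
    uint64_t r, total = 0;
    size_t i, it_a, it_b;
    for (i = 0; i < SAMPLE_N; i++) total += sample_relays[i].weight;
    for (r = 0; r <= total; r++)
        if (pick_relay_early_exit(sample_relays, SAMPLE_N, r, &it_a) !=
            pick_relay_full_scan(sample_relays, SAMPLE_N, r, &it_b))
            return 0;
    return 1;
}
```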

Changed in tor (Ubuntu Precise):
status: New → Confirmed
status: Confirmed → Triaged
visibility: private → public
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

This bug was fixed in the package tor - 0.2.3.22-rc-1

---------------
tor (0.2.3.22-rc-1) unstable; urgency=high

  [ Peter Palfrader ]
  * New upstream version:
    - Fix an assertion failure in tor_timegm() that could be triggered
      by a badly formatted directory object. Bug found by fuzzing with
      Radamsa. Fixes bug 6811; bugfix on 0.2.0.20-rc.

  [ Stefano Zacchiroli ]
  * README.privoxy, README.polipo: explicitly set socks type to socks5.

 -- Peter Palfrader <email address hidden> Tue, 11 Sep 2012 22:41:41 +0200

tor (0.2.3.21-rc-1) unstable; urgency=low

  * New upstream version, changes including:
    - Tear down the circuit if we get an unexpected SENDME cell. Clients
      could use this trick to make their circuits receive cells faster
      than our flow control would have allowed, or to gum up the network,
      or possibly to do targeted memory denial-of-service attacks on
      entry nodes.
    - Reject any attempt to extend to an internal address. Without
      this fix, a router could be used to probe addresses on an internal
      network to see whether they were accepting connections.
    - Do not crash when comparing an address with port value 0 to an
      address policy.
    For details please see the upstream changelog.

 -- Peter Palfrader <email address hidden> Fri, 07 Sep 2012 12:25:17 +0200

Changed in tor (Ubuntu):
status: Confirmed → Fix Released
Revision history for this message
In , Ackle (ackle) wrote :

GLSA vote: yes.

GLSA request filed.

Revision history for this message
In , Glsamaker (glsamaker) wrote :

This issue was resolved and addressed in
 GLSA 201301-03 at http://security.gentoo.org/glsa/glsa-201301-03.xml
by GLSA coordinator Sean Amoss (ackle).

Changed in gentoo:
status: Unknown → Fix Released
Revision history for this message
Steve Langasek (vorlon) wrote :

The Precise Pangolin has reached end of life, so this bug will not be fixed for that release.

Changed in tor (Ubuntu Precise):
status: Triaged → Won't Fix
This report contains Public Security information. Everyone can see this security related information.
