[3.7] tor: Multiple vulnerabilities (CVE-2017-8819, CVE-2017-8820, CVE-2017-8821, CVE-2017-8822, CVE-2017-8823) (#8247) · Issues · alpine / aports

[3.7] tor: Multiple vulnerabilities (CVE-2017-8819, CVE-2017-8820, CVE-2017-8821, CVE-2017-8822, CVE-2017-8823)

CVE-2017-8819

In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, the replay-cache protection mechanism is ineffective
for v2 onion services, aka TROVE-2017-009. An attacker can send many INTRODUCE2 cells to trigger this issue.

CVE-2017-8820

In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, remote attackers can cause a denial of service
(NULL pointer dereference and application crash) against directory authorities via a malformed descriptor, aka TROVE-2017-010.

CVE-2017-8821

In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, an attacker can cause a denial of service
(application hang) via crafted PEM input that signifies a public key requiring a password, which triggers an attempt by the OpenSSL library to ask the user for the password, aka TROVE-2017-011.

CVE-2017-8822

In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, relays (that have incompletely downloaded descriptors)
can pick themselves in a circuit path, leading to a degradation of anonymity, aka TROVE-2017-012.

CVE-2017-8823

In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, there is a use-after-free in onion service v2 during
intro-point expiration because the expiring list is mismanaged in certain error cases, aka TROVE-2017-013.

References:

https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516

(from redmine: issue id 8247, created on 2017-12-05, closed on 2017-12-07)

Relations:
- parent #8245 (closed)
Changesets:
- Revision aa584109 by Natanael Copa on 2017-12-07T09:51:22Z:

community/tor: security upgrade to 0.3.1.9

CVE-2017-8819 TROVE-2017-009: Replay-cache ineffective for v2 onion services
CVE-2017-8820 TROVE-2017-010: Remote DoS attack against directory authorities
CVE-2017-8821 TROVE-2017-011: An attacker can make Tor ask for a password
CVE-2017-8822 TROVE-2017-012: Relays can pick themselves in a circuit path
CVE-2017-8823 TROVE-2017-013: Use-after-free in onion service v2

fixes #8247

**CVE-2017-8819**

In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9
before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, the
replay-cache protection mechanism is ineffective  
for v2 onion services, aka TROVE-2017-009. An attacker can send many
INTRODUCE2 cells to trigger this issue.

**CVE-2017-8820**

In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9
before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, remote
attackers can cause a denial of service  
(NULL pointer dereference and application crash) against directory
authorities via a malformed descriptor, aka TROVE-2017-010.

**CVE-2017-8821**

In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9
before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, an
attacker can cause a denial of service  
(application hang) via crafted PEM input that signifies a public key
requiring a password, which triggers an attempt by the OpenSSL library
to ask the user for the password, aka TROVE-2017-011.

**CVE-2017-8822**

In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9
before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, relays
(that have incompletely downloaded descriptors)  
can pick themselves in a circuit path, leading to a degradation of
anonymity, aka TROVE-2017-012.

**CVE-2017-8823**

In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9
before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, there
is a use-after-free in onion service v2 during  
intro-point expiration because the expiring list is mismanaged in
certain error cases, aka TROVE-2017-013.

### References:

https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516

*(from redmine: issue id 8247, created on 2017-12-05, closed on 2017-12-07)*

* Relations:
  * parent #8245
* Changesets:
  * Revision aa584109baa33cd000b70285d8fa42d0d0c6c586 by Natanael Copa on 2017-12-07T09:51:22Z:

```
community/tor: security upgrade to 0.3.1.9

CVE-2017-8819 TROVE-2017-009: Replay-cache ineffective for v2 onion services
CVE-2017-8820 TROVE-2017-010: Remote DoS attack against directory authorities
CVE-2017-8821 TROVE-2017-011: An attacker can make Tor ask for a password
CVE-2017-8822 TROVE-2017-012: Relays can pick themselves in a circuit path
CVE-2017-8823 TROVE-2017-013: Use-after-free in onion service v2

fixes #8247
```

Discussion
Designs

The one place for your designs

To enable design management, you'll need to meet the requirements. If you need help, reach out to our support team for assistance.