[3.7] tor: Multiple vulnerabilities (CVE-2017-8819, CVE-2017-8820, CVE-2017-8821, CVE-2017-8822, CVE-2017-8823)
CVE-2017-8819 (TROVE-2017-009)
In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, the replay-cache protection mechanism is ineffective for v2 onion services. An attacker can trigger this issue by sending many INTRODUCE2 cells.
CVE-2017-8820 (TROVE-2017-010)
In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, remote attackers can cause a denial of service (NULL pointer dereference and application crash) against directory authorities via a malformed descriptor.
CVE-2017-8821 (TROVE-2017-011)
In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, an attacker can cause a denial of service (application hang) via crafted PEM input that signifies a public key requiring a password; this triggers an attempt by the OpenSSL library to ask the user for the password.
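The TROVE-2017-011 bug class is a parser that is allowed to block on a passphrase prompt when handed attacker-controlled PEM. The pre-screen below is an added illustration (not Tor project or Alpine code) of what a public-key loader that must never block can check before calling into OpenSSL: it refuses any PEM block whose label or RFC 1421-style headers would make OpenSSL's PEM reader invoke its passphrase callback, and any block that is not a public key at all. The sample PEM bodies are constructed placeholders, not real keys, and the function names are this example's own.

```python
"""Pre-screen PEM text for blocks that would make OpenSSL's PEM reader call
its passphrase callback (and, with the default callback, prompt on the
terminal). Added illustration for the TROVE-2017-011 bug class; not Tor or
Alpine code. Sample bodies below are constructed placeholders, not keys."""
import re
from typing import List, Tuple

# One PEM block: label, then either base64 directly or "Key: value" header
# lines terminated by a blank line (the legacy OpenSSL encryption layout).
_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def pem_blocks(text: str) -> List[Tuple[str, List[str], str]]:
    """Split PEM text into (label, header lines, base64 body) triples."""
    out: List[Tuple[str, List[str], str]] = []
    for m in _BLOCK.finditer(text):
        label, raw = m.group(1), m.group(2)
        lines = raw.splitlines()
        headers: List[str] = []
        # Base64 never contains ':', so a colon on the first line means headers.
        if lines and ":" in lines[0]:
            while lines and lines[0].strip():
                headers.append(lines.pop(0))
            if lines:
                lines.pop(0)  # drop the blank separator line
        out.append((label, headers, "".join(l.strip() for l in lines)))
    return out


def needs_passphrase(label: str, headers: List[str]) -> bool:
    """True if OpenSSL would run the passphrase callback for this block."""
    if label == "ENCRYPTED PRIVATE KEY":  # PKCS#8 encrypted container
        return True
    for h in headers:
        name, _, value = h.partition(":")
        # Legacy format: "Proc-Type: 4,ENCRYPTED" + "DEK-Info: <cipher>,<iv>"
        if name.strip() == "Proc-Type" and "ENCRYPTED" in value.upper():
            return True
    return False


def screen_public_key_pem(text: str) -> Tuple[bool, str]:
    """Decide whether text may be handed to a non-interactive public-key
    parser. Rejects anything that would trigger a prompt and anything that
    is not a public-key block, before OpenSSL ever sees it."""
    blocks = pem_blocks(text)
    if not blocks:
        return False, "no PEM block found"
    for label, headers, _ in blocks:
        if needs_passphrase(label, headers):
            return False, f"{label} block requests a passphrase; refusing to parse"
        if not label.endswith("PUBLIC KEY"):
            return False, f"unexpected PEM label {label!r}"
    return True, "ok"


# Constructed samples (placeholder base64, not real key material).
GOOD_PUBLIC_KEY_PEM = (
    "-----BEGIN RSA PUBLIC KEY-----\n"
    "AAAAB3NzaC1yc2EAAAADAQABAAABAQC7\n"
    "-----END RSA PUBLIC KEY-----\n"
)
# A public key is never encrypted, but these headers still make the PEM
# reader ask for a password: exactly the shape the advisory describes.
CRAFTED_PUBLIC_KEY_PEM = (
    "-----BEGIN RSA PUBLIC KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n"
    "\n"
    "AAAAB3NzaC1yc2EAAAADAQABAAABAQC7\n"
    "-----END RSA PUBLIC KEY-----\n"
)
ENCRYPTED_PKCS8_PEM = (
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
    "MIIBvTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQI\n"
    "-----END ENCRYPTED PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for name, pem in (("good", GOOD_PUBLIC_KEY_PEM),
                      ("crafted", CRAFTED_PUBLIC_KEY_PEM),
                      ("pkcs8", ENCRYPTED_PKCS8_PEM)):
        print(name, screen_public_key_pem(pem))
```

A screen like this is defence in depth only; the fix in a native code base is to hand the PEM reader a passphrase callback that returns failure instead of the library default that reads from the terminal, so that a block asking for a password fails immediately rather than hanging the daemon.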
CVE-2017-8822 (TROVE-2017-012)
In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, relays that have incompletely downloaded descriptors can pick themselves in a circuit path, leading to a degradation of anonymity.
CVE-2017-8823 (TROVE-2017-013)
In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, there is a use-after-free in onion service v2 during intro-point expiration, because the expiring list is mismanaged in certain error cases.
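The same five version ranges apply to every CVE above, and the branch-specific fixes (0.2.6 and 0.2.7 get no release of their own; 0.2.8.17 is their fix) make an eyeball comparison easy to get wrong. The script below is an added example, not Tor project or Alpine code, that maps a Tor version string onto those ranges; the version-ordering rules it uses (a pre-release tag sorts before the bare release, other tags are ignored) are this example's assumption, not Tor's own comparison routine. It returns None for series the advisory does not describe, such as 0.3.2.x, rather than calling them safe.

```python
"""Map a Tor version string onto the affected ranges listed above for
CVE-2017-8819 through CVE-2017-8823 (TROVE-2017-009 through -013).
Added illustration, not Tor project or Alpine code; the ordering rules
below are an assumption, not Tor's own tor_version_compare()."""
import re
from typing import Optional, Tuple

VersionKey = Tuple[int, int, int, int, int]

# (lowest series, highest series, first fixed release), from the advisory:
#   before 0.2.5.16; 0.2.6 through 0.2.8 before 0.2.8.17; 0.2.9 before
#   0.2.9.14; 0.3.0 before 0.3.0.13; 0.3.1 before 0.3.1.9.
# 0.2.6.x and 0.2.7.x have no fix of their own; 0.2.8.17 is their fix.
RANGES = [
    ((0, 0, 0), (0, 2, 5), (0, 2, 5, 16)),
    ((0, 2, 6), (0, 2, 8), (0, 2, 8, 17)),
    ((0, 2, 9), (0, 2, 9), (0, 2, 9, 14)),
    ((0, 3, 0), (0, 3, 0), (0, 3, 0, 13)),
    ((0, 3, 1), (0, 3, 1), (0, 3, 1, 9)),
]

_VERSION = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+))?")


def parse_version(text: str) -> VersionKey:
    """Turn '0.3.1.9', '0.3.2.6-alpha' or '0.2.9.14 (git-abc123)' into a
    sortable key. A pre-release tag (alpha/beta/rc) sorts before the bare
    release with the same numbers, so 0.3.1.9-rc counts as 'before 0.3.1.9'.
    Other tags such as -dev are treated as the bare release (assumption)."""
    m = _VERSION.match(text)
    if not m:
        raise ValueError(f"not a Tor version string: {text!r}")
    nums = tuple(int(m.group(i)) for i in (1, 2, 3)) + (int(m.group(4) or 0),)
    prerelease = (m.group(5) or "").lower() in ("alpha", "beta", "rc")
    return nums + (0 if prerelease else 1,)


def is_affected(text: str) -> Optional[bool]:
    """True if the version falls in an affected range, False if it is at or
    past the fix for its series, None if the advisory says nothing about
    the series (e.g. 0.3.2.x); None must not be read as 'safe'."""
    key = parse_version(text)
    series = key[:3]
    for low, high, fixed in RANGES:
        if low <= series <= high:
            # "before X" means strictly less than the bare release X.
            return key < fixed + (1,)
    return None


if __name__ == "__main__":
    for v in ("0.2.4.27", "0.2.7.6", "0.2.8.17", "0.3.1.8", "0.3.1.9-rc",
              "0.3.1.9 (git-deadbeef)", "0.3.2.6-alpha"):
        print(f"{v:24} affected={is_affected(v)}")
```

On an Alpine host the string to feed in is the upstream part of `apk info -v tor` (or `tor --version`); the package release suffix after `-r` is not part of the Tor version and is ignored by the regex.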
References:
https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516
(from redmine: issue id 8247, created on 2017-12-05, closed on 2017-12-07)
- Relations:
- parent #8245 (closed)
- Changesets:
- Revision aa584109 by Natanael Copa on 2017-12-07T09:51:22Z:
community/tor: security upgrade to 0.3.1.9
CVE-2017-8819 TROVE-2017-009: Replay-cache ineffective for v2 onion services
CVE-2017-8820 TROVE-2017-010: Remote DoS attack against directory authorities
CVE-2017-8821 TROVE-2017-011: An attacker can make Tor ask for a password
CVE-2017-8822 TROVE-2017-012: Relays can pick themselves in a circuit path
CVE-2017-8823 TROVE-2017-013: Use-after-free in onion service v2
fixes #8247