[3.8] tor: Multiple vulnerabilities (CVE-2017-8819, CVE-2017-8820, CVE-2017-8821, CVE-2017-8822, CVE-2017-8823)
CVE-2017-8819
In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, the replay-cache protection mechanism is ineffective for v2 onion services, aka TROVE-2017-009. An attacker can send many INTRODUCE2 cells to trigger this issue.

CVE-2017-8820
In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, remote attackers can cause a denial of service (NULL pointer dereference and application crash) against directory authorities via a malformed descriptor, aka TROVE-2017-010.

CVE-2017-8821
In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, an attacker can cause a denial of service (application hang) via crafted PEM input that signifies a public key requiring a password, which triggers an attempt by the OpenSSL library to ask the user for the password, aka TROVE-2017-011.

CVE-2017-8822
In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, relays (that have incompletely downloaded descriptors) can pick themselves in a circuit path, leading to a degradation of anonymity, aka TROVE-2017-012.

CVE-2017-8823
In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, there is a use-after-free in onion service v2 during intro-point expiration because the expiring list is mismanaged in certain error cases, aka TROVE-2017-013.
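All five CVEs above share one set of affected ranges, and the ranges are per release branch (a 0.2.9.x relay is fixed at 0.2.9.14, not at 0.3.1.9), which is easy to get wrong when reading `tor --version` output by eye. The following is an added example, not part of the advisory and not Tor project code: it parses a version string and maps it onto the ranges quoted above. The sample version strings (including the `git-deadbeef` tag) are constructed; the `installed_tor_version` helper is an assumption that a `tor` binary is on PATH and prints `Tor version X.Y.Z.W.`.

```python
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]

# Affected ranges exactly as the CVE text above states them (all five CVEs
# share the same ranges).  Each entry is (lowest branch, highest branch,
# first fixed release).  "Tor before 0.2.5.16" covers every branch up to
# 0.2.5; "0.2.6 through 0.2.8 before 0.2.8.17" covers 0.2.6, 0.2.7 and 0.2.8.
AFFECTED_RANGES = [
    ((0, 0, 0), (0, 2, 5), (0, 2, 5, 16)),
    ((0, 2, 6), (0, 2, 8), (0, 2, 8, 17)),
    ((0, 2, 9), (0, 2, 9), (0, 2, 9, 14)),
    ((0, 3, 0), (0, 3, 0), (0, 3, 0, 13)),
    ((0, 3, 1), (0, 3, 1), (0, 3, 1, 9)),
]

# Four numeric components, with an optional -alpha/-rc/-dev style suffix.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)(?:-[A-Za-z0-9]+)?")


def parse_tor_version(text: str) -> Optional[Version]:
    """Pull the four-part version out of strings such as 'Tor version 0.3.1.9.'
    (what `tor --version` prints) or '0.3.0.12-rc (git-deadbeef)'.
    The suffix is dropped: the advisory's cut-offs are plain release numbers,
    and Tor gives each pre-release its own patch number anyway."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    a, b, c, d = (int(x) for x in m.groups())
    return (a, b, c, d)


def is_affected(text: str) -> Optional[bool]:
    """True  -> inside an affected range quoted in the advisory.
       False -> at or above the fixed release for that branch.
       None  -> unparseable, or a branch (e.g. 0.3.2.x) the advisory text
                does not mention; consult the release notes for those."""
    v = parse_tor_version(text)
    if v is None:
        return None
    branch = v[:3]
    for low, high, fixed in AFFECTED_RANGES:
        if low <= branch <= high:
            return v < fixed
    return None


def installed_tor_version() -> Optional[str]:
    """Assumption: a `tor` binary on PATH.  Returns its --version output,
    or None if the binary is missing or does not answer."""
    try:
        out = subprocess.run(["tor", "--version"], capture_output=True,
                             text=True, timeout=10, check=False)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return out.stdout


if __name__ == "__main__":
    # Constructed sample strings, not captured from real systems.
    samples = [
        "Tor version 0.2.4.27.",
        "Tor version 0.2.7.6.",
        "Tor version 0.2.8.17.",
        "Tor version 0.3.0.12-rc (git-deadbeef).",
        "Tor version 0.3.1.9.",
        "Tor version 0.3.2.6-alpha.",
    ]
    live = installed_tor_version()
    if live:
        samples.append(live.strip())
    for s in samples:
        print(f"{s!r:45} affected={is_affected(s)}")
```

`None` is deliberately distinct from `False`: a 0.3.2.x version is not covered by the ranges in the CVE text, so the check refuses to call it fixed rather than guessing.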
References:
https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516
(from redmine: issue id 8246, created on 2017-12-05, closed on 2017-12-07)
- Relations:
- parent #8245 (closed)