Re: CVE request: tor

["Steven M. Christey" <coley () rcf-smtp mitre org>]

On Tue, 18 Jan 2011, Josh Bressers wrote:

> ----- Original Message -----
> > Hi,
> >
> > Tor 0.2.1.29 fixes three security issues:
> > http://archives.seul.org/or/announce/Jan-2011/msg00000.html
> >
> > While the first already has a CVE ID listed, two more are
> > still needed.
>
> Here you go:
> CVE-2011-0015 Tor zlib DoS
> CVE-2011-0016 Tor keys not zeroed in memory


The advisory above also has a section on crashes which the Tor developers 
"think are hard to exploit remotely," but still (most likely) qualify for 
CVE inclusion.

CVE-2011-0490 - libevent
CVE-2011-0491 - tor_realloc crash / "underflow errors"
CVE-2011-0492 - assertion failure on specific file sizes
CVE-2011-0493 - assertion failure / malformed router caches


- Steve


======================================================
Name: CVE-2011-0490
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0490
Reference: MLIST:[or-announce] 20110117 Tor 0.2.1.29 is released (security patches)
Reference: URL:http://archives.seul.org/or/announce/Jan-2011/msg00000.html
Reference: CONFIRM:http://blog.torproject.org/blog/tor-02129-released-security-patches
Reference: CONFIRM:https://gitweb.torproject.org/tor.git/blob/refs/heads/release-0.2.2:/ChangeLog
Reference: CONFIRM:https://trac.torproject.org/projects/tor/ticket/2190

Tor before 0.2.1.29 and 0.2.2.x before 0.2.2.21-alpha makes calls to
Libevent within Libevent log handlers, which might allow remote
attackers to cause a denial of service (daemon crash) via vectors that
trigger certain log messages.


======================================================
Name: CVE-2011-0491
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0491
Reference: MLIST:[or-announce] 20110117 Tor 0.2.1.29 is released (security patches)
Reference: URL:http://archives.seul.org/or/announce/Jan-2011/msg00000.html
Reference: CONFIRM:http://blog.torproject.org/blog/tor-02129-released-security-patches
Reference: CONFIRM:https://gitweb.torproject.org/tor.git/blob/refs/heads/release-0.2.2:/ChangeLog
Reference: CONFIRM:https://trac.torproject.org/projects/tor/ticket/2324

The tor_realloc function in Tor before 0.2.1.29 and 0.2.2.x before
0.2.2.21-alpha does not validate a certain size value during memory
allocation, which might allow remote attackers to cause a denial of
service (daemon crash) via unspecified vectors, related to "underflow
errors."


======================================================
Name: CVE-2011-0492
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0492
Reference: MLIST:[or-announce] 20110117 Tor 0.2.1.29 is released (security patches)
Reference: URL:http://archives.seul.org/or/announce/Jan-2011/msg00000.html
Reference: CONFIRM:http://blog.torproject.org/blog/tor-02129-released-security-patches
Reference: CONFIRM:https://gitweb.torproject.org/tor.git/blob/refs/heads/release-0.2.2:/ChangeLog
Reference: CONFIRM:https://trac.torproject.org/projects/tor/ticket/2326

Tor before 0.2.1.29 and 0.2.2.x before 0.2.2.21-alpha allows remote
attackers to cause a denial of service (assertion failure and daemon
exit) via blobs that trigger a certain file size, as demonstrated by
the cached-descriptors.new file.


======================================================
Name: CVE-2011-0493
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0493
Reference: MLIST:[or-announce] 20110117 Tor 0.2.1.29 is released (security patches)
Reference: URL:http://archives.seul.org/or/announce/Jan-2011/msg00000.html
Reference: CONFIRM:http://blog.torproject.org/blog/tor-02129-released-security-patches
Reference: CONFIRM:https://gitweb.torproject.org/tor.git/blob/refs/heads/release-0.2.2:/ChangeLog
Reference: CONFIRM:https://trac.torproject.org/projects/tor/ticket/2352

Tor before 0.2.1.29 and 0.2.2.x before 0.2.2.21-alpha might allow
remote attackers to cause a denial of service (assertion failure and
daemon exit) via vectors related to malformed router caches and
improper handling of integer values.