[arch-security] [ASA-201706-13] tor: denial of service

[Levente Polyak]

Arch Linux Security Advisory ASA-201706-13
==========================================

Severity: Medium
Date    : 2017-06-13
CVE-ID  : CVE-2017-0375 CVE-2017-0376
Package : tor
Type    : denial of service
Remote  : Yes
Link    : https://security.archlinux.org/AVG-296

Summary
=======

The package tor before version 0.3.0.8-1 is vulnerable to denial of
service.

Resolution
==========

Upgrade to 0.3.0.8-1.

# pacman -Syu "tor>=0.3.0.8-1"

The problems have been fixed upstream in version 0.3.0.8.

Workaround
==========

None.

Description
===========

- CVE-2017-0375 (denial of service)

The hidden-service feature in Tor before 0.3.0.8 allows a denial of
service (assertion failure and daemon exit) in the
relay_send_end_cell_from_edge_ function via a malformed BEGIN cell.

- CVE-2017-0376 (denial of service)

The hidden-service feature in Tor before 0.3.0.8 allows a denial of
service (assertion failure and daemon exit) in the
connection_edge_process_relay_cell function via a BEGIN_DIR cell on a
rendezvous circuit.

Impact
======

A remote attacker is able to send specially crafted input to the
hidden-service feature of tor to crash the application.

References
==========

https://bugs.archlinux.org/task/54439
https://lists.torproject.org/pipermail/tor-announce/2017-June/000131.html
https://trac.torproject.org/projects/tor/ticket/22493
https://github.com/torproject/tor/commit/79b59a2dfcb68897ee89d98587d09e55f07e68d7
https://trac.torproject.org/projects/tor/ticket/22494
https://github.com/torproject/tor/commit/56a7c5bc15e0447203a491c1ee37de9939ad1dcd
https://security.archlinux.org/CVE-2017-0375
https://security.archlinux.org/CVE-2017-0376

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20170614/eb6da35b/attachment.asc>