Bug 671259 (CVE-2011-0015, CVE-2011-0016, CVE-2011-0427, CVE-2011-0490, CVE-2011-0491, CVE-2011-0492, CVE-2011-0493)

Summary: CVE-2011-0015 CVE-2011-0016 CVE-2011-0427 CVE-2011-0490 CVE-2011-0491 CVE-2011-0492 CVE-2011-0493 tor: multiple security flaws fixed in 0.2.1.29
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
Severity: high
Priority: high
Version: unspecified
CC: casmls, cassmodiah, lmacken, michael, pwouters, rcvalle, rh-bugzilla, tremble, wnefal+redhatbugzilla
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2013-05-31 03:13:59 UTC
Bug Depends On: 671263

Description Vincent Danen 2011-01-20 21:42:21 UTC
Tor 0.2.1.29 fixes a number of security flaws, as noted below:

http://blog.torproject.org/blog/tor-02129-released-security-patches
https://gitweb.torproject.org/tor.git/blob/refs/heads/release-0.2.2:/ChangeLog

The specifics of the CVEs are as follows:

* Name: CVE-2011-0015
* Reference: https://trac.torproject.org/projects/tor/ticket/2324

Tor before 0.2.1.29 and 0.2.2.x before 0.2.2.21-alpha does not
properly check the amount of compression in zlib-compressed data,
which allows remote attackers to cause a denial of service via a large
compression factor.


* Name: CVE-2011-0016
* Reference: https://trac.torproject.org/projects/tor/ticket/2384
* Reference: https://trac.torproject.org/projects/tor/ticket/2385

Tor before 0.2.1.29 and 0.2.2.x before 0.2.2.21-alpha does not
properly manage key data in memory, which might allow local users to
obtain sensitive information by leveraging the ability to read memory
that was previously used by a different process.


* Name: CVE-2011-0427

Heap-based buffer overflow in Tor before 0.2.1.29 and 0.2.2.x before
0.2.2.21-alpha allows remote attackers to cause a denial of service
(memory corruption and application crash) or possibly execute
arbitrary code via unspecified vectors.


* Name: CVE-2011-0490
* Reference: https://trac.torproject.org/projects/tor/ticket/2190

Tor before 0.2.1.29 and 0.2.2.x before 0.2.2.21-alpha makes calls to
Libevent within Libevent log handlers, which might allow remote
attackers to cause a denial of service (daemon crash) via vectors that
trigger certain log messages.


* Name: CVE-2011-0491
* Reference: https://trac.torproject.org/projects/tor/ticket/2324

The tor_realloc function in Tor before 0.2.1.29 and 0.2.2.x before
0.2.2.21-alpha does not validate a certain size value during memory
allocation, which might allow remote attackers to cause a denial of
service (daemon crash) via unspecified vectors, related to "underflow
errors."


* Name: CVE-2011-0492
* Reference: https://trac.torproject.org/projects/tor/ticket/2326

Tor before 0.2.1.29 and 0.2.2.x before 0.2.2.21-alpha allows remote
attackers to cause a denial of service (assertion failure and daemon
exit) via blobs that trigger a certain file size, as demonstrated by
the cached-descriptors.new file.


* Name: CVE-2011-0493
* Reference: https://trac.torproject.org/projects/tor/ticket/2352

Tor before 0.2.1.29 and 0.2.2.x before 0.2.2.21-alpha might allow
remote attackers to cause a denial of service (assertion failure and
daemon exit) via vectors related to malformed router caches and
improper handling of integer values.
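
As an added illustration of the check CVE-2011-0015 describes as missing (example code written here, not Tor's own; the ratio limit, grace threshold, chunk sizes and sample inputs are assumptions constructed for the example), a bounded zlib inflater that fails closed once the expansion factor runs away, while still accepting small but highly compressible payloads:

```python
import hashlib
import zlib
# Limits are assumptions for this example, not Tor's own constants.
MAX_RATIO = 64           # reject once output exceeds 64x the compressed input used...
CHECK_AFTER = 64 * 1024  # ...but only after this much output exists (small payloads pass)
IN_CHUNK = 1024          # compressed bytes fed to zlib per step
OUT_CHUNK = 64 * 1024    # cap on inflated bytes produced per step

class CompressionBombError(ValueError):
    pass

def safe_inflate(data, max_ratio=MAX_RATIO, check_after=CHECK_AFTER):
    """Inflate a zlib stream incrementally; fail closed when inflated/consumed exceeds max_ratio."""
    d = zlib.decompressobj()
    out = bytearray()
    pos = 0
    while not d.eof:
        if d.unconsumed_tail:          # input zlib left over when the output cap was hit
            chunk = d.unconsumed_tail
        elif pos < len(data):
            chunk = data[pos:pos + IN_CHUNK]
            pos += len(chunk)
        else:
            break
        out += d.decompress(chunk, OUT_CHUNK)
        consumed = pos - len(d.unconsumed_tail)  # compressed bytes actually used so far
        if len(out) >= check_after and len(out) > max_ratio * consumed:
            raise CompressionBombError(f"{len(out)} bytes inflated from {consumed} compressed bytes")
    out += d.flush()
    if not d.eof:
        raise ValueError("truncated zlib stream")
    return bytes(out)

def pseudo_random(n):
    """Deterministic, effectively incompressible bytes (constructed test input)."""
    blocks = (hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def make_samples():
    """Constructed inputs: ordinary data, a small repetitive payload, and a bomb."""
    return {"normal": zlib.compress(pseudo_random(200_000)),
            "small_repetitive": zlib.compress(b"\0" * 16_384),
            "bomb": zlib.compress(b"\0" * (4 * 1024 * 1024))}  # 4 MiB of zeros in a few KiB

def inflate_outcome(compressed):
    """Return ('ok', inflated_length) or ('rejected', 0) for one stream."""
    try:
        return ("ok", len(safe_inflate(compressed)))
    except CompressionBombError:
        return ("rejected", 0)
```

Because the ratio is measured against input actually consumed rather than the whole message, the bomb is rejected after the first 64 KiB of output, long before memory is exhausted.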

Comment 1 Vincent Danen 2011-01-20 21:50:48 UTC
Fedora currently has 0.2.1.29 in testing, so once those have hit stable, Fedora is taken care of.

EPEL5 has quite an old version of tor (0.2.1.19) and is vulnerable to these flaws.

Comment 2 Vincent Danen 2011-01-20 21:52:03 UTC
Created tor tracking bugs for this issue

Affects: epel-5 [bug 671263]

Comment 4 Vincent Danen 2011-05-16 22:22:56 UTC
Please see bug #705192; we need to update to 0.2.1.30.  Thanks.

Comment 5 Paul Wouters 2013-05-31 03:13:59 UTC
Fixed a long time ago.