Bug 849949 (CVE-2012-3517, CVE-2012-3518, CVE-2012-3519)

Summary: CVE-2012-3517 tor: Read from freed memory and double free by processing failed DNS request
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Severity: medium
Priority: medium
Version: unspecified
CC: extras-orphan, lmacken, pwouters, rh-bugzilla
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: tor
Doc Type: Bug Fix
Last Closed: 2013-05-31 03:08:16 UTC
Bug Depends On: 849952    

Description Jan Lieskovsky 2012-08-21 10:00:45 UTC
A read from already freed memory and double free flaws were found in the way Tor, a connection-based low-latency anonymous communication system, performed processing of certain failing DNS requests. A remote attacker could issue a specially-crafted DNS request that, when processed, would lead to a tor executable crash.

Upstream ticket:
[1] https://trac.torproject.org/projects/tor/ticket/6480

Relevant patch:
[2] https://gitweb.torproject.org/tor.git/commitdiff/62637fa22405278758febb1743da9af562524d4c

[3] https://lists.torproject.org/pipermail/tor-announce/2012-August/000086.html
[4] https://bugzilla.novell.com/show_bug.cgi?id=776642

Comment 1 Jan Lieskovsky 2012-08-21 10:03:18 UTC
This issue affects the version of the tor package, as shipped with Fedora EPEL 5. Please schedule an update.


Tor package versions shipped in Fedora 16 and Fedora 17 have already been updated to upstream version.

Comment 2 Jan Lieskovsky 2012-08-21 10:04:14 UTC
Created tor tracking bugs for this issue

Affects: epel-5 [bug 849952]

Comment 3 Jan Lieskovsky 2012-08-21 10:13:47 UTC
For the other two issues corrected within version:

2) tor: Uninitialized memory read by reading vote or consensus document with unrecognized flavor name
Upstream ticket:
[5] https://trac.torproject.org/projects/tor/ticket/6530

Relevant patches:
[6] https://gitweb.torproject.org/tor.git/commitdiff/57e35ad3d91724882c345ac709666a551a977f0f
[7] https://gitweb.torproject.org/tor.git/commitdiff/55f635745afacefffdaafc72cc176ca7ab817546

[8] https://lists.torproject.org/pipermail/tor-announce/2012-August/000086.html
[9] https://bugzilla.novell.com/show_bug.cgi?id=776642


3) tor: Client's relays path information leak
Upstream ticket:
[10] https://trac.torproject.org/projects/tor/ticket/6537

Relevant patches:
[11] https://gitweb.torproject.org/tor.git/commitdiff/308f6dad20675c42b29862f4269ad1fbfb00dc9a
[12] https://gitweb.torproject.org/tor.git/commitdiff/d48cebc5e498b0ae673635f40fc57cdddab45d5b

[13] https://lists.torproject.org/pipermail/tor-announce/2012-August/000086.html
[14] https://bugzilla.novell.com/show_bug.cgi?id=776642

Relevant patches are not applicable to the source code base for tor package version, as shipped with Fedora EPEL 5 yet (it is not affected by 2) and 3) flaws). The 2) and 3) flaws are also already corrected in Fedora 16 and Fedora 17 tor package versions.

Comment 4 Jan Lieskovsky 2012-08-21 10:14:31 UTC
CVE request:

Comment 6 Kurt Seifried 2012-08-27 01:48:19 UTC
Added additional CVEs


Comment 7 Fedora Update System 2012-09-24 03:21:23 UTC
tor- has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2013-02-03 13:38:43 UTC
tor- has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.