Bug 671259 - (CVE-2011-0015, CVE-2011-0016, CVE-2011-0427, CVE-2011-0490, CVE-2011-0491, CVE-2011-0492, CVE-2011-0493) tor: multiple security flaws fixed in 0.2.1.29
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
high Severity high
Assigned To: Red Hat Product Security
public=20110117,reported=20110117,sou...
: Security
Depends On: 671263
Reported: 2011-01-20 16:42 EST by Vincent Danen
Modified: 2015-08-19 05:03 EDT

Doc Type: Bug Fix
Last Closed: 2013-05-30 23:13:59 EDT

Description Vincent Danen 2011-01-20 16:42:21 EST
Tor 0.2.1.29 fixes a number of security flaws, as noted below:

http://blog.torproject.org/blog/tor-02129-released-security-patches
https://gitweb.torproject.org/tor.git/blob/refs/heads/release-0.2.2:/ChangeLog

The specifics of the CVEs are as follows:

* Name: CVE-2011-0015
* Reference: https://trac.torproject.org/projects/tor/ticket/2324

Tor before 0.2.1.29 and 0.2.2.x before 0.2.2.21-alpha does not
properly check the amount of compression in zlib-compressed data,
which allows remote attackers to cause a denial of service via a large
compression factor.


* Name: CVE-2011-0016
* Reference: https://trac.torproject.org/projects/tor/ticket/2384
* Reference: https://trac.torproject.org/projects/tor/ticket/2385

Tor before 0.2.1.29 and 0.2.2.x before 0.2.2.21-alpha does not
properly manage key data in memory, which might allow local users to
obtain sensitive information by leveraging the ability to read memory
that was previously used by a different process.


* Name: CVE-2011-0427

Heap-based buffer overflow in Tor before 0.2.1.29 and 0.2.2.x before
0.2.2.21-alpha allows remote attackers to cause a denial of service
(memory corruption and application crash) or possibly execute
arbitrary code via unspecified vectors.


* Name: CVE-2011-0490
* Reference: https://trac.torproject.org/projects/tor/ticket/2190

Tor before 0.2.1.29 and 0.2.2.x before 0.2.2.21-alpha makes calls to
Libevent within Libevent log handlers, which might allow remote
attackers to cause a denial of service (daemon crash) via vectors that
trigger certain log messages.


* Name: CVE-2011-0491
* Reference: https://trac.torproject.org/projects/tor/ticket/2324

The tor_realloc function in Tor before 0.2.1.29 and 0.2.2.x before
0.2.2.21-alpha does not validate a certain size value during memory
allocation, which might allow remote attackers to cause a denial of
service (daemon crash) via unspecified vectors, related to "underflow
errors."


* Name: CVE-2011-0492
* Reference: https://trac.torproject.org/projects/tor/ticket/2326

Tor before 0.2.1.29 and 0.2.2.x before 0.2.2.21-alpha allows remote
attackers to cause a denial of service (assertion failure and daemon
exit) via blobs that trigger a certain file size, as demonstrated by
the cached-descriptors.new file.


* Name: CVE-2011-0493
* Reference: https://trac.torproject.org/projects/tor/ticket/2352

Tor before 0.2.1.29 and 0.2.2.x before 0.2.2.21-alpha might allow
remote attackers to cause a denial of service (assertion failure and
daemon exit) via vectors related to malformed router caches and
improper handling of integer values.
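
The class of check that CVE-2011-0015 describes as missing, shown as an added example (not part of the original report and not Tor's code): a streaming zlib inflate that aborts once the output exceeds an expansion factor or an absolute size. The function name, exception name and all limit values are assumptions chosen for illustration.

```python
import zlib

# Assumed limits for this sketch; they are not values taken from Tor.
MAX_RATIO = 25                 # allowed output/input expansion factor
RATIO_FLOOR = 64 * 1024        # ignore the ratio until this much output exists
MAX_OUTPUT = 8 * 1024 * 1024   # absolute cap on decompressed bytes
CHUNK = 16 * 1024              # output produced per inflate call


class CompressionLimitExceeded(ValueError):
    """Raised when decompressed output grows past the configured limits."""


def bounded_inflate(data, max_ratio=MAX_RATIO, floor=RATIO_FLOOR,
                    max_output=MAX_OUTPUT):
    """Inflate a zlib stream in bounded steps, checking limits after each.

    Decompressing in CHUNK-sized steps means a hostile stream is rejected
    after a small amount of work instead of after the whole expansion.
    """
    d = zlib.decompressobj()
    out = bytearray()
    pending = data
    while not d.eof:
        # max_length bounds how much output this single call may produce.
        piece = d.decompress(pending, CHUNK)
        pending = d.unconsumed_tail
        if not piece and not pending and not d.eof:
            raise zlib.error("truncated zlib stream")
        out += piece
        if len(out) > max_output:
            raise CompressionLimitExceeded(
                "output exceeds %d bytes" % max_output)
        # Small outputs are exempt so short, repetitive inputs still pass.
        if len(out) > floor and len(out) > max_ratio * len(data):
            raise CompressionLimitExceeded(
                "expansion factor exceeds %d" % max_ratio)
    return bytes(out)
```

The floor keeps legitimately repetitive small documents from being rejected, while the absolute cap bounds memory even for input that stays under the ratio.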
Comment 1 Vincent Danen 2011-01-20 16:50:48 EST
Fedora currently has 0.2.1.29 in testing, so once those have hit stable, Fedora is taken care of.

EPEL5 has quite an old version of tor (0.2.1.19) and is vulnerable to these flaws.
Comment 2 Vincent Danen 2011-01-20 16:52:03 EST
Created tor tracking bugs for this issue

Affects: epel-5 [bug 671263]
Comment 4 Vincent Danen 2011-05-16 18:22:56 EDT
Please see bug #705192; we need to update to 0.2.1.30.  Thanks.
Comment 5 Paul Wouters 2013-05-30 23:13:59 EDT
fixed long time ago