Bug 671259 (CVE-2011-0015, CVE-2011-0016, CVE-2011-0427, CVE-2011-0490, CVE-2011-0491, CVE-2011-0492, CVE-2011-0493) - CVE-2011-0015 CVE-2011-0016 CVE-2011-0427 CVE-2011-0490 CVE-2011-0491 CVE-2011-0492 CVE-2011-0493 tor: multiple security flaws fixed in 0.2.1.29
Summary: CVE-2011-0015 CVE-2011-0016 CVE-2011-0427 CVE-2011-0490 CVE-2011-0491 CVE-201...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2011-0015, CVE-2011-0016, CVE-2011-0427, CVE-2011-0490, CVE-2011-0491, CVE-2011-0492, CVE-2011-0493
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 671263
Blocks:
Reported: 2011-01-20 21:42 UTC by Vincent Danen
Modified: 2019-09-29 12:42 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-05-31 03:13:59 UTC
Embargoed:



Description Vincent Danen 2011-01-20 21:42:21 UTC
Tor 0.2.1.29 fixes a number of security flaws, as noted below:

http://blog.torproject.org/blog/tor-02129-released-security-patches
https://gitweb.torproject.org/tor.git/blob/refs/heads/release-0.2.2:/ChangeLog

The specifics of the CVEs are as follows:

* Name: CVE-2011-0015
* Reference: https://trac.torproject.org/projects/tor/ticket/2324

Tor before 0.2.1.29 and 0.2.2.x before 0.2.2.21-alpha does not
properly check the amount of compression in zlib-compressed data,
which allows remote attackers to cause a denial of service via a large
compression factor.


* Name: CVE-2011-0016
* Reference: https://trac.torproject.org/projects/tor/ticket/2384
* Reference: https://trac.torproject.org/projects/tor/ticket/2385

Tor before 0.2.1.29 and 0.2.2.x before 0.2.2.21-alpha does not
properly manage key data in memory, which might allow local users to
obtain sensitive information by leveraging the ability to read memory
that was previously used by a different process.


* Name: CVE-2011-0427

Heap-based buffer overflow in Tor before 0.2.1.29 and 0.2.2.x before
0.2.2.21-alpha allows remote attackers to cause a denial of service
(memory corruption and application crash) or possibly execute
arbitrary code via unspecified vectors.


* Name: CVE-2011-0490
* Reference: https://trac.torproject.org/projects/tor/ticket/2190

Tor before 0.2.1.29 and 0.2.2.x before 0.2.2.21-alpha makes calls to
Libevent within Libevent log handlers, which might allow remote
attackers to cause a denial of service (daemon crash) via vectors that
trigger certain log messages.


* Name: CVE-2011-0491
* Reference: https://trac.torproject.org/projects/tor/ticket/2324

The tor_realloc function in Tor before 0.2.1.29 and 0.2.2.x before
0.2.2.21-alpha does not validate a certain size value during memory
allocation, which might allow remote attackers to cause a denial of
service (daemon crash) via unspecified vectors, related to "underflow
errors."


* Name: CVE-2011-0492
* Reference: https://trac.torproject.org/projects/tor/ticket/2326

Tor before 0.2.1.29 and 0.2.2.x before 0.2.2.21-alpha allows remote
attackers to cause a denial of service (assertion failure and daemon
exit) via blobs that trigger a certain file size, as demonstrated by
the cached-descriptors.new file.


* Name: CVE-2011-0493
* Reference: https://trac.torproject.org/projects/tor/ticket/2352

Tor before 0.2.1.29 and 0.2.2.x before 0.2.2.21-alpha might allow
remote attackers to cause a denial of service (assertion failure and
daemon exit) via vectors related to malformed router caches and
improper handling of integer values.
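
The check whose absence CVE-2011-0015 describes, sketched in Python as an added illustration. It is not Tor's code (Tor is written in C), and the names `bounded_inflate`, `MAX_RATIO`, `CHECK_AFTER` and `CHUNK` with their values are assumptions of this example.

```python
import zlib

# Assumed limits for this illustration; they are not values from the page.
MAX_RATIO = 25            # largest tolerated output/input size factor
CHECK_AFTER = 64 * 1024   # ignore the ratio until this much output exists
CHUNK = 16 * 1024         # cap on output produced per decompress() call


class CompressionBombError(ValueError):
    """Output is implausibly large relative to the input consumed."""


def bounded_inflate(data, max_ratio=MAX_RATIO, check_after=CHECK_AFTER):
    """Inflate a zlib stream in bounded steps, aborting on a huge ratio."""
    d = zlib.decompressobj()
    out = bytearray()
    buf = data
    while buf and not d.eof:
        # max_length bounds memory growth per step; leftover input is
        # returned in unconsumed_tail and fed back on the next pass.
        out += d.decompress(buf, CHUNK)
        buf = d.unconsumed_tail
        consumed = len(data) - len(buf) - len(d.unused_data)
        if len(out) > check_after and len(out) > max_ratio * consumed:
            raise CompressionBombError(
                f"{len(out)} bytes out from {consumed} bytes in")
    out += d.flush()  # input is exhausted here, so this stays small
    if not d.eof:
        raise ValueError("truncated zlib stream")
    return bytes(out)


if __name__ == "__main__":
    # Constructed samples: a small document and a highly compressible blob.
    doc = b"router example 10.0.0.1 9001\n" * 50
    assert bounded_inflate(zlib.compress(doc)) == doc
    blob = zlib.compress(bytes(10_000_000), 9)
    try:
        bounded_inflate(blob)
    except CompressionBombError as exc:
        print("rejected:", exc)
```

Because the ratio is tested after every bounded step, the oversized input is rejected after roughly 80 KB of output instead of after the full 10 MB has been allocated.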

Comment 1 Vincent Danen 2011-01-20 21:50:48 UTC
Fedora currently has 0.2.1.29 in testing, so once those have hit stable, Fedora is taken care of.

EPEL5 has quite an old version of tor (0.2.1.19) and is vulnerable to these flaws.

Comment 2 Vincent Danen 2011-01-20 21:52:03 UTC
Created tor tracking bugs for this issue

Affects: epel-5 [bug 671263]

Comment 4 Vincent Danen 2011-05-16 22:22:56 UTC
Please see bug #705192; we need to update to 0.2.1.30.  Thanks.

Comment 5 Paul Wouters 2013-05-31 03:13:59 UTC
Fixed a long time ago.

