Bug 849949 - (CVE-2012-3517, CVE-2012-3518, CVE-2012-3519) CVE-2012-3517 tor: Read from freed memory and double free by processing failed DNS request
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20120819,repor...
Keywords: Security
Depends On: 849952
Blocks:
Reported: 2012-08-21 06:00 EDT by Jan Lieskovsky
Modified: 2013-05-30 23:08 EDT
Fixed In Version: tor 0.2.2.38
Doc Type: Bug Fix
Last Closed: 2013-05-30 23:08:16 EDT

Description Jan Lieskovsky 2012-08-21 06:00:45 EDT
A read from already freed memory and a double free flaw were found in the way Tor, a connection-based low-latency anonymous communication system, performed processing of certain failing DNS requests. A remote attacker could issue a specially-crafted DNS request that, when processed, would lead to a tor executable crash.

Upstream ticket:
[1] https://trac.torproject.org/projects/tor/ticket/6480

Relevant patch:
[2] https://gitweb.torproject.org/tor.git/commitdiff/62637fa22405278758febb1743da9af562524d4c

References:
[3] https://lists.torproject.org/pipermail/tor-announce/2012-August/000086.html
[4] https://bugzilla.novell.com/show_bug.cgi?id=776642
Comment 1 Jan Lieskovsky 2012-08-21 06:03:18 EDT
This issue affects the version of the tor package shipped with Fedora EPEL 5. Please schedule an update.

--

The tor package versions shipped in Fedora 16 and Fedora 17 have already been updated to the upstream 0.2.2.38 version.
Comment 2 Jan Lieskovsky 2012-08-21 06:04:14 EDT
Created tor tracking bugs for this issue

Affects: epel-5 [bug 849952]
Comment 3 Jan Lieskovsky 2012-08-21 06:13:47 EDT
For the other two issues corrected in the 0.2.2.38 version:
https://lists.torproject.org/pipermail/tor-announce/2012-August/000086.html

2) tor: Uninitialized memory read by reading vote or consensus document with unrecognized flavor name
----------------------------------------------------------------------------------------------------
Upstream ticket:
[5] https://trac.torproject.org/projects/tor/ticket/6530

Relevant patches:
[6] https://gitweb.torproject.org/tor.git/commitdiff/57e35ad3d91724882c345ac709666a551a977f0f
[7] https://gitweb.torproject.org/tor.git/commitdiff/55f635745afacefffdaafc72cc176ca7ab817546

References:
[8] https://lists.torproject.org/pipermail/tor-announce/2012-August/000086.html
[9] https://bugzilla.novell.com/show_bug.cgi?id=776642

and

3) tor: Client's relays path information leak
---------------------------------------------
Upstream ticket:
[10] https://trac.torproject.org/projects/tor/ticket/6537

Relevant patches:
[11] https://gitweb.torproject.org/tor.git/commitdiff/308f6dad20675c42b29862f4269ad1fbfb00dc9a
[12] https://gitweb.torproject.org/tor.git/commitdiff/d48cebc5e498b0ae673635f40fc57cdddab45d5b

References:
[13] https://lists.torproject.org/pipermail/tor-announce/2012-August/000086.html
[14] https://bugzilla.novell.com/show_bug.cgi?id=776642

The relevant patches are not yet applicable to the source code base of the tor package version shipped with Fedora EPEL 5 (it is not affected by the 2) and 3) flaws). The 2) and 3) flaws are also already corrected in the Fedora 16 and Fedora 17 tor package versions.
Comment 4 Jan Lieskovsky 2012-08-21 06:14:31 EDT
CVE request:
http://www.openwall.com/lists/oss-security/2012/08/21/3
Comment 6 Kurt Seifried 2012-08-26 21:48:19 EDT
Added additional CVEs

http://www.openwall.com/lists/oss-security/2012/08/21/6
Comment 7 Fedora Update System 2012-09-23 23:21:23 EDT
tor-0.2.2.39-1800.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2013-02-03 08:38:43 EST
tor-0.2.2.39-1700.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
