Arch Linux 811 Published by

A tor security update has been released for Arch Linux.



ASA-202106-50: tor: denial of service


Arch Linux Security Advisory ASA-202106-50
=========================================
Severity: Medium
Date : 2021-06-22
CVE-ID : CVE-2021-34548 CVE-2021-34549 CVE-2021-34550
Package : tor
Type : denial of service
Remote : Yes
Link :   https://security.archlinux.org/AVG-2075

Summary
======
The package tor before version 0.4.5.9-1 is vulnerable to denial of
service.

Resolution
=========
Upgrade to 0.4.5.9-1.

# pacman -Syu "tor>=0.4.5.9-1"

The problems have been fixed upstream in version 0.4.5.9.

Workaround
=========
None.

Description
==========
- CVE-2021-34548 (denial of service)

A security issue has been found in Tor before version 0.4.5.9. Relays
could spoof RELAY_END or RELAY_RESOLVED cell on half-closed streams
because clients failed to validate which hop sent these cells. This
would allow a relay on a circuit to end a stream that wasn't actually
built with it.

- CVE-2021-34549 (denial of service)

A security issue has been found in Tor before version 0.4.5.9 that
could be exploited for a hashtable-based CPU denial-of-service attack
against relays. Previously a naive unkeyed hash function to look up
circuits in a circuitmux object was used. An attacker could exploit
this to construct circuits with chosen circuit IDs, to create
collisions and make the hash table inefficient. Now a SipHash
construction is used instead.

- CVE-2021-34550 (denial of service)

A security issue has been found in Tor before version 0.4.5.9. An out-
of-bounds memory access in the v3 onion service descriptor parsing
could be exploited by crafting an onion service descriptor that would
crash any client that tried to visit it.

Impact
=====
A malicious relay could terminate client connections through crafted
cells, leading to denial of service. A malicious client could cause
denial of service on a relay through high resource usage using crafted
circuit IDs. Lastly, clients could be crashed through crafted onion
service descriptors.

References
=========
  https://blog.torproject.org/node/2041
  https://gitlab.torproject.org/tpo/core/tor/-/issues/40389
  https://gitlab.torproject.org/tpo/core/tor/-/commit/adb248b6d6e0779719e6b873ee12a1e22fa390f4
  https://gitlab.torproject.org/tpo/core/tor/-/issues/40391
  https://gitlab.torproject.org/tpo/core/tor/-/commit/4c06c619faceb5d158a725d97fda45cadb2cf9c9
  https://gitlab.torproject.org/tpo/core/tor/-/issues/40392
  https://gitlab.torproject.org/tpo/core/tor/-/commit/f57b5c48e0aa01acd84a194fe4657a0d1cee04cf
  https://security.archlinux.org/CVE-2021-34548
  https://security.archlinux.org/CVE-2021-34549
  https://security.archlinux.org/CVE-2021-34550