Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package tor:

unblock tor/0.2.5.12-1

This version fixes several hidden-service-related denial-of-service bugs
that have already been fixed in stable with DSA 3216-1:

- disgleirio discovered that a malicious client could trigger an
  assertion failure in a Tor instance providing a hidden service, thus
  rendering the service inaccessible.
  [CVE-2015-2928]

- DonnchaC discovered that Tor clients would crash with an assertion
  failure upon parsing specially crafted hidden service descriptors.
  [CVE-2015-2929]

- Introduction points would accept multiple INTRODUCE1 cells on one
  circuit, making it inexpensive for an attacker to overload a hidden
  service with introductions.  Introduction points no longer allow
  multiple such cells on the same circuit.

A complete debdiff of the source package to 0.2.5.11-1, the version
currently in jessie, is attached.

For your consideration,
weasel
diff -Nru tor-0.2.5.11/ChangeLog tor-0.2.5.12/ChangeLog
--- tor-0.2.5.11/ChangeLog	2015-03-17 14:39:09.000000000 +0100
+++ tor-0.2.5.12/ChangeLog	2015-04-06 15:57:54.000000000 +0200
@@ -1,3 +1,27 @@
+Changes in version 0.2.5.12 - 2015-04-06
+  Tor 0.2.5.12 backports two fixes from 0.2.6.7 for security issues that
+  could be used by an attacker to crash hidden services, or crash clients
+  visiting hidden services. Hidden services should upgrade as soon as
+  possible; clients should upgrade whenever packages become available.
+
+  This release also backports a simple improvement to make hidden
+  services a bit less vulnerable to denial-of-service attacks.
+
+  o Major bugfixes (security, hidden service):
+    - Fix an issue that would allow a malicious client to trigger an
+      assertion failure and halt a hidden service. Fixes bug 15600;
+      bugfix on 0.2.1.6-alpha. Reported by "disgleirio".
+    - Fix a bug that could cause a client to crash with an assertion
+      failure when parsing a malformed hidden service descriptor. Fixes
+      bug 15601; bugfix on 0.2.1.5-alpha. Found by "DonnchaC".
+
+  o Minor features (DoS-resistance, hidden service):
+    - Introduction points no longer allow multiple INTRODUCE1 cells to
+      arrive on the same circuit. This should make it more expensive for
+      attackers to overwhelm hidden services with introductions.
+      Resolves ticket 15515.
+
+
 Changes in version 0.2.5.11 - 2015-03-17
   Tor 0.2.5.11 is the second stable release in the 0.2.5 series.
 
diff -Nru tor-0.2.5.11/ReleaseNotes tor-0.2.5.12/ReleaseNotes
--- tor-0.2.5.11/ReleaseNotes	2015-03-17 14:39:31.000000000 +0100
+++ tor-0.2.5.12/ReleaseNotes	2015-04-06 15:57:44.000000000 +0200
@@ -2,6 +2,30 @@
 of Tor. If you want to see more detailed descriptions of the changes in
 each development snapshot, see the ChangeLog file.
 
+Changes in version 0.2.5.12 - 2015-04-06
+  Tor 0.2.5.12 backports two fixes from 0.2.6.7 for security issues that
+  could be used by an attacker to crash hidden services, or crash clients
+  visiting hidden services. Hidden services should upgrade as soon as
+  possible; clients should upgrade whenever packages become available.
+
+  This release also backports a simple improvement to make hidden
+  services a bit less vulnerable to denial-of-service attacks.
+
+  o Major bugfixes (security, hidden service):
+    - Fix an issue that would allow a malicious client to trigger an
+      assertion failure and halt a hidden service. Fixes bug 15600;
+      bugfix on 0.2.1.6-alpha. Reported by "disgleirio".
+    - Fix a bug that could cause a client to crash with an assertion
+      failure when parsing a malformed hidden service descriptor. Fixes
+      bug 15601; bugfix on 0.2.1.5-alpha. Found by "DonnchaC".
+
+  o Minor features (DoS-resistance, hidden service):
+    - Introduction points no longer allow multiple INTRODUCE1 cells to
+      arrive on the same circuit. This should make it more expensive for
+      attackers to overwhelm hidden services with introductions.
+      Resolves ticket 15515.
+
+
 Changes in version 0.2.5.11 - 2015-03-17
   Tor 0.2.5.11 is the second stable release in the 0.2.5 series.
 
diff -Nru tor-0.2.5.11/configure tor-0.2.5.12/configure
--- tor-0.2.5.11/configure	2015-03-12 17:56:50.000000000 +0100
+++ tor-0.2.5.12/configure	2015-04-06 16:04:40.000000000 +0200
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for tor 0.2.5.11.
+# Generated by GNU Autoconf 2.69 for tor 0.2.5.12.
 #
 #
 # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -577,8 +577,8 @@
 # Identity of this package.
 PACKAGE_NAME='tor'
 PACKAGE_TARNAME='tor'
-PACKAGE_VERSION='0.2.5.11'
-PACKAGE_STRING='tor 0.2.5.11'
+PACKAGE_VERSION='0.2.5.12'
+PACKAGE_STRING='tor 0.2.5.12'
 PACKAGE_BUGREPORT=''
 PACKAGE_URL=''
 
@@ -1374,7 +1374,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures tor 0.2.5.11 to adapt to many kinds of systems.
+\`configure' configures tor 0.2.5.12 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1444,7 +1444,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of tor 0.2.5.11:";;
+     short | recursive ) echo "Configuration of tor 0.2.5.12:";;
    esac
   cat <<\_ACEOF
 
@@ -1593,7 +1593,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-tor configure 0.2.5.11
+tor configure 0.2.5.12
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2298,7 +2298,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by tor $as_me 0.2.5.11, which was
+It was created by tor $as_me 0.2.5.12, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -3163,7 +3163,7 @@
 
 # Define the identity of the package.
  PACKAGE='tor'
- VERSION='0.2.5.11'
+ VERSION='0.2.5.12'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -13220,7 +13220,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by tor $as_me 0.2.5.11, which was
+This file was extended by tor $as_me 0.2.5.12, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -13286,7 +13286,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-tor config.status 0.2.5.11
+tor config.status 0.2.5.12
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff -Nru tor-0.2.5.11/configure.ac tor-0.2.5.12/configure.ac
--- tor-0.2.5.11/configure.ac	2015-03-12 17:49:50.000000000 +0100
+++ tor-0.2.5.12/configure.ac	2015-04-06 15:57:08.000000000 +0200
@@ -3,7 +3,7 @@
 dnl Copyright (c) 2007-2013, The Tor Project, Inc.
 dnl See LICENSE for licensing information
 
-AC_INIT([tor],[0.2.5.11])
+AC_INIT([tor],[0.2.5.12])
 AC_CONFIG_SRCDIR([src/or/main.c])
 AC_CONFIG_MACRO_DIR([m4])
 AM_INIT_AUTOMAKE
diff -Nru tor-0.2.5.11/contrib/win32build/tor-mingw.nsi.in tor-0.2.5.12/contrib/win32build/tor-mingw.nsi.in
--- tor-0.2.5.11/contrib/win32build/tor-mingw.nsi.in	2015-03-12 17:49:50.000000000 +0100
+++ tor-0.2.5.12/contrib/win32build/tor-mingw.nsi.in	2015-04-06 15:57:08.000000000 +0200
@@ -8,7 +8,7 @@
 !include "LogicLib.nsh"
 !include "FileFunc.nsh"
 !insertmacro GetParameters
-!define VERSION "0.2.5.11"
+!define VERSION "0.2.5.12"
 !define INSTALLER "tor-${VERSION}-win32.exe"
 !define WEBSITE "https://www.torproject.org/";
 !define LICENSE "LICENSE"
diff -Nru tor-0.2.5.11/debian/changelog tor-0.2.5.12/debian/changelog
--- tor-0.2.5.11/debian/changelog	2015-04-06 23:10:00.000000000 +0200
+++ tor-0.2.5.12/debian/changelog	2015-04-06 23:10:00.000000000 +0200
@@ -1,3 +1,15 @@
+tor (0.2.5.12-1) unstable; urgency=medium
+
+  * New upstream version, fixing hidden service related Denial of
+    Service bugs:
+    - Fix two remotely triggerable assertion failures (upstream bugs
+      #15600 and #15601).
+    - Disallow multiple INTRODUCE1 cells on the same circuit at introduction
+      points, making overwhelming hidden services with introductions more
+      expensive (upstream bug #15515).
+
+ -- Peter Palfrader <wea...@debian.org>  Mon, 06 Apr 2015 17:20:40 +0200
+
 tor (0.2.5.11-1) unstable; urgency=medium
 
   * New upstream version.
diff -Nru tor-0.2.5.11/debian/micro-revision.i tor-0.2.5.12/debian/micro-revision.i
--- tor-0.2.5.11/debian/micro-revision.i	2015-04-06 23:10:00.000000000 +0200
+++ tor-0.2.5.12/debian/micro-revision.i	2015-04-06 23:10:00.000000000 +0200
@@ -1 +1 @@
-"4c631772c5fcaa0a"
+"3731dd5c3071dcba"
diff -Nru tor-0.2.5.11/micro-revision.i tor-0.2.5.12/micro-revision.i
--- tor-0.2.5.11/micro-revision.i	2015-03-17 14:43:51.000000000 +0100
+++ tor-0.2.5.12/micro-revision.i	2015-04-06 16:04:55.000000000 +0200
@@ -1 +1 @@
-"cfb61f909a53c4eb"
+"99d0579ff5e0349f"
diff -Nru tor-0.2.5.11/src/or/or.h tor-0.2.5.12/src/or/or.h
--- tor-0.2.5.11/src/or/or.h	2015-03-12 17:49:50.000000000 +0100
+++ tor-0.2.5.12/src/or/or.h	2015-04-06 15:31:07.000000000 +0200
@@ -3186,6 +3186,9 @@
    * to the specification? */
   unsigned int remaining_relay_early_cells : 4;
 
+  /* We have already received an INTRODUCE1 cell on this circuit. */
+  unsigned int already_received_introduce1 : 1;
+
   /** True iff this circuit was made with a CREATE_FAST cell. */
   unsigned int is_first_hop : 1;
 
diff -Nru tor-0.2.5.11/src/or/or_sha1.i tor-0.2.5.12/src/or/or_sha1.i
--- tor-0.2.5.11/src/or/or_sha1.i	2015-03-12 18:10:59.000000000 +0100
+++ tor-0.2.5.12/src/or/or_sha1.i	2015-04-06 15:50:18.000000000 +0200
@@ -40,14 +40,14 @@
 "d1aaa56a945408cc2cb56b7b85c46797e14ddaa4  src/or/reasons.c\n"
 "08b50d1f2bba4b9488e5a6fbd00e56cefc7eedeb  src/or/relay.c\n"
 "ca4771974f9cc944af02b158debd0a462c7878e2  src/or/rendclient.c\n"
-"d55461d67378f11b97d593a77d22bbfcf63ea7dc  src/or/rendcommon.c\n"
-"71e6cf8f3cccaa21375fbf53e16f4d4b26a4fb7e  src/or/rendmid.c\n"
-"28010c1000c9b388785d1b262b104a46e4bdd331  src/or/rendservice.c\n"
+"e57f8cbbf60ced0e7b833ced2909d7c0ac78b2c9  src/or/rendcommon.c\n"
+"bb6e5d542cb280d313a02a5582a8c89f734d4ef2  src/or/rendmid.c\n"
+"35b72cf4f5baada5a682c9cad5dc23a30f69898f  src/or/rendservice.c\n"
 "97cc7596f92bb7087dd0a804808f699cd4ceb1ad  src/or/rephist.c\n"
 "d58afa23a92c38557b8b57084fe70c919869ca89  src/or/replaycache.c\n"
 "fbf6d291c383f41ba27341ccf7992c9854680ccb  src/or/router.c\n"
 "609c911bf2adfd6882653d22e16a730a09fb57e1  src/or/routerlist.c\n"
-"e97c4a144832c6c8fd49c5ee9edaf917c0d671c7  src/or/routerparse.c\n"
+"38fae5ab42c96e4e27811f996e372e544700ebf0  src/or/routerparse.c\n"
 "b054456aec98b6a62530ac89c26d904f130e291a  src/or/routerset.c\n"
 "37f35d692f088efd623d43de7b74fc1bc96ee9ea  src/or/statefile.c\n"
 "1fc9dbc01196714bea89a335040882ffb6874544  src/or/status.c\n"
@@ -92,7 +92,7 @@
 "33245d34d6bfbc6c8c700264318c5a594716b5d8  src/or/onion_fast.h\n"
 "e0ccc9ed34e5f206f5ea57847c4e41a19f7ad2b3  src/or/onion_ntor.h\n"
 "485bf9e2effe89a3f41b28fbd9d80a57ce339cbf  src/or/onion_tap.h\n"
-"224b41517a7e5115777fbe10e32fbd79e72df2d0  src/or/or.h\n"
+"169db0a79fa47f9f5a314a9dfd6aeb91fc06424a  src/or/or.h\n"
 "cb3bef4fc90263eb0e0e15fb3f4bf7c06b49712b  src/or/transports.h\n"
 "1f345df3b6f89db0f35eb85225e496bfbabb4c25  src/or/policies.h\n"
 "c492ec75acc2dd3365d79b1c72f350aabdc03196  src/or/reasons.h\n"
diff -Nru tor-0.2.5.11/src/or/rendcommon.c tor-0.2.5.12/src/or/rendcommon.c
--- tor-0.2.5.11/src/or/rendcommon.c	2015-03-12 17:49:50.000000000 +0100
+++ tor-0.2.5.12/src/or/rendcommon.c	2015-04-06 15:31:09.000000000 +0200
@@ -1087,7 +1087,7 @@
     goto err;
   }
   /* Decode/decrypt introduction points. */
-  if (intro_content) {
+  if (intro_content && intro_size > 0) {
     int n_intro_points;
     if (rend_query->auth_type != REND_NO_AUTH &&
         !tor_mem_is_zero(rend_query->descriptor_cookie,
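Review bot: The added `intro_size > 0` guard at L289 makes a descriptor whose introduction-point section is present but zero-length take the same path as one with no section at all, instead of being rejected as malformed; the `else` branch handling that case is outside the hunk, so I cannot tell whether such a descriptor then ends up in the client cache with no introduction points. If it does, consider rejecting it explicitly, e.g. `if (intro_content && intro_size == 0) { log_warn(LD_REND, "Descriptor has an empty introduction point section."); goto err; }` ahead of this check. A short why-comment would also help, e.g. `/* A zero-length list must not reach the intro-point parser (bug 15601). */` — the link to bug 15601 is inferred from the ChangeLog and the routerparse.c change in this same diff, not visible at this call site. The enclosing function starts and ends outside the hunk.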
diff -Nru tor-0.2.5.11/src/or/rendmid.c tor-0.2.5.12/src/or/rendmid.c
--- tor-0.2.5.11/src/or/rendmid.c	2015-03-12 17:49:50.000000000 +0100
+++ tor-0.2.5.12/src/or/rendmid.c	2015-04-06 15:31:07.000000000 +0200
@@ -149,6 +149,20 @@
     goto err;
   }
 
+  /* We have already done an introduction on this circuit but we just
+     received a request for another one. We block it since this might
+     be an attempt to DoS a hidden service (#15515). */
+  if (circ->already_received_introduce1) {
+    log_fn(LOG_PROTOCOL_WARN, LD_REND,
+           "Blocking multiple introductions on the same circuit. "
+           "Someone might be trying to attack a hidden service through "
+           "this relay.");
+    circuit_mark_for_close(TO_CIRCUIT(circ), END_CIRC_REASON_TORPROTOCOL);
+    return -1;
+  }
+
+  circ->already_received_introduce1 = 1;
+
   /* We could change this to MAX_HEX_NICKNAME_LEN now that 0.0.9.x is
    * obsolete; however, there isn't much reason to do so, and we're going
    * to revise this protocol anyway.
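Review bot: The new block at L303-L310 marks the circuit for close and returns -1 inline, whereas the preceding validation in this function uses `goto err` (L297); if the `err` label, which is outside the hunk, also closes the circuit with END_CIRC_REASON_TORPROTOCOL, the block should simply end with `goto err;` for consistency, and if it uses a different reason the divergence deserves a one-line comment. Note also that the flag is set at L312 before the rest of the cell is parsed, so a circuit whose first INTRODUCE1 is later rejected still counts as having introduced; that is harmless only if every later rejection path closes the circuit, which is worth confirming against the `err` label. The enclosing function starts before and ends after this hunk.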
diff -Nru tor-0.2.5.11/src/or/rendservice.c tor-0.2.5.12/src/or/rendservice.c
--- tor-0.2.5.11/src/or/rendservice.c	2015-03-12 17:49:50.000000000 +0100
+++ tor-0.2.5.12/src/or/rendservice.c	2015-04-06 15:31:09.000000000 +0200
@@ -1819,6 +1819,16 @@
 
     goto err;
   }
+  if (128 != crypto_pk_keysize(extend_info->onion_key)) {
+    if (err_msg_out) {
+      tor_asprintf(err_msg_out,
+                   "invalid onion key size in version %d INTRODUCE%d cell",
+                   intro->version,
+                   (intro->type));
+    }
+
+    goto err;
+  }
 
   ver_specific_len = 7+DIGEST_LEN+2+klen;
 
diff -Nru tor-0.2.5.11/src/or/routerparse.c tor-0.2.5.12/src/or/routerparse.c
--- tor-0.2.5.11/src/or/routerparse.c	2015-03-12 17:49:50.000000000 +0100
+++ tor-0.2.5.12/src/or/routerparse.c	2015-04-06 15:31:09.000000000 +0200
@@ -4684,7 +4684,7 @@
                                size_t intro_points_encoded_size)
 {
   const char *current_ipo, *end_of_intro_points;
-  smartlist_t *tokens;
+  smartlist_t *tokens = NULL;
   directory_token_t *tok;
   rend_intro_point_t *intro;
   extend_info_t *info;
@@ -4693,8 +4693,10 @@
   tor_assert(parsed);
   /** Function may only be invoked once. */
   tor_assert(!parsed->intro_nodes);
-  tor_assert(intro_points_encoded);
-  tor_assert(intro_points_encoded_size > 0);
+  if (!intro_points_encoded || intro_points_encoded_size == 0) {
+    log_warn(LD_REND, "Empty or zero size introduction point list");
+    goto err;
+  }
   /* Consider one intro point after the other. */
   current_ipo = intro_points_encoded;
   end_of_intro_points = intro_points_encoded + intro_points_encoded_size;
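Review bot: The new early `goto err` at L355-L358 now runs before any of the function's working state is set up, so every local that the `done` cleanup (in the following hunk) touches must be initialised at its declaration; `tokens` now is (L345), but `area` and the function's result variable are declared in the two lines between this hunk and the next, which are not shown, so confirm they are initialised to NULL / an error value before this jump, and that `err` does not free `intro` or `info`, which remain uninitialised at L347-L348. Turning the two `tor_assert`s into a logged error is the right fix for remotely supplied descriptor data, but `log_warn` at L356 fires once per malformed descriptor a peer sends; `log_fn(LOG_PROTOCOL_WARN, LD_REND, "Empty or zero size introduction point list")`, as rendmid.c uses in this same release, may be the better level. The enclosing function starts before and ends after this hunk.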
@@ -4798,8 +4800,10 @@
 
  done:
   /* Free tokens and clear token list. */
-  SMARTLIST_FOREACH(tokens, directory_token_t *, t, token_clear(t));
-  smartlist_free(tokens);
+  if (tokens) {
+    SMARTLIST_FOREACH(tokens, directory_token_t *, t, token_clear(t));
+    smartlist_free(tokens);
+  }
   if (area)
     memarea_drop_all(area);
 
diff -Nru tor-0.2.5.11/src/win32/orconfig.h tor-0.2.5.12/src/win32/orconfig.h
--- tor-0.2.5.11/src/win32/orconfig.h	2015-03-12 17:49:50.000000000 +0100
+++ tor-0.2.5.12/src/win32/orconfig.h	2015-04-06 15:57:08.000000000 +0200
@@ -241,7 +241,7 @@
 #define USING_TWOS_COMPLEMENT
 
 /* Version number of package */
-#define VERSION "0.2.5.11"
+#define VERSION "0.2.5.12"
 
 
 
