
Bug#782044: marked as done (unblock: tor/0.2.5.12-1)



Your message dated Tue, 07 Apr 2015 05:40:41 +0100
with message-id <1428381641.2113.9.camel@adam-barratt.org.uk>
and subject line Re: Bug#782044: unblock: tor/0.2.5.12-1
has caused the Debian Bug report #782044,
regarding unblock: tor/0.2.5.12-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
782044: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782044
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package tor:

unblock tor/0.2.5.12-1

This version fixes several hidden service related denial of service bugs
that have been fixed in stable with DSA 3216-1:

- disgleirio discovered that a malicious client could trigger an
  assertion failure in a Tor instance providing a hidden service, thus
  rendering the service inaccessible.
  [CVE-2015-2928]

- DonnchaC discovered that Tor clients would crash with an assertion
  failure upon parsing specially crafted hidden service descriptors.
  [CVE-2015-2929]

- Introduction points would accept multiple INTRODUCE1 cells on one
  circuit, making it inexpensive for an attacker to overload a hidden
  service with introductions.  Introduction points no longer allow
  multiple such cells on the same circuit.

A complete debdiff of the source package to 0.2.5.11-1, the version
currently in jessie, is attached.

For your consideration,
weasel
diff -Nru tor-0.2.5.11/ChangeLog tor-0.2.5.12/ChangeLog
--- tor-0.2.5.11/ChangeLog	2015-03-17 14:39:09.000000000 +0100
+++ tor-0.2.5.12/ChangeLog	2015-04-06 15:57:54.000000000 +0200
@@ -1,3 +1,27 @@
+Changes in version 0.2.5.12 - 2015-04-06
+  Tor 0.2.5.12 backports two fixes from 0.2.6.7 for security issues that
+  could be used by an attacker to crash hidden services, or crash clients
+  visiting hidden services. Hidden services should upgrade as soon as
+  possible; clients should upgrade whenever packages become available.
+
+  This release also backports a simple improvement to make hidden
+  services a bit less vulnerable to denial-of-service attacks.
+
+  o Major bugfixes (security, hidden service):
+    - Fix an issue that would allow a malicious client to trigger an
+      assertion failure and halt a hidden service. Fixes bug 15600;
+      bugfix on 0.2.1.6-alpha. Reported by "disgleirio".
+    - Fix a bug that could cause a client to crash with an assertion
+      failure when parsing a malformed hidden service descriptor. Fixes
+      bug 15601; bugfix on 0.2.1.5-alpha. Found by "DonnchaC".
+
+  o Minor features (DoS-resistance, hidden service):
+    - Introduction points no longer allow multiple INTRODUCE1 cells to
+      arrive on the same circuit. This should make it more expensive for
+      attackers to overwhelm hidden services with introductions.
+      Resolves ticket 15515.
+
+
 Changes in version 0.2.5.11 - 2015-03-17
   Tor 0.2.5.11 is the second stable release in the 0.2.5 series.
 
diff -Nru tor-0.2.5.11/ReleaseNotes tor-0.2.5.12/ReleaseNotes
--- tor-0.2.5.11/ReleaseNotes	2015-03-17 14:39:31.000000000 +0100
+++ tor-0.2.5.12/ReleaseNotes	2015-04-06 15:57:44.000000000 +0200
@@ -2,6 +2,30 @@
 of Tor. If you want to see more detailed descriptions of the changes in
 each development snapshot, see the ChangeLog file.
 
+Changes in version 0.2.5.12 - 2015-04-06
+  Tor 0.2.5.12 backports two fixes from 0.2.6.7 for security issues that
+  could be used by an attacker to crash hidden services, or crash clients
+  visiting hidden services. Hidden services should upgrade as soon as
+  possible; clients should upgrade whenever packages become available.
+
+  This release also backports a simple improvement to make hidden
+  services a bit less vulnerable to denial-of-service attacks.
+
+  o Major bugfixes (security, hidden service):
+    - Fix an issue that would allow a malicious client to trigger an
+      assertion failure and halt a hidden service. Fixes bug 15600;
+      bugfix on 0.2.1.6-alpha. Reported by "disgleirio".
+    - Fix a bug that could cause a client to crash with an assertion
+      failure when parsing a malformed hidden service descriptor. Fixes
+      bug 15601; bugfix on 0.2.1.5-alpha. Found by "DonnchaC".
+
+  o Minor features (DoS-resistance, hidden service):
+    - Introduction points no longer allow multiple INTRODUCE1 cells to
+      arrive on the same circuit. This should make it more expensive for
+      attackers to overwhelm hidden services with introductions.
+      Resolves ticket 15515.
+
+
 Changes in version 0.2.5.11 - 2015-03-17
   Tor 0.2.5.11 is the second stable release in the 0.2.5 series.
 
diff -Nru tor-0.2.5.11/configure tor-0.2.5.12/configure
--- tor-0.2.5.11/configure	2015-03-12 17:56:50.000000000 +0100
+++ tor-0.2.5.12/configure	2015-04-06 16:04:40.000000000 +0200
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for tor 0.2.5.11.
+# Generated by GNU Autoconf 2.69 for tor 0.2.5.12.
 #
 #
 # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -577,8 +577,8 @@
 # Identity of this package.
 PACKAGE_NAME='tor'
 PACKAGE_TARNAME='tor'
-PACKAGE_VERSION='0.2.5.11'
-PACKAGE_STRING='tor 0.2.5.11'
+PACKAGE_VERSION='0.2.5.12'
+PACKAGE_STRING='tor 0.2.5.12'
 PACKAGE_BUGREPORT=''
 PACKAGE_URL=''
 
@@ -1374,7 +1374,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures tor 0.2.5.11 to adapt to many kinds of systems.
+\`configure' configures tor 0.2.5.12 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1444,7 +1444,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of tor 0.2.5.11:";;
+     short | recursive ) echo "Configuration of tor 0.2.5.12:";;
    esac
   cat <<\_ACEOF
 
@@ -1593,7 +1593,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-tor configure 0.2.5.11
+tor configure 0.2.5.12
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2298,7 +2298,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by tor $as_me 0.2.5.11, which was
+It was created by tor $as_me 0.2.5.12, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -3163,7 +3163,7 @@
 
 # Define the identity of the package.
  PACKAGE='tor'
- VERSION='0.2.5.11'
+ VERSION='0.2.5.12'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -13220,7 +13220,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by tor $as_me 0.2.5.11, which was
+This file was extended by tor $as_me 0.2.5.12, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -13286,7 +13286,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-tor config.status 0.2.5.11
+tor config.status 0.2.5.12
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff -Nru tor-0.2.5.11/configure.ac tor-0.2.5.12/configure.ac
--- tor-0.2.5.11/configure.ac	2015-03-12 17:49:50.000000000 +0100
+++ tor-0.2.5.12/configure.ac	2015-04-06 15:57:08.000000000 +0200
@@ -3,7 +3,7 @@
 dnl Copyright (c) 2007-2013, The Tor Project, Inc.
 dnl See LICENSE for licensing information
 
-AC_INIT([tor],[0.2.5.11])
+AC_INIT([tor],[0.2.5.12])
 AC_CONFIG_SRCDIR([src/or/main.c])
 AC_CONFIG_MACRO_DIR([m4])
 AM_INIT_AUTOMAKE
diff -Nru tor-0.2.5.11/contrib/win32build/tor-mingw.nsi.in tor-0.2.5.12/contrib/win32build/tor-mingw.nsi.in
--- tor-0.2.5.11/contrib/win32build/tor-mingw.nsi.in	2015-03-12 17:49:50.000000000 +0100
+++ tor-0.2.5.12/contrib/win32build/tor-mingw.nsi.in	2015-04-06 15:57:08.000000000 +0200
@@ -8,7 +8,7 @@
 !include "LogicLib.nsh"
 !include "FileFunc.nsh"
 !insertmacro GetParameters
-!define VERSION "0.2.5.11"
+!define VERSION "0.2.5.12"
 !define INSTALLER "tor-${VERSION}-win32.exe"
 !define WEBSITE "https://www.torproject.org/";
 !define LICENSE "LICENSE"
diff -Nru tor-0.2.5.11/debian/changelog tor-0.2.5.12/debian/changelog
--- tor-0.2.5.11/debian/changelog	2015-04-06 23:10:00.000000000 +0200
+++ tor-0.2.5.12/debian/changelog	2015-04-06 23:10:00.000000000 +0200
@@ -1,3 +1,15 @@
+tor (0.2.5.12-1) unstable; urgency=medium
+
+  * New upstream version, fixing hidden service related Denial of
+    Service bugs:
+    - Fix two remotely triggerable assertion failures (upstream bugs
+      #15600 and #15601).
+    - Disallow multiple INTRODUCE1 cells on the same circuit at introduction
+      points, making overwhelming hidden services with introductions more
+      expensive (upstream bug #15515).
+
+ -- Peter Palfrader <weasel@debian.org>  Mon, 06 Apr 2015 17:20:40 +0200
+
 tor (0.2.5.11-1) unstable; urgency=medium
 
   * New upstream version.
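Review bot: the changelog entry cites the upstream tickets (#15600, #15601, #15515) but not the CVE identifiers that the unblock request itself gives for the two assertion failures (CVE-2015-2928 and CVE-2015-2929); adding them to the entry lets the security tracker and DSA 3216-1 match this upload automatically, e.g. `- Fix two remotely triggerable assertion failures (upstream bugs #15600 and #15601, CVE-2015-2928, CVE-2015-2929).`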
diff -Nru tor-0.2.5.11/debian/micro-revision.i tor-0.2.5.12/debian/micro-revision.i
--- tor-0.2.5.11/debian/micro-revision.i	2015-04-06 23:10:00.000000000 +0200
+++ tor-0.2.5.12/debian/micro-revision.i	2015-04-06 23:10:00.000000000 +0200
@@ -1 +1 @@
-"4c631772c5fcaa0a"
+"3731dd5c3071dcba"
diff -Nru tor-0.2.5.11/micro-revision.i tor-0.2.5.12/micro-revision.i
--- tor-0.2.5.11/micro-revision.i	2015-03-17 14:43:51.000000000 +0100
+++ tor-0.2.5.12/micro-revision.i	2015-04-06 16:04:55.000000000 +0200
@@ -1 +1 @@
-"cfb61f909a53c4eb"
+"99d0579ff5e0349f"
diff -Nru tor-0.2.5.11/src/or/or.h tor-0.2.5.12/src/or/or.h
--- tor-0.2.5.11/src/or/or.h	2015-03-12 17:49:50.000000000 +0100
+++ tor-0.2.5.12/src/or/or.h	2015-04-06 15:31:07.000000000 +0200
@@ -3186,6 +3186,9 @@
    * to the specification? */
   unsigned int remaining_relay_early_cells : 4;
 
+  /* We have already received an INTRODUCE1 cell on this circuit. */
+  unsigned int already_received_introduce1 : 1;
+
   /** True iff this circuit was made with a CREATE_FAST cell. */
   unsigned int is_first_hop : 1;
 
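Review bot: style point on the new field: its comment is a plain `/* ... */` while every neighbouring field in this bitfield run is documented with a Doxygen `/** ... */` block (see `/** True iff this circuit was made with a CREATE_FAST cell. */` just below); write it as `/** True iff we have already received an INTRODUCE1 cell on this circuit. */` so the field appears in the generated documentation like the others.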
diff -Nru tor-0.2.5.11/src/or/or_sha1.i tor-0.2.5.12/src/or/or_sha1.i
--- tor-0.2.5.11/src/or/or_sha1.i	2015-03-12 18:10:59.000000000 +0100
+++ tor-0.2.5.12/src/or/or_sha1.i	2015-04-06 15:50:18.000000000 +0200
@@ -40,14 +40,14 @@
 "d1aaa56a945408cc2cb56b7b85c46797e14ddaa4  src/or/reasons.c\n"
 "08b50d1f2bba4b9488e5a6fbd00e56cefc7eedeb  src/or/relay.c\n"
 "ca4771974f9cc944af02b158debd0a462c7878e2  src/or/rendclient.c\n"
-"d55461d67378f11b97d593a77d22bbfcf63ea7dc  src/or/rendcommon.c\n"
-"71e6cf8f3cccaa21375fbf53e16f4d4b26a4fb7e  src/or/rendmid.c\n"
-"28010c1000c9b388785d1b262b104a46e4bdd331  src/or/rendservice.c\n"
+"e57f8cbbf60ced0e7b833ced2909d7c0ac78b2c9  src/or/rendcommon.c\n"
+"bb6e5d542cb280d313a02a5582a8c89f734d4ef2  src/or/rendmid.c\n"
+"35b72cf4f5baada5a682c9cad5dc23a30f69898f  src/or/rendservice.c\n"
 "97cc7596f92bb7087dd0a804808f699cd4ceb1ad  src/or/rephist.c\n"
 "d58afa23a92c38557b8b57084fe70c919869ca89  src/or/replaycache.c\n"
 "fbf6d291c383f41ba27341ccf7992c9854680ccb  src/or/router.c\n"
 "609c911bf2adfd6882653d22e16a730a09fb57e1  src/or/routerlist.c\n"
-"e97c4a144832c6c8fd49c5ee9edaf917c0d671c7  src/or/routerparse.c\n"
+"38fae5ab42c96e4e27811f996e372e544700ebf0  src/or/routerparse.c\n"
 "b054456aec98b6a62530ac89c26d904f130e291a  src/or/routerset.c\n"
 "37f35d692f088efd623d43de7b74fc1bc96ee9ea  src/or/statefile.c\n"
 "1fc9dbc01196714bea89a335040882ffb6874544  src/or/status.c\n"
@@ -92,7 +92,7 @@
 "33245d34d6bfbc6c8c700264318c5a594716b5d8  src/or/onion_fast.h\n"
 "e0ccc9ed34e5f206f5ea57847c4e41a19f7ad2b3  src/or/onion_ntor.h\n"
 "485bf9e2effe89a3f41b28fbd9d80a57ce339cbf  src/or/onion_tap.h\n"
-"224b41517a7e5115777fbe10e32fbd79e72df2d0  src/or/or.h\n"
+"169db0a79fa47f9f5a314a9dfd6aeb91fc06424a  src/or/or.h\n"
 "cb3bef4fc90263eb0e0e15fb3f4bf7c06b49712b  src/or/transports.h\n"
 "1f345df3b6f89db0f35eb85225e496bfbabb4c25  src/or/policies.h\n"
 "c492ec75acc2dd3365d79b1c72f350aabdc03196  src/or/reasons.h\n"
diff -Nru tor-0.2.5.11/src/or/rendcommon.c tor-0.2.5.12/src/or/rendcommon.c
--- tor-0.2.5.11/src/or/rendcommon.c	2015-03-12 17:49:50.000000000 +0100
+++ tor-0.2.5.12/src/or/rendcommon.c	2015-04-06 15:31:09.000000000 +0200
@@ -1087,7 +1087,7 @@
     goto err;
   }
   /* Decode/decrypt introduction points. */
-  if (intro_content) {
+  if (intro_content && intro_size > 0) {
     int n_intro_points;
     if (rend_query->auth_type != REND_NO_AUTH &&
         !tor_mem_is_zero(rend_query->descriptor_cookie,
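Review bot: with `intro_content && intro_size > 0`, a descriptor whose introduction-point section is present but empty is now treated exactly like one with no section at all and the decode is silently skipped; since the parser this guards used to assert on zero-length input, consider logging at protocol-warn level here so that a malformed descriptor stays visible to operators instead of quietly yielding a descriptor with no introduction points.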
diff -Nru tor-0.2.5.11/src/or/rendmid.c tor-0.2.5.12/src/or/rendmid.c
--- tor-0.2.5.11/src/or/rendmid.c	2015-03-12 17:49:50.000000000 +0100
+++ tor-0.2.5.12/src/or/rendmid.c	2015-04-06 15:31:07.000000000 +0200
@@ -149,6 +149,20 @@
     goto err;
   }
 
+  /* We have already done an introduction on this circuit but we just
+     received a request for another one. We block it since this might
+     be an attempt to DoS a hidden service (#15515). */
+  if (circ->already_received_introduce1) {
+    log_fn(LOG_PROTOCOL_WARN, LD_REND,
+           "Blocking multiple introductions on the same circuit. "
+           "Someone might be trying to attack a hidden service through "
+           "this relay.");
+    circuit_mark_for_close(TO_CIRCUIT(circ), END_CIRC_REASON_TORPROTOCOL);
+    return -1;
+  }
+
+  circ->already_received_introduce1 = 1;
+
   /* We could change this to MAX_HEX_NICKNAME_LEN now that 0.0.9.x is
    * obsolete; however, there isn't much reason to do so, and we're going
    * to revise this protocol anyway.
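Review bot: `circ->already_received_introduce1 = 1` is set before the remaining validation of this cell runs, so if any later `goto err` path in this function rejects the cell without closing the circuit, a subsequent well-formed INTRODUCE1 on the same circuit would now be refused too; confirm that every later error path closes the circuit, or move the assignment to the point where the cell is accepted. The LOG_PROTOCOL_WARN message followed by closing the circuit with END_CIRC_REASON_TORPROTOCOL is the right response, and that log line gives relay operators a usable signal that a hidden service is being flooded through them.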
diff -Nru tor-0.2.5.11/src/or/rendservice.c tor-0.2.5.12/src/or/rendservice.c
--- tor-0.2.5.11/src/or/rendservice.c	2015-03-12 17:49:50.000000000 +0100
+++ tor-0.2.5.12/src/or/rendservice.c	2015-04-06 15:31:09.000000000 +0200
@@ -1819,6 +1819,16 @@
 
     goto err;
   }
+  if (128 != crypto_pk_keysize(extend_info->onion_key)) {
+    if (err_msg_out) {
+      tor_asprintf(err_msg_out,
+                   "invalid onion key size in version %d INTRODUCE%d cell",
+                   intro->version,
+                   (intro->type));
+    }
+
+    goto err;
+  }
 
   ver_specific_len = 7+DIGEST_LEN+2+klen;
 
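Review bot: the bare `128` in `if (128 != crypto_pk_keysize(extend_info->onion_key))` should be a named constant for the expected 1024-bit RSA onion key size, so the intent is clear and the check stays in step with any future key-size change; the parentheses around `intro->type` in the `tor_asprintf` call are redundant. The shape of the fix is right: a key of unexpected size supplied by the remote party is rejected at parse time with an error message rather than being allowed to reach an assertion later.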
diff -Nru tor-0.2.5.11/src/or/routerparse.c tor-0.2.5.12/src/or/routerparse.c
--- tor-0.2.5.11/src/or/routerparse.c	2015-03-12 17:49:50.000000000 +0100
+++ tor-0.2.5.12/src/or/routerparse.c	2015-04-06 15:31:09.000000000 +0200
@@ -4684,7 +4684,7 @@
                                size_t intro_points_encoded_size)
 {
   const char *current_ipo, *end_of_intro_points;
-  smartlist_t *tokens;
+  smartlist_t *tokens = NULL;
   directory_token_t *tok;
   rend_intro_point_t *intro;
   extend_info_t *info;
@@ -4693,8 +4693,10 @@
   tor_assert(parsed);
   /** Function may only be invoked once. */
   tor_assert(!parsed->intro_nodes);
-  tor_assert(intro_points_encoded);
-  tor_assert(intro_points_encoded_size > 0);
+  if (!intro_points_encoded || intro_points_encoded_size == 0) {
+    log_warn(LD_REND, "Empty or zero size introduction point list");
+    goto err;
+  }
   /* Consider one intro point after the other. */
   current_ipo = intro_points_encoded;
   end_of_intro_points = intro_points_encoded + intro_points_encoded_size;
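Review bot: replacing `tor_assert(intro_points_encoded)` and `tor_assert(intro_points_encoded_size > 0)` with a logged error and `goto err` is the right fix, since input a remote party controls must never reach an assertion. Note that this `goto err` now jumps to the cleanup label before `tokens` is allocated, which is why the `tokens = NULL` initialisation in the previous hunk is required and must not be dropped if these hunks are ever backported separately.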
@@ -4798,8 +4800,10 @@
 
  done:
   /* Free tokens and clear token list. */
-  SMARTLIST_FOREACH(tokens, directory_token_t *, t, token_clear(t));
-  smartlist_free(tokens);
+  if (tokens) {
+    SMARTLIST_FOREACH(tokens, directory_token_t *, t, token_clear(t));
+    smartlist_free(tokens);
+  }
   if (area)
     memarea_drop_all(area);
 
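Review bot: the `if (tokens)` guard pairs with the new early `goto err`; the existing `if (area)` directly below shows the same pattern was already needed for `area`, so it is worth checking that every other local released under `done:` is likewise initialised at declaration, because the early exit now reaches this label with more of them unset.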
diff -Nru tor-0.2.5.11/src/win32/orconfig.h tor-0.2.5.12/src/win32/orconfig.h
--- tor-0.2.5.11/src/win32/orconfig.h	2015-03-12 17:49:50.000000000 +0100
+++ tor-0.2.5.12/src/win32/orconfig.h	2015-04-06 15:57:08.000000000 +0200
@@ -241,7 +241,7 @@
 #define USING_TWOS_COMPLEMENT
 
 /* Version number of package */
-#define VERSION "0.2.5.11"
+#define VERSION "0.2.5.12"
 
 
 

--- End Message ---
--- Begin Message ---
On Mon, 2015-04-06 at 23:12 +0200, Peter Palfrader wrote:
> Please unblock package tor:
> 
> unblock tor/0.2.5.12-1
> 
> This version fixes several hidden service related denial of service bugs
> that have been fixed in stable with DSA 3216-1:

Unblocked, thanks.

Regards,

Adam

--- End Message ---