Bug 26356 - tor new security issues CVE-2020-10592 and CVE-2020-10593
Summary: tor new security issues CVE-2020-10592 and CVE-2020-10593
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-03-18 21:27 CET by David Walser
Modified: 2020-04-15 12:13 CEST (History)
5 users (show)

See Also:
Source RPM: tor-0.3.5.8-1.mga7
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2020-03-18 21:27:05 CET 
Upstream has released new versions today (March 18):
https://blog.torproject.org/node/1855

The issues are fixed upstream in 0.3.5.10.

Mageia 7 is also affected.
David Walser 2020-03-18 21:28:26 CET

Status comment: (none) => Fixed upstream in 0.3.5.10
Whiteboard: (none) => MGA7TOO

Comment 1 David Walser 2020-03-24 23:38:38 CET 
Debian has issued an advisory for this on March 20:
https://www.debian.org/security/2020/dsa-4644
Comment 2 Jani Välimaa 2020-04-01 17:47:34 CEST 
Pushed tor 0.3.5.10 to core/release for cauldron and to core/updates_testing for mga7.

CC: (none) => jani.valimaa
Assignee: jani.valimaa => qa-bugs

Jani Välimaa 2020-04-01 19:14:27 CEST

Version: Cauldron => 7
Source RPM: tor-0.3.5.9-2.mga8.src.rpm => tor-0.3.5.8-1.mga7
Whiteboard: MGA7TOO => (none)

Comment 3 David Walser 2020-04-01 23:22:55 CEST 
Advisory:
========================

Updated tor package fixes security vulnerabilities:

Tor before 0.3.5.10 allows remote attackers to cause a Denial of Service (CPU
consumption) (CVE-2020-10592).

Tor before 0.3.5.10 allows remote attackers to cause a Denial of Service
(memory leak). This occurs in circpad_setup_machine_on_circ because a
circuit-padding machine can be negotiated twice on the same circuit
(CVE-2020-10593).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10592
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10593
https://blog.torproject.org/node/1855

Status comment: Fixed upstream in 0.3.5.10 => (none)

Comment 4 Herman Viaene 2020-04-10 14:53:59 CEST 
Could you pleasee mention the exact package name, that woud save me making a few wrong guesses.
MGA7-64 Plasma on Lenovo B50
No installation issues.Installed tor-0.3.5.10-1.mga7
Ref bug 21740 for testing.
# systemctl start tor

# systemctl -l status tor
● tor.service - Anonymizing overlay network for TCP
   Loaded: loaded (/usr/lib/systemd/system/tor.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2020-04-10 14:34:25 CEST; 21s ago
  Process: 8378 ExecStartPre=/usr/bin/tor --runasdaemon 0 --defaults-torrc /usr/share/tor/defaults-torrc -f /etc/tor/torrc>
 Main PID: 8379 (tor)
   Memory: 45.2M
   CGroup: /system.slice/tor.service
           └─8379 /usr/bin/tor --runasdaemon 0 --defaults-torrc /usr/share/tor/defaults-torrc -f /etc/tor/torrc

After applying the chages in the Firefox settings, I could navigate to the testing site  https://check.torproject.org/ and got the green onion and the congratulations.
Seems OK. Loggging this after reverting to the normal settings.
Anything more needed???

CC: (none) => herman.viaene

Comment 5 David Walser 2020-04-10 16:32:40 CEST 
Good enough.
Herman Viaene 2020-04-10 16:37:35 CEST

Whiteboard: (none) => MGA7-64-OK

Comment 6 Thomas Andrews 2020-04-10 16:59:38 CEST 
Validating. Advisory in Comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2020-04-15 10:40:25 CEST

Keywords: (none) => advisory
CC: (none) => tmb

Comment 7 Mageia Robot 2020-04-15 12:13:43 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0165.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.