Arch Linux Security Advisory ASA-202106-50
==========================================

Severity: Medium
Date    : 2021-06-22
CVE-ID  : CVE-2021-34548 CVE-2021-34549 CVE-2021-34550
Package : tor
Type    : denial of service
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2075

Summary
=======

The package tor before version 0.4.5.9-1 is vulnerable to denial of
service.

Resolution
==========

Upgrade to 0.4.5.9-1.

# pacman -Syu "tor>=0.4.5.9-1"

The problems have been fixed upstream in version 0.4.5.9.

Workaround
==========

None.

Description
===========

- CVE-2021-34548 (denial of service)

A security issue has been found in Tor before version 0.4.5.9. Relays
could spoof RELAY_END or RELAY_RESOLVED cell on half-closed streams
because clients failed to validate which hop sent these cells. This
would allow a relay on a circuit to end a stream that wasn't actually
built with it.

- CVE-2021-34549 (denial of service)

A security issue has been found in Tor before version 0.4.5.9 that
could be exploited for a hashtable-based CPU denial-of-service attack
against relays. Previously a naive unkeyed hash function to look up
circuits in a circuitmux object was used. An attacker could exploit
this to construct circuits with chosen circuit IDs, to create
collisions and make the hash table inefficient. Now a SipHash
construction is used instead.

- CVE-2021-34550 (denial of service)

A security issue has been found in Tor before version 0.4.5.9. An out-
of-bounds memory access in the v3 onion service descriptor parsing
could be exploited by crafting an onion service descriptor that would
crash any client that tried to visit it.

Impact
======

A malicious relay could terminate client connections through crafted
cells, leading to denial of service. A malicious client could cause
denial of service on a relay through high resource usage using crafted
circuit IDs. Lastly, clients could be crashed through crafted onion
service descriptors.

References
==========

https://blog.torproject.org/node/2041
https://gitlab.torproject.org/tpo/core/tor/-/issues/40389
https://gitlab.torproject.org/tpo/core/tor/-/commit/adb248b6d6e0779719e6b873ee12a1e22fa390f4
https://gitlab.torproject.org/tpo/core/tor/-/issues/40391
https://gitlab.torproject.org/tpo/core/tor/-/commit/4c06c619faceb5d158a725d97fda45cadb2cf9c9
https://gitlab.torproject.org/tpo/core/tor/-/issues/40392
https://gitlab.torproject.org/tpo/core/tor/-/commit/f57b5c48e0aa01acd84a194fe4657a0d1cee04cf
https://security.archlinux.org/CVE-2021-34548
https://security.archlinux.org/CVE-2021-34549
https://security.archlinux.org/CVE-2021-34550