Arch Linux Security Advisory ASA-202106-50 ========================================== Severity: Medium Date : 2021-06-22 CVE-ID : CVE-2021-34548 CVE-2021-34549 CVE-2021-34550 Package : tor Type : denial of service Remote : Yes Link : https://security.archlinux.org/AVG-2075 Summary ======= The package tor before version 0.4.5.9-1 is vulnerable to denial of service. Resolution ========== Upgrade to 0.4.5.9-1. # pacman -Syu "tor>=0.4.5.9-1" The problems have been fixed upstream in version 0.4.5.9. Workaround ========== None. Description =========== - CVE-2021-34548 (denial of service) A security issue has been found in Tor before version 0.4.5.9. Relays could spoof RELAY_END or RELAY_RESOLVED cell on half-closed streams because clients failed to validate which hop sent these cells. This would allow a relay on a circuit to end a stream that wasn't actually built with it. - CVE-2021-34549 (denial of service) A security issue has been found in Tor before version 0.4.5.9 that could be exploited for a hashtable-based CPU denial-of-service attack against relays. Previously a naive unkeyed hash function to look up circuits in a circuitmux object was used. An attacker could exploit this to construct circuits with chosen circuit IDs, to create collisions and make the hash table inefficient. Now a SipHash construction is used instead. - CVE-2021-34550 (denial of service) A security issue has been found in Tor before version 0.4.5.9. An out- of-bounds memory access in the v3 onion service descriptor parsing could be exploited by crafting an onion service descriptor that would crash any client that tried to visit it. Impact ====== A malicious relay could terminate client connections through crafted cells, leading to denial of service. A malicious client could cause denial of service on a relay through high resource usage using crafted circuit IDs. Lastly, clients could be crashed through crafted onion service descriptors. References ========== https://blog.torproject.org/node/2041 https://gitlab.torproject.org/tpo/core/tor/-/issues/40389 https://gitlab.torproject.org/tpo/core/tor/-/commit/adb248b6d6e0779719e6b873ee12a1e22fa390f4 https://gitlab.torproject.org/tpo/core/tor/-/issues/40391 https://gitlab.torproject.org/tpo/core/tor/-/commit/4c06c619faceb5d158a725d97fda45cadb2cf9c9 https://gitlab.torproject.org/tpo/core/tor/-/issues/40392 https://gitlab.torproject.org/tpo/core/tor/-/commit/f57b5c48e0aa01acd84a194fe4657a0d1cee04cf https://security.archlinux.org/CVE-2021-34548 https://security.archlinux.org/CVE-2021-34549 https://security.archlinux.org/CVE-2021-34550