Bug 1005292 (CVE-2016-8860) - VUL-0: CVE-2016-8860: tor: out-of-bounds read on buffer chunks (TROVE-2016-10-001)
Status: RESOLVED FIXED
: TROVE-2016-10-001
Alias: CVE-2016-8860
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other openSUSE 13.2
: P5 - None : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
Reported: 2016-10-18 10:52 UTC by Mikhail Kasimov
Modified: 2016-12-28 15:10 UTC
Description Mikhail Kasimov 2016-10-18 10:52:30 UTC
Reference: [1] https://trac.torproject.org/projects/tor/ticket/20384

[1]:
=================================================================
Tor 0.2.9.4-alpha fixes a security hole in previous versions of Tor
  that would allow a remote attacker to crash a Tor client, hidden
  service, relay, or authority. All Tor users should upgrade to this
  version, or to 0.2.8.9. Patches will be released for older versions
  of Tor.

Major features (security fixes):
    - Prevent a class of security bugs caused by treating the contents
      of a buffer chunk as if they were a NUL-terminated string. At
      least one such bug seems to be present in all currently used
      versions of Tor, and would allow an attacker to remotely crash
      most Tor instances, especially those compiled with extra compiler
      hardening. With this defense in place, such bugs can't crash Tor,
      though we should still fix them as they occur. Closes ticket
      20384 (TROVE-2016-10-001).
=================================================================

[2] http://download.opensuse.org/repositories/network/openSUSE_Leap_42.1/x86_64/

tor-0.2.8.8-103.1.x86_64.rpm
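
The bug class named in the release note above, as an added example that is not Tor's code and not part of the original report: a chunk of received bytes is not a C string, so parsing must be bounded by the data length, and zeroed sentinel bytes after the usable area are one defense that keeps a stray string function inside the allocation. The names chunk_t, chunk_new, chunk_append, chunk_find, chunk_strlen_guarded and the value of SENTINEL_LEN are assumptions made for this sketch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SENTINEL_LEN 4 /* assumed size of the zeroed guard area */

/* Hypothetical, simplified chunk: only the first datalen bytes of mem hold data. */
typedef struct chunk {
    size_t capacity; /* usable bytes in mem */
    size_t datalen;  /* bytes currently filled */
    char mem[];      /* capacity + SENTINEL_LEN bytes are allocated */
} chunk_t;

/* Allocate a chunk; calloc leaves the sentinel bytes after mem[capacity-1] zero. */
chunk_t *chunk_new(size_t capacity) {
    chunk_t *c = calloc(1, sizeof(*c) + capacity + SENTINEL_LEN);
    if (c) c->capacity = capacity;
    return c;
}

/* Append raw bytes; never writes past capacity, so the sentinel stays zero. */
size_t chunk_append(chunk_t *c, const char *src, size_t n) {
    size_t room = c->capacity - c->datalen;
    if (n > room) n = room;
    memcpy(c->mem + c->datalen, src, n);
    c->datalen += n;
    return n;
}

/* Correct handling: search only the filled bytes. Returns offset or -1. */
long chunk_find(const chunk_t *c, char ch) {
    const char *p = memchr(c->mem, ch, c->datalen);
    return p ? (long)(p - c->mem) : -1;
}

/* The buggy pattern (a string function on chunk memory). With the sentinel
 * the scan ends at mem[capacity] at the latest, inside the allocation. */
size_t chunk_strlen_guarded(const chunk_t *c) {
    return strlen(c->mem);
}

int main(void) {
    chunk_t *c = chunk_new(8);
    if (!c) return 1;
    chunk_append(c, "ABCDEFGH", 8); /* constructed input: fills the chunk, no NUL */
    printf("NUL: %ld, strlen: %zu\n", chunk_find(c, '\0'), chunk_strlen_guarded(c));
    free(c);
    return 0;
}
```

Without the sentinel bytes, the strlen call on a completely filled chunk would read past the end of the allocation, which is the out-of-bounds read this bug describes.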
Comment 1 Mikhail Kasimov 2016-10-18 17:28:06 UTC
[2] http://seclists.org/oss-sec/2016/q4/178
=============================================
Hi,
please assign a CVE ID for
https://blog.torproject.org/blog/tor-0289-released-important-fixes

Fix: https://github.com/torproject/tor/commit/3cea86eb2fbb65949673eb4ba8ebb695c87a57ce
Bug: https://trac.torproject.org/projects/tor/ticket/20384

Cheers, Moritz
=============================================
Comment 2 Andreas Stieger 2016-10-19 08:44:26 UTC
*** Bug 1005213 has been marked as a duplicate of this bug. ***
Comment 3 Andreas Stieger 2016-10-19 08:48:31 UTC
Mikhail, please rest assured that we do read oss-sec and do not miss CVEs assigned there. Also in this case the maintainer (me) was subscribed to the upstream -announce mailing list, which resulted in bug 1005213. If you could do a search first that would avoid duplicates and extra work.
Comment 4 Mikhail Kasimov 2016-10-19 09:02:43 UTC
(In reply to Andreas Stieger from comment #3)
> Mikhail, please rest assured that we do read oss-sec and do not miss CVEs
> assigned there. Also in this case the maintainer (me) was subscribed to the
> upstream -announce mailing list, which resulted in bug 1005213. If you could
> do a search first that would avoid duplicates and extra work.

I've a habit, which sounds like "if you see bug-report, put it in bugzilla of distro you use. Only in this case you can be sure, that it won't be missed and you'll get the fix".

But ok, no problem, if oss-sec mesages are under monitoring by (open-)SUSE guys.
Comment 5 Mikhail Kasimov 2016-10-19 09:03:19 UTC
(In reply to Mikhail Kasimov from comment #4)
> (In reply to Andreas Stieger from comment #3)
> > Mikhail, please rest assured that we do read oss-sec and do not miss CVEs
> > assigned there. Also in this case the maintainer (me) was subscribed to the
> > upstream -announce mailing list, which resulted in bug 1005213. If you could
> > do a search first that would avoid duplicates and extra work.
> 
> I've a habit, which sounds like "if you see bug-report, put it in bugzilla
> of distro you use. Only in this case you can be sure, that it won't be
> missed and you'll get the fix".
> 
> But ok, no problem, if oss-sec mesages are under monitoring by (open-)SUSE
> guys.

messages*
Comment 6 Andreas Stieger 2016-10-19 09:35:04 UTC
We appreciate your work. If you feel we have missed something please add or extend bugs.

Fixes submitted.
Comment 7 Bernhard Wiedemann 2016-10-19 10:00:57 UTC
This is an autogenerated message for OBS integration:
This bug (1005292) was mentioned in
https://build.opensuse.org/request/show/436112 13.2+42.1 / tor
Comment 8 Bernhard Wiedemann 2016-10-19 12:01:03 UTC
This is an autogenerated message for OBS integration:
This bug (1005292) was mentioned in
https://build.opensuse.org/request/show/436114 Factory / tor
Comment 9 Andreas Stieger 2016-10-24 09:07:34 UTC
release
Comment 10 Swamp Workflow Management 2016-10-24 12:09:30 UTC
openSUSE-SU-2016:2603-1: An update that contains security fixes can now be installed.

Category: security (moderate)
Bug References: 1005292
CVE References: 
Sources used:
openSUSE Leap 42.1 (src):    tor-0.2.7.6-13.1
openSUSE 13.2 (src):    tor-0.2.7.6-26.1
Comment 11 Bernhard Wiedemann 2016-12-19 23:00:39 UTC
This is an autogenerated message for OBS integration:
This bug (1005292) was mentioned in
https://build.opensuse.org/request/show/447097 42.2 / tor
Comment 12 Swamp Workflow Management 2016-12-28 15:10:27 UTC
openSUSE-SU-2016:3282-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1005292,1016343
CVE References: CVE-2016-1254
Sources used:
openSUSE Leap 42.2 (src):    tor-0.2.8.12-3.1