  • #24246
Closed (moved) (moved)
Open
Issue created Nov 11, 2017 by Nick Mathewson (@nickm)

Fix TROVE-2017-011: An attacker can make tor ask for a password

TROVE-2017-011: An attacker can make Tor ask for a password

SEVERITY: High

ALSO TRACKED AS: OSS-Fuzz testcase 6360145429790720, CVE-2017-8821

CREDIT: This was found by OSS-Fuzz.

SUMMARY:

  All over our code, we accept and parse RSA public keys in the "PEM"
  format, such as:

  -----BEGIN RSA PUBLIC KEY-----
  SXQncyBjb29sIHRoYXQgeW91IHdlcmUgY29uY2VybmVkIGVub3VnaCB0byBjaGVj
  aywgYnV0IHRoZXJlIGlzIGluIGZhY3Qgbm8gc2VjcmV0IGluZm9ybWF0aW9uIGhl
  cmUuICBUaGlzIHNwYWNlIGludGVudGlvbmFsbHkgbGVmdCBibGFuay4=\n
  -----END RSA PUBLIC KEY-----

  But if you pass OpenSSL a public key that's suitably constructed, it
  will ask for a password.  This applies to public keys as well as
  private keys!

  If this "key" is used in a microdescriptor, an onion service
  descriptor, a relay or bridge descriptor, or anywhere else, then
  OpenSSL will pause and ask for a passphrase.  This blocks Tor, which
  amounts to a denial-of-service attack.  If it causes an onion service
  or a busy client to block, this could aid in traffic analysis.

  Tors that are running as a daemon (without a terminal) or inside
  another process may not be vulnerable -- it depends on OpenSSL's
  behavior when it tries to ask for a password.
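  As an added example (not part of this report or of Tor's own code), the two
  defensive measures a parser can take are shown below in C: OpenSSL's PEM
  reader prompts because it honours "Proc-Type: 4,ENCRYPTED" / "DEK-Info:"
  headers and then calls its default, terminal-prompting passphrase callback,
  so callers can either reject such headers up front or install a callback
  that refuses to answer. The PEM strings are constructed samples, and the
  callback is only declared with the pem_password_cb signature, not wired to
  libcrypto, so the file builds without OpenSSL.

```c
#include <string.h>

/* Constructed sample inputs (not real keys); the second carries the PEM
 * encryption headers that make OpenSSL call the passphrase callback. */
static const char PLAIN_PEM[] =
    "-----BEGIN RSA PUBLIC KEY-----\n"
    "SXQncyBjb29sIHRoYXQgeW91IHdlcmUgY29uY2VybmVkIGVub3VnaCB0byBjaGVj\n"
    "-----END RSA PUBLIC KEY-----\n";
static const char ENCRYPTED_PEM[] =
    "-----BEGIN RSA PUBLIC KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n"
    "\n"
    "SXQncyBjb29sIHRoYXQgeW91IHdlcmUgY29uY2VybmVkIGVub3VnaCB0byBjaGVj\n"
    "-----END RSA PUBLIC KEY-----\n";

/* Returns 1 if the PEM block declares itself encrypted, i.e. carries a
 * "Proc-Type: 4,ENCRYPTED" or "DEK-Info:" header between the BEGIN marker
 * and the blank line that ends the header block; 0 otherwise. Such input
 * can be rejected before it ever reaches PEM_read_bio_RSAPublicKey(). */
int pem_requests_passphrase(const char *pem)
{
    const char *p = strstr(pem, "-----BEGIN "), *eol;
    if (!p || !(p = strchr(p, '\n')))
        return 0;                        /* no PEM block at all */
    for (p++; (eol = strchr(p, '\n')) != NULL; p = eol + 1) {
        size_t len = (size_t)(eol - p);
        if (len == 0 || (len == 1 && *p == '\r') || !memchr(p, ':', len))
            break;                       /* blank line or base64: headers end */
        if (len >= 10 && !memcmp(p, "Proc-Type:", 10)) {
            const char *e = strstr(p, "ENCRYPTED");
            if (e && (size_t)(e - p) < len)
                return 1;
        }
        if (len >= 9 && !memcmp(p, "DEK-Info:", 9))
            return 1;
    }
    return 0;
}

/* Callback with OpenSSL's pem_password_cb signature that refuses to supply
 * a passphrase. Passed as the cb argument of PEM_read_bio_RSAPublicKey(),
 * it makes the read fail with a bad-password error instead of prompting. */
int refuse_passphrase_cb(char *buf, int size, int rwflag, void *u)
{
    (void)buf; (void)size; (void)rwflag; (void)u;
    return -1;
}
```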

FIX:

  Everyone affected should upgrade to one of the releases with the fix
  for this issue: 0.2.5.16, 0.2.8.17, 0.2.9.14, 0.3.0.13, 0.3.1.9, or
  0.3.2.6-alpha.