Resolve TROVE-2020-001 (denial-of-service against Tor built with NSS)
TROVE-2020-001 is a denial-of-service issue that affects Tor users running versions of Tor built with NSS. (Building with NSS is not the default.)
When running an affected version of Tor, either as a relay or a client, Tor will crash under certain circumstances when performing a certificate comparison during our connection handshake. Any party who performs a handshake with a Tor instance can remotely trigger this bug: this means that anybody can crash an affected relay remotely, while affected clients can be crashed by their guards.
The root cause is an out-of-bounds comparison due to an API mismatch -- NSS was telling us a number of bits, but we were expecting it to tell us a number of bytes.
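The class of mismatch described above, as an added illustration that is not Tor's or NSS's code: an item whose length field counts bits, the span a byte-oriented comparison would read if it took that field as bytes, and a comparison that converts and bounds-checks first. The `bit_item_t` type, its fields, the function names and the MSB-first padding of the last byte are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical item (not a real library type): len_bits counts BITS. */
typedef struct {
  const uint8_t *data;
  size_t len_bits;   /* number of valid bits in data */
  size_t cap_bytes;  /* bytes actually allocated behind data */
} bit_item_t;

/* Bytes a comparison would read if len_bits were mistaken for a byte count. */
size_t naive_read_span(const bit_item_t *it) { return it->len_bits; }

/* Bytes that actually hold the value: ceil(len_bits / 8). */
size_t true_byte_len(const bit_item_t *it) { return (it->len_bits + 7) / 8; }

/* 1 if the misread length would run past the allocation, else 0. */
int naive_compare_overreads(const bit_item_t *it) {
  return naive_read_span(it) > it->cap_bytes;
}

/* Corrected comparison: convert bits to bytes, check bounds, then compare.
 * Returns 1 if equal, 0 if different, -1 if an item is malformed. */
int bit_items_equal(const bit_item_t *a, const bit_item_t *b) {
  if (!a || !b || !a->data || !b->data) return -1;
  if (true_byte_len(a) > a->cap_bytes || true_byte_len(b) > b->cap_bytes)
    return -1;
  if (a->len_bits != b->len_bits) return 0;
  size_t full = a->len_bits / 8;               /* whole bytes */
  if (memcmp(a->data, b->data, full) != 0) return 0;
  unsigned rem = (unsigned)(a->len_bits % 8);  /* bits in a trailing partial byte */
  if (rem) {
    uint8_t mask = (uint8_t)(0xFF << (8 - rem)); /* keep only the valid high bits */
    if ((a->data[full] ^ b->data[full]) & mask) return 0;
  }
  return 1;
}

int main(void) {
  /* Constructed sample: a 32-byte value described as 256 bits. */
  static const uint8_t key[32] = {0};
  bit_item_t a = {key, 256, sizeof key}, b = {key, 256, sizeof key};
  printf("true length: %zu bytes, misread span: %zu bytes, overread: %d\n",
         true_byte_len(&a), naive_read_span(&a), naive_compare_overreads(&a));
  printf("checked compare: %d\n", bit_items_equal(&a, &b));
  return 0;
}
```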
This issue affects all supported versions when they are compiled with NSS. A fix will appear in today's releases (0.3.5.11, 0.4.2.8, 0.4.3.6, and 0.4.4.2-alpha).
This is also tracked as CVE-2020-15572.