[tor-bugs] #22962 [Core Tor/Tor]: Clarify the security severity of issues that make denial of service easier
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Nov 30 13:10:32 UTC 2017
#22962: Clarify the security severity of issues that make denial of service easier
--------------------------+------------------------------------
Reporter: teor | Owner: nickm
Type: task | Status: accepted
Priority: Medium | Milestone: Tor: 0.3.3.x-final
Component: Core Tor/Tor | Version:
Severity: Normal | Resolution:
Keywords: docs policy | Actual Points:
Parent ID: #22948 | Points:
Reviewer: | Sponsor: SponsorV
--------------------------+------------------------------------
Comment (by nickm):
I think we should follow the lead of OpenSSL, and split "HIGH" into "HIGH"
and "CRITICAL".
Here's my back-of-the-envelope attempt to do the division, of the
categories currently in "HIGH".
These should be "HIGH":
 * Any remote crash attack against hidden services. (This includes unfreed memory and other resource exhaustion attacks that can lead to denial-of-service.)
 * Any memory-disclosure vulnerability.
These should be "CRITICAL":
 * Any bug that can remotely cause clients to de-anonymize themselves.
 * Any remote code-execution vulnerability.
 * Any bug that allows impersonation of a relay. (If someone accesses a relay's keys, and it's not due to a bug in tor, we deal with that through the bad-relays process.)
 * Any bug that lets non-exit relays get at user plaintext.
 * Any privilege escalation from a Tor user to the higher-privileged user that started the Tor process. (For example, if Tor is started by root and told to drop privileges with the User flag, any ability to regain root privileges would be high-severity.)
And I think we should be more explicit that we may revise severities
upwards or downwards depending on specifics of the issue.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22962#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online