[tor-bugs] #22962 [Core Tor/Tor]: Clarify the security severity of issues that make denial of service easier

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Nov 30 13:10:32 UTC 2017

#22962: Clarify the security severity of issues that make denial of service easier
 Reporter:  teor          |          Owner:  nickm
     Type:  task          |         Status:  accepted
 Priority:  Medium        |      Milestone:  Tor: 0.3.3.x-final
Component:  Core Tor/Tor  |        Version:
 Severity:  Normal        |     Resolution:
 Keywords:  docs policy   |  Actual Points:
Parent ID:  #22948        |         Points:
 Reviewer:                |        Sponsor:  SponsorV

Comment (by nickm):

 I think we should follow the lead of OpenSSL, and split "HIGH" into "HIGH"
 and "CRITICAL".

 Here's my back-of-the-envelope attempt to do the division, of the
 categories currently in "HIGH".

 These should be "HIGH":
     Any remote crash attack against hidden services. (This includes
 unfreed memory and other resource exhaustion attacks that can lead to
     Any memory-disclosure vulnerability.

 These should be "CRITICAL":
     Any bug that can remotely cause clients to de-anonymize themselves.
     Any remote code-execution vulnerability.
     Any bug that allows impersonation of a relay. (If someone accesses a
 relay's keys, and it's not due to a bug in tor, we deal with that through
 the bad-relays process.)
     Any bug that lets non-exit relays get at user plaintext.
     Any privilege escalation from a Tor user to the higher-privileged user
 that started the Tor process. (For example, if Tor is started by root and
 told to drop privileges with the User flag, any ability to regain root
 privileges would be high-severity.)

 And I think we should be more explicit that we may revise severities
 upwards or downwards depending on specifics of the issue.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22962#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list