[tor-bugs] #33619 [Core Tor/Tor]: Resolve TROVE-2020-004

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Mar 17 18:14:50 UTC 2020


#33619: Resolve TROVE-2020-004
-------------------------------------------------+-------------------------
 Reporter:  nickm                                |          Owner:  (none)
     Type:  defect                               |         Status:  closed
 Priority:  Medium                               |      Milestone:  Tor:
                                                 |  0.4.1.x-final
Component:  Core Tor/Tor                         |        Version:
 Severity:  Normal                               |     Resolution:  fixed
 Keywords:  041-backport 042-backport            |  Actual Points:  1
  043-backport                                   |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by nickm):

 * status:  new => closed
 * actualpoints:   => 1
 * milestone:  Tor: 0.4.4.x-final => Tor: 0.4.1.x-final
 * keywords:   => 041-backport 042-backport 043-backport
 * resolution:   => fixed


Old description:



New description:

 This is a remotely triggerable memory leak on relays and clients, found by
 tobias pulls.

 The issue is that when circpad_setup_machine_on_circ() is reached with an
 inconsistent internal configuration, it fails to free an object that is
 replaced.  It logs a bug warning, but that isn't enough.

 Tobias Pulls found that this code was actually reachable, though, and
 results in a memory leak.

--

Comment:

 We fix this in 78bcfc1280b322ba57a10a116457616eeb742ab6, with a fix that
 avoids the memory leak and prevents us from spamming the logs.  It does
 not fix the underlying issue where the code that wasn't supposed to be
 reachable is actually reached.

 This is a "medium" severity issue, and is also tracked as CVE-2020-10593.

 This fix has been merged to all ''supported'' affected releases (0.4.1.x
 and later).

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33619#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list