Opened 5 months ago

Closed 5 months ago

Last modified 5 months ago

#22753 closed defect (fixed)

Resolve TROVE-2017-006: Regression in guard family avoidance in 0.3.0 series

Reported by: nickm
Owned by: nickm
Priority: High
Milestone: Tor: 0.3.0.x-final
Component: Core Tor/Tor
Version:
Severity: Major
Keywords: 030-backport 031-backport tor-client guard-selection
Cc: boklm
Actual Points:
Parent ID:
Points: 1
Reviewer:
Sponsor:

Description (last modified by nickm)

In 0.3.0, when I revised the guard selection code, I got the "don't use your exit as first-hop even if it's your guard" logic right, but I accidentally omitted "don't use anything in the exit's family as a guard."

The impact here is that some circuits will still use a guard on the same circuit as an exit even when the two are in the same family.

(Putting this issue up on the tracker now because knowing about it does not (much) help an attacker exploit it.)

This is TROVE-2017-006 and CVE-2017-0377.
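
Added illustration, not part of the ticket and not Tor's code: a simplified C model of the check described above, comparing a guard filter that rejects only the exit itself with one that also rejects anything in the exit's family. The relay_t type, the function names, the sample relays and the mutual-declaration family rule are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_FAMILY 4

/* Hypothetical relay model for illustration; not Tor's node_t. */
typedef struct {
  const char *id;                 /* constructed identity label */
  const char *family[MAX_FAMILY]; /* identities this relay declares */
} relay_t;

/* Constructed sample relays: A and B list each other; D lists A one-sidedly. */
static const relay_t RELAY_A = {"A", {"B"}}, RELAY_B = {"B", {"A"}};
static const relay_t RELAY_C = {"C", {NULL}}, RELAY_D = {"D", {"A"}};
/* Guards in preference order (constructed). */
static const relay_t *const GUARDS[] = {&RELAY_A, &RELAY_B, &RELAY_D, &RELAY_C};

static bool declares(const relay_t *a, const relay_t *b) {
  for (size_t i = 0; i < MAX_FAMILY && a->family[i]; i++)
    if (strcmp(a->family[i], b->id) == 0) return true;
  return false;
}

/* Assumed family rule: same relay, or both relays declare each other. */
bool same_family(const relay_t *a, const relay_t *b) {
  return strcmp(a->id, b->id) == 0 || (declares(a, b) && declares(b, a));
}

/* Regressed check: rejects only the exit itself as first hop. */
bool guard_ok_regressed(const relay_t *g, const relay_t *exit_node) {
  return strcmp(g->id, exit_node->id) != 0;
}

/* Intended check: rejects the exit and anything in the exit's family. */
bool guard_ok_fixed(const relay_t *g, const relay_t *exit_node) {
  return !same_family(g, exit_node);
}

typedef bool (*guard_check_fn)(const relay_t *, const relay_t *);

/* First guard in preference order that passes the check, or NULL. */
const relay_t *pick_guard(const relay_t *exit_node, guard_check_fn ok) {
  for (size_t i = 0; i < sizeof GUARDS / sizeof GUARDS[0]; i++)
    if (ok(GUARDS[i], exit_node)) return GUARDS[i];
  return NULL;
}

int main(void) {
  printf("exit=A: regressed picks %s, fixed picks %s\n",
         pick_guard(&RELAY_A, guard_ok_regressed)->id,
         pick_guard(&RELAY_A, guard_ok_fixed)->id);
  return 0;
}
```

With exit A, the regressed filter accepts guard B even though A and B are in the same family, which is the behaviour the description reports.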

Change History (10)

comment:1 Changed 5 months ago by nickm

Component: - Select a component → Core Tor/Tor

comment:2 Changed 5 months ago by nickm

Keywords: 030-backport 031-backport added

comment:3 Changed 5 months ago by nickm

Description: modified (diff)
Keywords: tor-client guard-selection added
Points: 1
Priority: Medium → High
Severity: Normal → Major
Summary: Resolve TROVE-2017-006 → Resolve TROVE-2017-006: Regression in guard family avoidance in 0.3.0 series

comment:4 Changed 5 months ago by nickm

Owner: set to nickm
Status: new → accepted

comment:5 Changed 5 months ago by nickm

Status: accepted → needs_review

I have a branch, trove-2017-006, for testing. Also available for review at https://oniongit.eu/nickm/tor/merge_requests/2

This is the same as the encrypted patch that I circulated earlier, except that it adds more comments, and a fix for a unit test issue, and adds a regression test.

The branch is based on maint-0.3.0 and should merge forward cleanly.

comment:6 Changed 5 months ago by asn

Patch looks good to me.

comment:7 Changed 5 months ago by boklm

Cc: boklm added

comment:8 Changed 5 months ago by nickm

Milestone: Tor: 0.3.2.x-final → Tor: 0.3.0.x-final
Resolution: fixed
Status: needs_review → closed

Merging.

comment:9 Changed 5 months ago by cypherpunks

The changes file and ChangeLog mention TROVE-2016-006 instead of TROVE-2017-006. Also noticed by nusenu on https://lists.torproject.org/pipermail/tor-talk/2017-June/043299.html.

comment:10 Changed 5 months ago by nickm

Thanks! I've fixed this in the appropriate branches, so at least it'll be correct for later record.
