Opened 3 weeks ago

Closed 3 weeks ago

Last modified 2 weeks ago

#22753 closed defect (fixed)

Resolve TROVE-2017-006: Regression in guard family avoidance in 0.3.0 series

Reported by: nickm
Owned by: nickm
Priority: High
Milestone: Tor: 0.3.0.x-final
Component: Core Tor/Tor
Version:
Severity: Major
Keywords: 030-backport 031-backport tor-client guard-selection
Cc: boklm
Actual Points:
Parent ID:
Points: 1
Reviewer:
Sponsor:

Description (last modified by nickm)

In 0.3.0, when I revised the guard selection code, I got the "don't use your exit as first-hop even if it's your guard" logic right, but I accidentally omitted "don't use anything in the exit's family as a guard."

The impact here is that some circuits will still use a guard on the same circuit as an exit even when the two are in the same family.

(Putting this issue up on the tracker now because knowing about it does not (much) help an attacker exploit it.)

This is TROVE-2017-006 and CVE-2017-0377.
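
The difference between the two rules in the description, as an added example that is not Tor's code and not part of the original ticket: a small model in which guards are tried in preference order against an already chosen exit. The names `relay_t`, `same_family`, `guard_ok_regressed`, `guard_ok_fixed` and `pick_guard`, the sample relays, and the rule that a family link counts only when both relays declare it are assumptions of this model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#define MAX_FAMILY 4

/* Simplified relay model for illustration; not Tor's own data structures. */
typedef struct {
  const char *id;                 /* constructed identity label */
  const char *family[MAX_FAMILY]; /* identities this relay declares as family */
} relay_t;

/* Constructed sample: EXIT is also a guard; G1 and EXIT declare each other. */
static const relay_t SAMPLE_EXIT = { "EXIT", { "G1" } };
static const relay_t SAMPLE_GUARDS[] = {
  { "EXIT", { "G1" } }, { "G1", { "EXIT" } }, { "G2", { NULL } },
  { "G3", { "EXIT" } }, /* one-sided claim: EXIT does not list G3 */
};

static bool declares(const relay_t *a, const relay_t *b) {
  for (size_t i = 0; i < MAX_FAMILY && a->family[i]; i++)
    if (strcmp(a->family[i], b->id) == 0) return true;
  return false;
}
/* Assumption of this model: a family link counts only when declared by both. */
static bool same_family(const relay_t *a, const relay_t *b) {
  return declares(a, b) && declares(b, a);
}
/* Regressed check from the ticket: only the exit itself is excluded. */
static bool guard_ok_regressed(const relay_t *g, const relay_t *ex) {
  return strcmp(g->id, ex->id) != 0;
}
/* Intended check: exclude the exit and anything in the exit's family. */
static bool guard_ok_fixed(const relay_t *g, const relay_t *ex) {
  return strcmp(g->id, ex->id) != 0 && !same_family(g, ex);
}
/* Return the first guard, in preference order, that passes `ok`; NULL if none. */
static const relay_t *pick_guard(const relay_t *gs, size_t n, const relay_t *ex,
                                 bool (*ok)(const relay_t *, const relay_t *)) {
  for (size_t i = 0; i < n; i++)
    if (ok(&gs[i], ex)) return &gs[i];
  return NULL;
}

int main(void) {
  size_t n = sizeof SAMPLE_GUARDS / sizeof SAMPLE_GUARDS[0];
  printf("regressed: %s\n", pick_guard(SAMPLE_GUARDS, n, &SAMPLE_EXIT, guard_ok_regressed)->id);
  printf("fixed:     %s\n", pick_guard(SAMPLE_GUARDS, n, &SAMPLE_EXIT, guard_ok_fixed)->id);
  return 0;
}
```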

Change History (10)

comment:1 Changed 3 weeks ago by nickm

  • Component changed from - Select a component to Core Tor/Tor

comment:2 Changed 3 weeks ago by nickm

  • Keywords 030-backport 031-backport added

comment:3 Changed 3 weeks ago by nickm

  • Description modified (diff)
  • Keywords tor-client guard-selection added
  • Points set to 1
  • Priority changed from Medium to High
  • Severity changed from Normal to Major
  • Summary changed from Resolve TROVE-2017-006 to Resolve TROVE-2017-006: Regression in guard family avoidance in 0.3.0 series

comment:4 Changed 3 weeks ago by nickm

  • Owner set to nickm
  • Status changed from new to accepted

comment:5 Changed 3 weeks ago by nickm

  • Status changed from accepted to needs_review

I have a branch, trove-2017-006, for testing. Also available for review at https://oniongit.eu/nickm/tor/merge_requests/2

This is the same as the encrypted patch that I circulated earlier, except that it adds more comments, and a fix for a unit test issue, and adds a regression test.

The branch is based on maint-0.3.0 and should merge forward cleanly.

comment:6 Changed 3 weeks ago by asn

Patch looks good to me.

comment:7 Changed 3 weeks ago by boklm

  • Cc boklm added

comment:8 Changed 3 weeks ago by nickm

  • Milestone changed from Tor: 0.3.2.x-final to Tor: 0.3.0.x-final
  • Resolution set to fixed
  • Status changed from needs_review to closed

Merging.

comment:9 Changed 2 weeks ago by cypherpunks

The changes file and ChangeLog mention TROVE-2016-006 instead of TROVE-2017-006. Also noticed by nusenu on https://lists.torproject.org/pipermail/tor-talk/2017-June/043299.html.

comment:10 Changed 2 weeks ago by nickm

Thanks! I've fixed this in the appropriate branches, so at least it'll be correct for later record.
