diff --git a/changes/bug24313 b/changes/bug24313
new file mode 100644
index 0000000000..b927ec3ba6
--- /dev/null
+++ b/changes/bug24313
@@ -0,0 +1,5 @@
+ o Major bugfixes (security, hidden service v2):
+ - Fix a use-after-free error that could crash v2 Tor hidden services
+ when it failed to open circuits while expiring introductions
+ points. Fixes bug 24313; bugfix on 0.2.7.2-alpha. This
+ issue is also tracked as TROVE-2017-013 and CVE-2017-8823.
diff --git a/changes/trove-2017-009 b/changes/trove-2017-009
new file mode 100644
index 0000000000..166a5faec6
--- /dev/null
+++ b/changes/trove-2017-009
@@ -0,0 +1,10 @@
+ o Major bugfixes (security):
+ - When checking for replays in the INTRODUCE1 cell data for a (legacy)
+ hiddden service, correctly detect replays in the RSA-encrypted part of
+ the cell. We were previously checking for replays on the entire cell,
+ but those can be circumvented due to the malleability of Tor's legacy
+ hybrid encryption. This fix helps prevent a traffic confirmation
+ attack. Fixes bug 24244; bugfix on 0.2.4.1-alpha. This issue is also
+ tracked as TROVE-2017-009 and CVE-2017-8819.
+
+
diff --git a/changes/trove-2017-010 b/changes/trove-2017-010
new file mode 100644
index 0000000000..d5bf9333da
--- /dev/null
+++ b/changes/trove-2017-010
@@ -0,0 +1,6 @@
+ o Major bugfixes (security):
+ - Fix a denial-of-service issue where an attacker could crash
+ a directory authority using a malformed router descriptor.
+ Fixes bug 24245; bugfix on 0.2.9.4-alpha. Also tracked
+ as TROVE-2017-010 and CVE-2017-8820.
+
diff --git a/changes/trove-2017-011 b/changes/trove-2017-011
new file mode 100644
index 0000000000..82d20d9e78
--- /dev/null
+++ b/changes/trove-2017-011
@@ -0,0 +1,8 @@
+ o Major bugfixes (security):
+ - Fix a denial of service bug where an attacker could use a malformed
+ directory object to cause a Tor instance to pause while OpenSSL would
+ try to read a passphrase from the terminal. (If the terminal was not
+ available, tor would continue running.) Fixes bug 24246; bugfix on
+ every version of Tor. Also tracked as TROVE-2017-011 and
+ CVE-2017-8821. Found by OSS-Fuzz as testcase 6360145429790720.
+
diff --git a/changes/trove-2017-012-part1 b/changes/trove-2017-012-part1
new file mode 100644
index 0000000000..9fccc2cf65
--- /dev/null
+++ b/changes/trove-2017-012-part1
@@ -0,0 +1,6 @@
+ o Major bugfixes (security, relay):
+ - When running as a relay, make sure that we never build a path through
+ ourselves, even in the case where we have somehow lost the version of
+ our descriptor appearing in the consensus. Fixes part of bug 21534;
+ bugfix on 0.2.0.1-alpha. This issue is also tracked as TROVE-2017-012
+ and CVE-2017-8822.
diff --git a/src/common/crypto.c b/src/common/crypto.c
index 7cb3330bde..d1357182d2 100644
--- a/src/common/crypto.c
+++ b/src/common/crypto.c
@@ -645,11 +645,21 @@ MOCK_IMPL(int,
return 0;
}
+/** A PEM callback that always reports a failure to get a password */
+static int
+pem_no_password_cb(char *buf, int size, int rwflag, void *u)
+{
+ (void)buf;
+ (void)size;
+ (void)rwflag;
+ (void)u;
+ return 0;
+}
+
/** Read a PEM-encoded private key from the len-byte string s
* into env. Return 0 on success, -1 on failure. If len is -1,
* the string is nul-terminated.
*/
-/* Used here, and used for testing. */
int
crypto_pk_read_private_key_from_string(crypto_pk_t *env,
const char *s, ssize_t len)
@@ -668,7 +678,7 @@ crypto_pk_read_private_key_from_string(crypto_pk_t *env,
if (env->key)
RSA_free(env->key);
- env->key = PEM_read_bio_RSAPrivateKey(b,NULL,NULL,NULL);
+ env->key = PEM_read_bio_RSAPrivateKey(b,NULL,pem_no_password_cb,NULL);
BIO_free(b);
@@ -800,7 +810,7 @@ crypto_pk_read_public_key_from_string(crypto_pk_t *env, const char *src,
if (env->key)
RSA_free(env->key);
- env->key = PEM_read_bio_RSAPublicKey(b, NULL, NULL, NULL);
+ env->key = PEM_read_bio_RSAPublicKey(b, NULL, pem_no_password_cb, NULL);
BIO_free(b);
if (!env->key) {
crypto_log_errors(LOG_WARN, "reading public key from string");
diff --git a/src/or/protover.c b/src/or/protover.c
index 88d549ab35..c76f028699 100644
--- a/src/or/protover.c
+++ b/src/or/protover.c
@@ -694,6 +694,11 @@ protocol_list_contains(const smartlist_t *protos,
const char *
protover_compute_for_old_tor(const char *version)
{
+ if (version == NULL) {
+ /* No known version; guess the oldest series that is still supported. */
+ version = "0.2.5.15";
+ }
+
if (tor_version_as_new_as(version,
FIRST_TOR_VERSION_TO_ADVERTISE_PROTOCOLS)) {
return "";
diff --git a/src/or/rendservice.c b/src/or/rendservice.c
index 8087e88499..67a94f7021 100644
--- a/src/or/rendservice.c
+++ b/src/or/rendservice.c
@@ -1879,6 +1879,7 @@ rend_service_receive_introduction(origin_circuit_t *circuit,
time_t now = time(NULL);
time_t elapsed;
int replay;
+ size_t keylen;
/* Do some initial validation and logging before we parse the cell */
if (circuit->base_.purpose != CIRCUIT_PURPOSE_S_INTRO) {
@@ -1953,9 +1954,10 @@ rend_service_receive_introduction(origin_circuit_t *circuit,
}
/* check for replay of PK-encrypted portion. */
+ keylen = crypto_pk_keysize(intro_key);
replay = replaycache_add_test_and_elapsed(
intro_point->accepted_intro_rsa_parts,
- parsed_req->ciphertext, parsed_req->ciphertext_len,
+ parsed_req->ciphertext, MIN(parsed_req->ciphertext_len, keylen),
&elapsed);
if (replay) {
@@ -3974,6 +3976,10 @@ remove_invalid_intro_points(rend_service_t *service,
log_info(LD_REND, "Expiring %s as intro point for %s.",
safe_str_client(extend_info_describe(intro->extend_info)),
safe_str_client(service->service_id));
+ /* We might have put it in the retry list if so, undo. */
+ if (retry_nodes) {
+ smartlist_remove(retry_nodes, intro);
+ }
smartlist_add(service->expiring_nodes, intro);
SMARTLIST_DEL_CURRENT(service->intro_nodes, intro);
/* Intro point is expired, we need a new one thus don't consider it
diff --git a/src/or/routerlist.c b/src/or/routerlist.c
index b68db750c3..83e513448d 100644
--- a/src/or/routerlist.c
+++ b/src/or/routerlist.c
@@ -2820,7 +2820,10 @@ router_choose_random_node(smartlist_t *excludedsmartlist,
});
}
- if ((r = routerlist_find_my_routerinfo()))
+ /* If the node_t is not found we won't be to exclude ourself but we
+ * won't be able to pick ourself in router_choose_random_node() so
+ * this is fine to at least try with our routerinfo_t object. */
+ if ((r = router_get_my_routerinfo()))
routerlist_add_node_and_family(excludednodes, r);
router_add_running_nodes_to_smartlist(sl, allow_invalid,