Upstream information

CVE-2017-0380 at MITRE

Description

The rend_service_intro_established function in or/rendservice.c in Tor before 0.2.8.15, 0.2.9.x before 0.2.9.12, 0.3.0.x before 0.3.0.11, 0.3.1.x before 0.3.1.7, and 0.3.2.x before 0.3.2.1-alpha, when SafeLogging is disabled, allows attackers to obtain sensitive information by leveraging access to the log files of a hidden service, because uninitialized stack data is included in an error message about construction of an introduction point circuit.

SUSE information

Overall state of this security issue: Does not affect SUSE products

This issue is currently rated as having moderate severity.

CVSS v2 Scores
  National Vulnerability Database SUSE
Base Score 4.3 4.3
Vector AV:N/AC:M/Au:N/C:P/I:N/A:N AV:N/AC:M/Au:N/C:P/I:N/A:N
Access Vector Network Network
Access Complexity Medium Medium
Authentication None None
Confidentiality Impact Partial Partial
Integrity Impact None None
Availability Impact None None
CVSS v3 Scores
  National Vulnerability Database SUSE
Base Score 5.9 5.9
Vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Access Vector Network Network
Access Complexity High High
Privileges Required None None
User Interaction None None
Scope Unchanged Unchanged
Confidentiality Impact High High
Integrity Impact None None
Availability Impact None None
SUSE Bugzilla entry: 1059194 [RESOLVED / FIXED]

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
openSUSE Leap 42.2
  • tor >= 0.2.9.12-8.6.1
  • tor-debuginfo >= 0.2.9.12-8.6.1
  • tor-debugsource >= 0.2.9.12-8.6.1
Patchnames:
openSUSE-2017-1092
openSUSE Leap 42.3
  • tor >= 0.3.0.11-3.1
  • tor-debuginfo >= 0.3.0.11-3.1
  • tor-debugsource >= 0.3.0.11-3.1
Patchnames:
openSUSE-2017-1092