製品・ソフトウェアに関する情報

JVN脆弱性詳細

Tor におけるバッファエラーの脆弱性

Title	Tor におけるバッファエラーの脆弱性
Summary	Tor には、バッファエラーの脆弱性が存在します。
Possible impacts	サービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Dec. 19, 2017, midnight
Registration Date	Jan. 11, 2018, 5 p.m.
Last Update	Jan. 11, 2018, 5 p.m.

CVSS3.0 : 重要
Score	7.5
Vector	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS2.0 : 警告
Score	5
Vector	AV:N/AC:L/Au:N/C:N/I:N/A:P

Affected System

Debian

Debian GNU/Linux 8.0

Debian GNU/Linux 9.0

Fedora Project

Fedora 24

Fedora 25

openSUSE project

openSUSE 13.2

openSUSE Leap 42.1

openSUSE Leap 42.2

The Tor Project

Tor 0.2.8.12 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2016-1254	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1254
National Vulnerability Database (NVD)
2	CVE-2016-1254	https://nvd.nist.gov/vuln/detail/CVE-2016-1254

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-119	https://jvndb.jvn.jp/ja/cwe/CWE-119.html

ベンダー情報

No	Name	URL
Debian Security Advisory
1	DSA-3741	https://www.debian.org/security/2016/dsa-3741
Fedora Update Notification
2	FEDORA-2016-76b646637e	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FXOJSMCTIOHLBRYFBVEL3CDLGPZXX6WE/
3	FEDORA-2016-95b4e9077e	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GTU2R253477RZLYAJAR5DAXAON7KIVLA/
opensuse-updates
4	openSUSE-SU-2016:3281	https://lists.opensuse.org/opensuse-updates/2016-12/msg00154.html
5	openSUSE-SU-2016:3282	https://lists.opensuse.org/opensuse-updates/2016-12/msg00155.html
Tor
6	commit (d978216dea6b21ac38230a59d172139185a68dbd)	https://gitweb.torproject.org/tor.git/commit/?id=d978216dea6b21ac38230a59d172139185a68dbd
Tor Blog
7	Tor 0.2.8.12 is released	https://blog.torproject.org/blog/tor-02812-released
trac
8	TROVE-2016-12-002: read one byte past end of buffer in get_token()	https://trac.torproject.org/projects/tor/ticket/21018

Change Log

No	Changed Details	Date of change
0	[2018年01月11日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2016-1254

Summary	Tor before 0.2.8.12 might allow remote attackers to cause a denial of service (client crash) via a crafted hidden service descriptor.
Publication Date	Dec. 6, 2017, 1:29 a.m.
Registration Date	Jan. 26, 2021, 2:07 p.m.
Last Update	Nov. 21, 2024, 11:46 a.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:torproject:tor::::::::					0.2.8.12

Configuration2	or higher	or less	more than	less than
cpe:2.3:o:opensuse_project:leap:42.1:::::::*
cpe:2.3:o:debian:debian_linux:8.0:::::::*
cpe:2.3:o:fedoraproject:fedora:25:::::::*
cpe:2.3:o:fedoraproject:fedora:24:::::::*
cpe:2.3:o:debian:debian_linux:9.0:::::::*
cpe:2.3:o:opensuse:leap:42.2:::::::*
cpe:2.3:o:opensuse:opensuse:13.2:::::::*

Related information, measures and tools

No	URL	タグ
1	http://lists.opensuse.org/opensuse-updates/2016-12/msg00154.html	Third Party Advisory
2	http://lists.opensuse.org/opensuse-updates/2016-12/msg00154.html	Third Party Advisory
3	http://lists.opensuse.org/opensuse-updates/2016-12/msg00155.html	Third Party Advisory
4	http://lists.opensuse.org/opensuse-updates/2016-12/msg00155.html	Third Party Advisory
5	https://blog.torproject.org/blog/tor-02812-released	Vendor Advisory
6	https://blog.torproject.org/blog/tor-02812-released	Vendor Advisory
7	https://gitweb.torproject.org/tor.git/commit/?id=d978216dea6b21ac38230a59d172139185a68dbd	Patch Vendor Advisory
8	https://gitweb.torproject.org/tor.git/commit/?id=d978216dea6b21ac38230a59d172139185a68dbd	Patch Vendor Advisory
9	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FXOJSMCTIOHLBRYFBVEL3CDLGPZXX6WE/
10	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FXOJSMCTIOHLBRYFBVEL3CDLGPZXX6WE/
11	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GTU2R253477RZLYAJAR5DAXAON7KIVLA/
12	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GTU2R253477RZLYAJAR5DAXAON7KIVLA/
13	https://trac.torproject.org/projects/tor/ticket/21018	Issue Tracking Vendor Advisory
14	https://trac.torproject.org/projects/tor/ticket/21018	Issue Tracking Vendor Advisory
15	https://www.debian.org/security/2016/dsa-3741	Third Party Advisory
16	https://www.debian.org/security/2016/dsa-3741	Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-119	バッファエラー	https://cwe.mitre.org/data/definitions/118.html

Configuration2	or higher	or less	more than	less than
cpe:2.3:o:opensuse_project:leap:42.1:::::::*
cpe:2.3:o:debian:debian_linux:8.0:::::::*
cpe:2.3:o:fedoraproject:fedora:25:::::::*
cpe:2.3:o:fedoraproject:fedora:24:::::::*
cpe:2.3:o:debian:debian_linux:9.0:::::::*
cpe:2.3:o:opensuse:leap:42.2:::::::*
cpe:2.3:o:opensuse:opensuse:13.2:::::::*