CVE-2018-0490: Null Pointer Dereference
First published: Mon Mar 05 2018(Updated: )
An issue was discovered in Tor before 0.2.9.15, 0.3.1.x before 0.3.1.10, and 0.3.2.x before 0.3.2.10. The directory-authority protocol-list subprotocol implementation allows remote attackers to cause a denial of service (NULL pointer dereference and directory-authority crash) via a misformatted relay descriptor that is mishandled during voting.
Credit: security@debian.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/tor | 0.3.5.16-1 0.3.5.16-1+deb10u1 0.4.5.16-1 0.4.7.13-1 0.4.8.7-1 | |
| Torproject Tor | <=0.2.9.14 | |
| Torproject Tor | >=0.3.1.7<=0.3.1.9 | |
| Torproject Tor | =0.3.1.1-alpha | |
| Torproject Tor | =0.3.1.2-alpha | |
| Torproject Tor | =0.3.1.3-alpha | |
| Torproject Tor | =0.3.1.4-alpha | |
| Torproject Tor | =0.3.1.5-alpha | |
| Torproject Tor | =0.3.1.6-rc | |
| Torproject Tor | =0.3.2.1-alpha | |
| Torproject Tor | =0.3.2.2-alpha | |
| Torproject Tor | =0.3.2.3-alpha | |
| Torproject Tor | =0.3.2.4-alpha | |
| Torproject Tor | =0.3.2.5-alpha | |
| Torproject Tor | =0.3.2.6-alpha | |
| Torproject Tor | =0.3.2.7-rc | |
| Torproject Tor | =0.3.2.8-rc | |
| Torproject Tor | =0.3.2.9 | |
| Debian Debian Linux | =9.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://trac.torproject.org/projects/tor/ticket/25074
- https://blog.torproject.org/new-stable-tor-releases-security-fixes-and-dos-prevention-03210-03110-02915
- https://gitweb.torproject.org/tor.git/commit/?id=65f2eec694f18a64291cc85317b9f22dacc1d8e4
- https://security-tracker.debian.org/tracker/CVE-2018-0490
- https://www.debian.org/security/2018/dsa-4183
Frequently Asked Questions
What is CVE-2018-0490?
CVE-2018-0490 is a vulnerability in Tor that allows remote attackers to cause a denial of service via a misformatted protocol-list subprotocol implementation, resulting in a NULL pointer dereference and directory-authority crash.
What is the severity of CVE-2018-0490?
The severity of CVE-2018-0490 is high, with a CVSS score of 7.5.
How does CVE-2018-0490 impact Tor?
CVE-2018-0490 can cause a denial of service, leading to a crash of the Tor directory authority.
How can I fix CVE-2018-0490?
To fix CVE-2018-0490, it is recommended to update Tor to version 0.3.5.16-1 or later.
Where can I find more information about CVE-2018-0490?
You can find more information about CVE-2018-0490 in the Tor Project's ticket and blog post, as well as the Git commit related to the vulnerability.
- collector/security-tracker-debian
- collector/nvd-index
- agent/severity
- agent/author
- agent/references
- agent/tags
- agent/type
- agent/description
- agent/event
- agent/softwarecombine
- agent/first-publish-date
- agent/last-modified-date
- agent/weakness
- collector/mitre-cve
- source/MITRE
- package-manager/debian
- vendor/torproject
- canonical/torproject tor
- version/torproject tor/0.2.9.14
- version/torproject tor/0.3.1.7
- version/torproject tor/0.3.1.9
- version/torproject tor/0.3.1.1-alpha
- version/torproject tor/0.3.1.2-alpha
- version/torproject tor/0.3.1.3-alpha
- version/torproject tor/0.3.1.4-alpha
- version/torproject tor/0.3.1.5-alpha
- version/torproject tor/0.3.1.6-rc
- version/torproject tor/0.3.2.1-alpha
- version/torproject tor/0.3.2.2-alpha
- version/torproject tor/0.3.2.3-alpha
- version/torproject tor/0.3.2.4-alpha
- version/torproject tor/0.3.2.5-alpha
- version/torproject tor/0.3.2.6-alpha
- version/torproject tor/0.3.2.7-rc
- version/torproject tor/0.3.2.8-rc
- version/torproject tor/0.3.2.9
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0