Opened 4 years ago

Closed 4 years ago

Last modified 3 years ago

#20384 closed defect (fixed)

TROVE-2016-10-001: out-of-bounds read on buffer chunks

Reported by: nickm
Owned by:
Priority: Very High
Milestone: Tor: 0.2.4.x-final
Component: Core Tor/Tor
Version:
Severity: Normal
Keywords:
Cc: teor
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description (last modified by nickm)

Placeholder ticket; see #20383 for "TROVE" backronym. Fix should go out in the next 48 hours. Severity is "Medium".

This is fixed in and The changelog says:

  Tor fixes a security hole in previous versions of Tor
  that would allow a remote attacker to crash a Tor client, hidden
  service, relay, or authority. All Tor users should upgrade to this
  version, or to Patches will be released for older versions
  of Tor.

  o Major features (security fixes):
    - Prevent a class of security bugs caused by treating the contents
      of a buffer chunk as if they were a NUL-terminated string. At
      least one such bug seems to be present in all currently used
      versions of Tor, and would allow an attacker to remotely crash
      most Tor instances, especially those compiled with extra compiler
      hardening. With this defense in place, such bugs can't crash Tor,
      though we should still fix them as they occur. Closes ticket
      20384 (TROVE-2016-10-001).
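The bug class named in the changelog, as an added C example that is not Tor's code: `chunk_t`, `chunk_new`, `chunk_append`, `find_unsafe` and `find_bounded` are hypothetical names, and the trailing sentinel byte is an assumed way to build a "can't crash" defense, since the ticket does not describe the mechanism.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical chunk type for illustration; not Tor's own struct. */
typedef struct chunk {
  size_t datalen, capacity;  /* valid bytes; usable bytes (sentinel excluded) */
  char *mem;
} chunk_t;

/* Allocate capacity bytes plus one sentinel NUL that is never counted as
 * data, so a stray str*() call stops inside the allocation. */
chunk_t *chunk_new(size_t capacity) {
  chunk_t *c = malloc(sizeof(*c));
  if (!c) return NULL;
  c->mem = calloc(capacity + 1, 1);  /* zeroed; mem[capacity] is the sentinel */
  if (!c->mem) { free(c); return NULL; }
  c->capacity = capacity; c->datalen = 0;
  return c;
}

/* Append as much of src as fits; returns the number of bytes copied. */
size_t chunk_append(chunk_t *c, const char *src, size_t n) {
  if (n > c->capacity - c->datalen) n = c->capacity - c->datalen;
  memcpy(c->mem + c->datalen, src, n);
  c->datalen += n;
  return n;
}

/* The bug class: assumes NUL termination. Without the sentinel this reads
 * past mem whenever the chunk is full of non-NUL bytes. */
const char *find_unsafe(const chunk_t *c, const char *needle) {
  return strstr(c->mem, needle);
}

/* The per-call fix: bounded by datalen, independent of any terminator. */
const char *find_bounded(const chunk_t *c, const char *needle) {
  size_t n = strlen(needle);
  if (n == 0 || n > c->datalen) return NULL;
  for (size_t i = 0; i + n <= c->datalen; i++)
    if (memcmp(c->mem + i, needle, n) == 0) return c->mem + i;
  return NULL;
}

int main(void) {
  chunk_t *c = chunk_new(8);
  if (!c || chunk_append(c, "ABCDEFGH", 8) != 8) return 1; /* constructed input */
  int ok = !find_unsafe(c, "ZZ") && find_bounded(c, "GH") == c->mem + 6;
  free(c->mem); free(c);
  return ok ? 0 : 1;
}
```

The sentinel only keeps the stray read inside the allocation: `find_unsafe` can still match stale bytes beyond `datalen`, which is why the changelog says such bugs should still be fixed as they occur.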


Attachments (1)

tor_20384.tar.gpg (3.5 KB) - added by nickm 4 years ago.


Change History (9)

comment:1 Changed 4 years ago by nickm

Description: modified (diff)
Resolution: fixed
Status: new → closed
Summary: TROVE-2016-10-001 → TROVE-2016-10-001: out-of-bounds read on buffer chunks

comment:2 Changed 4 years ago by nickm

I am attaching a tarball of patches for older versions.

Changed 4 years ago by nickm

Attachment: tor_20384.tar.gpg added

comment:3 Changed 4 years ago by nickm

The attached tarball is gpg-signed with my older key and my newer key. It has patches for 0.2.4, 0.2.5, and 0.2.6. The 0.2.6 patch should also apply cleanly to 0.2.7.

comment:4 Changed 4 years ago by cypherpunks

Resolution: fixed
Status: closed → reopened

Can we get new releases instead of just patches for 0.2.4, 0.2.5 and 0.2.7?

Otherwise we would have trouble cleanly implementing #20431.

comment:5 Changed 4 years ago by cypherpunks

Resolution: fixed
Status: reopened → closed

comment:6 Changed 3 years ago by nickm

(Now merged to 0.2.4 and forward.)

comment:7 Changed 3 years ago by nickm

Milestone: Tor: 0.2.9.x-final → Tor: 0.2.4.x-final

(The underlying issue is tracked at #20894)

comment:8 Changed 3 years ago by arma

FYI, I merged a changes entry to 0.2.[4567] so we are sure to remember to include it in the upcoming changelogs.
