Opened 14 months ago

Closed 14 months ago

Last modified 10 months ago

#20384 closed defect (fixed)

TROVE-2016-10-001: out-of-bounds read on buffer chunks

Reported by: nickm
Owned by:
Priority: Very High
Milestone: Tor: 0.2.4.x-final
Component: Core Tor/Tor
Version:
Severity: Normal
Keywords:
Cc: teor
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description (last modified by nickm)

Placeholder ticket; see #20383 for "TROVE" backronym. Fix should go out in 0.2.9.4-alpha in the next 48 hours. Severity is "Medium".

This is fixed in 0.2.8.9 and 0.2.9.4-alpha. The changelog says:

  Tor 0.2.9.4-alpha fixes a security hole in previous versions of Tor
  that would allow a remote attacker to crash a Tor client, hidden
  service, relay, or authority. All Tor users should upgrade to this
  version, or to 0.2.8.9. Patches will be released for older versions
  of Tor.

  o Major features (security fixes):
    - Prevent a class of security bugs caused by treating the contents
      of a buffer chunk as if they were a NUL-terminated string. At
      least one such bug seems to be present in all currently used
      versions of Tor, and would allow an attacker to remotely crash
      most Tor instances, especially those compiled with extra compiler
      hardening. With this defense in place, such bugs can't crash Tor,
      though we should still fix them as they occur. Closes ticket
      20384 (TROVE-2016-10-001).
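
The bug class named in the changelog, shown as an added example that is not Tor's code and is not taken from this ticket: a chunk whose payload length is tracked explicitly, a length-bounded lookup, and a zeroed guard region after the payload so that a mistaken string call stops inside the allocation. The ticket does not describe how the defense works; the guard region, `chunk_t`, `SENTINEL_LEN` and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SENTINEL_LEN 4 /* assumed size of the zeroed guard region */

/* Illustrative chunk: payload length is tracked explicitly, never implied by a NUL. */
typedef struct { size_t capacity, datalen; char *data; } chunk_t;

/* Allocate capacity + SENTINEL_LEN zeroed bytes; the guard is never written. */
static chunk_t *chunk_new(size_t capacity) {
    chunk_t *c = malloc(sizeof(*c));
    if (!c) return NULL;
    c->data = calloc(1, capacity + SENTINEL_LEN);
    if (!c->data) { free(c); return NULL; }
    c->capacity = capacity;
    c->datalen = 0;
    return c;
}

/* Append n bytes, refusing anything that would reach the guard region. */
static int chunk_append(chunk_t *c, const void *src, size_t n) {
    if (n > c->capacity - c->datalen) return -1;
    memcpy(c->data + c->datalen, src, n);
    c->datalen += n;
    return 0;
}

/* Correct lookup: bounded by datalen, so it cannot leave the payload. */
static long chunk_find_byte(const chunk_t *c, char ch) {
    const char *p = memchr(c->data, ch, c->datalen);
    return p ? (long)(p - c->data) : -1;
}

/* Defense in depth: a mistaken string call still stops inside the allocation. */
static size_t chunk_unsafe_strlen(const chunk_t *c) { return strlen(c->data); }

static void chunk_free(chunk_t *c) { if (c) { free(c->data); free(c); } }

int main(void) {
    chunk_t *c = chunk_new(8);
    if (!c) return 1;
    chunk_append(c, "GET /abc", 8); /* constructed input: fills the chunk, no NUL */
    printf("bounded find 'Z': %ld\n", chunk_find_byte(c, 'Z'));
    printf("stray strlen: %zu\n", chunk_unsafe_strlen(c));
    chunk_free(c);
    return 0;
}
```

The guard only contains the mistake; as the changelog says, callers that treat chunk contents as a string should still be fixed to use the tracked length.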

Attachments (1)

tor_20384.tar.gpg (3.5 KB) - added by nickm 14 months ago.

Change History (9)

comment:1 Changed 14 months ago by nickm

Description: modified (diff)
Resolution: fixed
Status: new → closed
Summary: TROVE-2016-10-001 → TROVE-2016-10-001: out-of-bounds read on buffer chunks

comment:2 Changed 14 months ago by nickm

I am attaching a tarball of patches for older versions.

Changed 14 months ago by nickm

Attachment: tor_20384.tar.gpg added

comment:3 Changed 14 months ago by nickm

The attached tarball is gpg-signed with my older key and my newer key. It has patches for 0.2.4, 0.2.5, and 0.2.6. The 0.2.6 patch should also apply cleanly to 0.2.7.

comment:4 Changed 14 months ago by cypherpunks

Resolution: fixed
Status: closed → reopened

Can we get new releases instead of just patches for 0.2.4, 0.2.5 and 0.2.7?

Otherwise we would have trouble cleanly implementing #20431.

comment:5 Changed 14 months ago by cypherpunks

Resolution: fixed
Status: reopened → closed

comment:6 Changed 12 months ago by nickm

(Now merged to 0.2.4 and forward.)

comment:7 Changed 10 months ago by nickm

Milestone: Tor: 0.2.9.x-final → Tor: 0.2.4.x-final

(The underlying issue is tracked at #20894)

comment:8 Changed 10 months ago by arma

FYI, I merged a changes entry to 0.2.[4567] so we are sure to remember to include it in the upcoming changelogs.
