[tor-bugs] #12227 [Tor]: ASan stack-buffer-overflow in prune_v2_cipher_list -- not exploitable
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Jun 9 02:58:19 UTC 2014
#12227: ASan stack-buffer-overflow in prune_v2_cipher_list -- not exploitable
---------------------------+-------------------------------------
Reporter: starlight | Owner:
Type: defect | Status: needs_review
Priority: normal | Milestone: Tor: 0.2.5.x-final
Component: Tor | Version: Tor: 0.2.4.22
Resolution: | Keywords: tor-client 024-backport
Actual Points: | Parent ID:
Points: |
---------------------------+-------------------------------------
Comment (by nickm):
Replying to [comment:4 nickm]:
> The SSLv23_method() call is later modified by the SSL_OP_NO_SSLv2 flag.
Also: Using SSLv3_method() for our SSL objects would mean (IIUC) no TLS1;
and using TLSv1_method() would mean no accepting SSLv3. ISTR we had a
ticket about that long ago.
But IIUC, using SSLv3_method() or TLSv1_method() in
prune_v2_cipher_lists() would seem to be a fine thing to do.
Replying to [comment:5 cypherpunks]:
>get_cipher_by_char for SSLv23 is wrong and shouldn't be used. It messes
bytes and the same bytes shifts differently inside of cipher id.
Can we just switch prune_v2_cipher_list() to use SSLv3_method or
TLSv1_method() ? It looks to me like that would work, but it's late, my
brain is tired, and I haven't tested it yet.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12227#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list