[tor-bugs] #8976 [Tor]: rend_service_introduce() doesn't notice if the rendezvous point is on 127.0.0.1
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Mar 30 12:09:30 UTC 2016
#8976: rend_service_introduce() doesn't notice if the rendezvous point is on
127.0.0.1
--------------------+------------------------------------
Reporter: arma | Owner: teor
Type: defect | Status: closed
Priority: Medium | Milestone: Tor: 0.2.7.x-final
Component: Tor | Version: Tor: 0.2.3.21-rc
Severity: Normal | Resolution: fixed
Keywords: tor-hs | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor: SponsorR-must
--------------------+------------------------------------
Changes (by teor):
* keywords: tor-hs 027-backport => tor-hs
* status: needs_review => closed
* resolution: => fixed
Comment:
Replying to [comment:25 andrea]:
> Eh, backporting always does carry a small but non-zero risk of new bugs
> in the old branch, though - it's trading off two different versions of
> 'safe' rather than a question of 'better safe than sorry'. I think my
> preferred standard is something more like "plausibly exploitable, or fixes
> a crash/assert/memory leak level bug"

Fair enough - you have more experience with this than I do.

By that standard, I can't see a plausible way to exploit this - the
rendezvous protocol already allows client-specified rendezvous points.
It's a slight waste of resources, but that's not important enough.

It's also worth noting that this has just been merged, so it's not
received much testing in the alpha series. So the risk of introducing an
unintentional bug is higher.

Closing as "don't backport".
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8976#comment:26>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online