[tor-commits] [tor/master] explain that bug 5090 allows a post-auth heap overflow
arma at torproject.org
arma at torproject.org
Mon Mar 26 03:10:29 UTC 2012
commit bca8bf62c6683374321cd2a306b6455e441661b9
Author: Roger Dingledine <arma at torproject.org>
Date: Sun Mar 25 23:09:23 2012 -0400
explain that bug 5090 allows a post-auth heap overflow
resolves bug 5402.
---
ChangeLog | 7 +++++--
1 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 5de4d63..a6dc608 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -43,8 +43,11 @@ Changes in version 0.2.3.13-alpha - 2012-03-1?
- Detect and reject certain misformed escape sequences in
configuration values. Previously, these values would cause us
to crash if received in a torrc file or over an (authenticated)
- control port. Bug found by Esteban Manchado Velázquez. Patch by
- "flupzor". Fixes bug 5090; bugfix on 0.2.0.16-alpha.
+ control port. Bug found by Esteban Manchado Velázquez, and
+ independently by Robert Connolly from Matta Consulting who further
+ noted that it allows a post-authentication heap overflow. Patch
+ by "flupzor". Fixes bugs 5090 and 5402 (CVE 2012-1668); bugfix
+ on 0.2.0.16-alpha.
- Ensure that variables set in Tor's environment cannot override
environment variables which Tor tries to pass to a managed
pluggable-transport proxy. Previously, Tor would pass every
More information about the tor-commits
mailing list