[tor-talk] Tor is out (security fix)

Roger Dingledine arma at mit.edu
Fri Dec 16 18:06:14 UTC 2011

Tor fixes a critical heap-overflow security issue in
Tor's buffers code. Absolutely everybody should upgrade.

The bug relied on an incorrect calculation when making data continuous
in one of our IO buffers, if the first chunk of the buffer was
misaligned by just the wrong amount. The miscalculation would allow an
attacker to overflow a piece of heap-allocated memory. To mount this
attack, the attacker would need to either open a SOCKS connection to
Tor's SocksPort (usually restricted to localhost), or target a Tor
instance configured to make its connections through a SOCKS proxy
(which Tor does not do by default).

Good security practice requires that all heap-overflow bugs should be
presumed to be exploitable until proven otherwise, so we are treating
this as a potential code execution attack. Please upgrade immediately!
This bug does not affect bufferevents-based builds of Tor. Special
thanks to "Vektor" for reporting this issue to us!

This release also contains a few minor bugfixes for issues discovered


Note that the tarball and git tags are signed by Nick Mathewson (gpg
key 165733EA) this time around.

Changes in version - 2011-12-16
  o Major bugfixes:
    - Fix a heap overflow bug that could occur when trying to pull
      data into the first chunk of a buffer, when that chunk had
      already had some data drained from it. Fixes CVE-2011-2778;
      bugfix on Reported by "Vektor".

  o Minor bugfixes:
    - If we can't attach streams to a rendezvous circuit when we
      finish connecting to a hidden service, clear the rendezvous
      circuit's stream-isolation state and try to attach streams
      again. Previously, we cleared rendezvous circuits' isolation
      state either too early (if they were freshly built) or not at all
      (if they had been built earlier and were cannibalized). Bugfix on; fixes bug 4655.
    - Fix compilation of the libnatpmp helper on non-Windows. Bugfix on; fixes bug 4691. Reported by Anthony G. Basile.
    - Fix an assertion failure when a relay with accounting enabled
      starts up while dormant. Fixes bug 4702; bugfix on

  o Minor features:
    - Update to the December 6 2011 Maxmind GeoLite Country database.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 190 bytes
Desc: Digital signature
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20111216/55546e20/attachment.pgp>

More information about the tor-talk mailing list