diff options
| author | Nick Mathewson <nickm@torproject.org> | 2016-05-25 09:27:47 -0400 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2016-05-25 09:27:47 -0400 |
| commit | a3ec811c2ee801bf6dd3d7f65c4997470e807c9d (patch) | |
| tree | 9b53d8af9639cb7ba9a012e9ffc9872ae17d0c7f /changes | |
| parent | 0ef36626ea0b3735d06360fde27100d33f2f5462 (diff) | |
| parent | fdfc528f85c11a1d29b6a67e32180278d1ca7cbb (diff) | |
| download | tor-a3ec811c2ee801bf6dd3d7f65c4997470e807c9d.tar.gz tor-a3ec811c2ee801bf6dd3d7f65c4997470e807c9d.zip | |
Merge branch 'maint-0.2.8'
Diffstat (limited to 'changes')
| -rw-r--r-- | changes/memarea_overflow | 7 | ||||
| -rw-r--r-- | changes/rsa_init_bug | 7 |
2 files changed, 14 insertions, 0 deletions
diff --git a/changes/memarea_overflow b/changes/memarea_overflow new file mode 100644 index 0000000000..8fdc38cc09 --- /dev/null +++ b/changes/memarea_overflow @@ -0,0 +1,7 @@ + o Minor bugfixes (pointer arithmetic): + - Fix a bug in memarea_alloc() that could have resulted in remote heap + write access, if Tor had ever passed an unchecked size to + memarea_alloc(). Fortunately, all the sizes we pass to memarea_alloc() + are pre-checked to be less than 128 kilobytes. Fixes bug 19150; bugfix + on 0.2.1.1-alpha. Bug found by Guido Vranken. + diff --git a/changes/rsa_init_bug b/changes/rsa_init_bug new file mode 100644 index 0000000000..6b5fb4f2f9 --- /dev/null +++ b/changes/rsa_init_bug @@ -0,0 +1,7 @@ + o Major bugfixes (key management): + - If OpenSSL fails to generate an RSA key, do not retain a dangling pointer + to the previous (uninitialized) key value. The impact here should be + limited to a difficult-to-trigger crash, if OpenSSL is running an + engine that makes key generation failures possible, or if OpenSSL runs + out of memory. Fixes bug 19152; bugfix on 0.2.1.10-alpha. Found by + Yuan Jochen Kang, Suman Jana, and Baishakhi Ray. |