| Age | Commit message (Collapse) | Author | |
|---|---|---|---|
| 2016-12-20 | Add a one-word sentinel value of 0x0 at the end of each buf_t chunk | Nick Mathewson | |
| This helps protect against bugs where any part of a buf_t's memory is passed to a function that expects a NUL-terminated input. It also closes TROVE-2016-10-001 (aka bug 20384). | |||
| 2016-12-20 | Merge branch 'maint-0.2.5' into maint-0.2.6 | Nick Mathewson | |
| ("ours" merge because there is a separate 20384 patch for 026) | |||
| 2016-12-20 | Add a one-word sentinel value of 0x0 at the end of each buf_t chunk | Nick Mathewson | |
| This helps protect against bugs where any part of a buf_t's memory is passed to a function that expects a NUL-terminated input. | |||
| 2016-12-20 | Merge branch 'maint-0.2.4' into maint-0.2.5 | Nick Mathewson | |
| (ours merge -- there is a separate 0.2.5 patch for 20384.) | |||
| 2016-12-20 | Add a one-word sentinel value of 0x0 at the end of each buf_t chunk | Nick Mathewson | |
| This helps protect against bugs where any part of a buf_t's memory is passed to a function that expects a NUL-terminated input. | |||
| 2016-12-20 | Merge branch 'maint-0.2.6' into maint-0.2.7 | Nick Mathewson | |
| 2016-12-20 | Merge branch 'maint-0.2.5' into maint-0.2.6 | Nick Mathewson | |
| 2016-12-20 | Merge branch 'maint-0.2.4' into maint-0.2.5 | Nick Mathewson | |
| 2016-12-18 | Make log message warn about detected attempts to exploit 21018. | Nick Mathewson | |
| 2016-12-18 | Fix parsing bug with unecognized token at EOS | Nick Mathewson | |
| In get_token(), we could read one byte past the end of the region. This is only a big problem in the case where the region itself is (a) potentially hostile, and (b) not explicitly nul-terminated. This patch fixes the underlying bug, and also makes sure that the one remaining case of not-NUL-terminated potentially hostile data gets NUL-terminated. Fix for bug 21018, TROVE-2016-12-002, and CVE-2016-1254 | |||
| 2016-12-09 | Merge branch 'maint-0.2.6' into maint-0.2.7 | Nick Mathewson | |
| 2016-12-09 | Merge branch 'maint-0.2.5' into maint-0.2.6 | Nick Mathewson | |
| 2016-12-09 | Merge branch 'maint-0.2.4' into maint-0.2.5 | Nick Mathewson | |
| 2016-12-09 | Update geoip and geoip6 to the December 7 2016 database. | Karsten Loesing | |
| 2016-11-07 | Merge branch 'maint-0.2.6' into maint-0.2.7 | Nick Mathewson | |
| 2016-11-07 | Merge branch 'maint-0.2.5' into maint-0.2.6 | Nick Mathewson | |
| 2016-11-07 | Merge branch 'maint-0.2.4' into maint-0.2.5 | Nick Mathewson | |
| 2016-11-07 | Update geoip and geoip6 to the November 3 2016 database. | Karsten Loesing | |
| 2016-10-06 | Merge branch 'maint-0.2.6' into maint-0.2.7 | Nick Mathewson | |
| 2016-10-06 | Merge branch 'maint-0.2.5' into maint-0.2.6 | Nick Mathewson | |
| 2016-10-06 | Merge branch 'maint-0.2.4' into maint-0.2.5 | Nick Mathewson | |
| 2016-10-05 | Update geoip and geoip6 to the October 6 2016 database. | Karsten Loesing | |
| 2016-09-07 | Merge branch 'maint-0.2.6' into maint-0.2.7 | Nick Mathewson | |
| 2016-09-07 | Merge branch 'maint-0.2.5' into maint-0.2.6 | Nick Mathewson | |
| 2016-09-07 | Merge branch 'maint-0.2.4' into maint-0.2.5 | Nick Mathewson | |
| 2016-09-07 | Update geoip and geoip6 to the September 6 2016 database. | Karsten Loesing | |
| 2016-08-24 | Changes file for bifroest | Nick Mathewson | |
| 2016-08-24 | Replace Tonga with Bifroest. | Isis Lovecruft | |
| * FIXES #19728: https://bugs.torproject.org/19728 * CLOSES #19690: https://bugs.torproject.org/19690 | |||
| 2016-08-12 | Merge branch 'maint-0.2.6' into maint-0.2.7 | Nick Mathewson | |
| 2016-08-12 | Merge branch 'maint-0.2.5' into maint-0.2.6 | Nick Mathewson | |
| 2016-08-12 | Merge branch 'maint-0.2.4' into maint-0.2.5 | Nick Mathewson | |
| 2016-08-12 | Update geoip and geoip6 to the August 2 2016 database. | Karsten Loesing | |
| 2016-07-19 | Merge branch 'maint-0.2.6' into maint-0.2.7 | Nick Mathewson | |
| 2016-07-19 | Merge branch 'maint-0.2.5' into maint-0.2.6 | Nick Mathewson | |
| 2016-07-19 | Merge branch 'maint-0.2.4' into maint-0.2.5 | Nick Mathewson | |
| 2016-07-18 | Update geoip and geoip6 to the July 6 2016 database. | Karsten Loesing | |
| 2016-07-05 | Merge branch 'maint-0.2.6' into maint-0.2.7 | Nick Mathewson | |
| 2016-07-05 | Merge branch 'maint-0.2.5' into maint-0.2.6 | Nick Mathewson | |
| 2016-07-05 | Merge branch 'maint-0.2.4' into maint-0.2.5 | Nick Mathewson | |
| 2016-07-05 | whoops. changelog file for 19271. | Nick Mathewson | |
| 2016-07-05 | Merge branch 'maint-0.2.6' into maint-0.2.7 | Nick Mathewson | |
| 2016-07-05 | Merge branch 'maint-0.2.5' into maint-0.2.6 | Nick Mathewson | |
| 2016-07-05 | Merge branch 'maint-0.2.4' into maint-0.2.5 | Nick Mathewson | |
| 2016-07-03 | Remove urras as a default trusted directory authority | Sebastian Hahn | |
| It had been a directory authority since 0.2.1.20. | |||
| 2016-06-13 | Merge branch 'maint-0.2.6' into maint-0.2.7 | Nick Mathewson | |
| 2016-06-13 | Merge branch 'maint-0.2.5' into maint-0.2.6 | Nick Mathewson | |
| 2016-06-13 | Merge branch 'maint-0.2.4' into maint-0.2.5 | Nick Mathewson | |
| 2016-06-12 | Update geoip and geoip6 to the June 7 2016 database. | Karsten Loesing | |
| 2016-06-02 | Use tor_sscanf, not sscanf, in test_util.c. | Nick Mathewson | |
| Fixes the 0.2.7 case of bug #19213, which prevented mingw64 from working. | |||
| 2016-05-25 | Fix a dangling pointer issue in our RSA keygen code | Nick Mathewson | |
| If OpenSSL fails to generate an RSA key, do not retain a dangling pointer to the previous (uninitialized) key value. The impact here should be limited to a difficult-to-trigger crash, if OpenSSL is running an engine that makes key generation failures possible, or if OpenSSL runs out of memory. Fixes bug 19152; bugfix on 0.2.1.10-alpha. Found by Yuan Jochen Kang, Suman Jana, and Baishakhi Ray. This is potentially scary stuff, so let me walk through my analysis. I think this is a bug, and a backport candidate, but not remotely triggerable in any useful way. Observation 1a: Looking over the OpenSSL code here, the only way we can really fail in the non-engine case is if malloc() fails. But if malloc() is failing, then tor_malloc() calls should be tor_asserting -- the only way that an attacker could do an exploit here would be to figure out some way to make malloc() fail when openssl does it, but work whenever Tor does it. (Also ordinary malloc() doesn't fail on platforms like Linux that overcommit.) Observation 1b: Although engines are _allowed_ to fail in extra ways, I can't find much evidence online that they actually _do_ fail in practice. More evidence would be nice, though. Observation 2: We don't call crypto_pk_generate*() all that often, and we don't do it in response to external inputs. The only way to get it to happen remotely would be by causing a hidden service to build new introduction points. Observation 3a: So, let's assume that both of the above observations are wrong, and the attacker can make us generate a crypto_pk_env_t with a dangling pointer in its 'key' field, and not immediately crash. This dangling pointer will point to what used to be an RSA structure, with the fields all set to NULL. Actually using this RSA structure, before the memory is reused for anything else, will cause a crash. In nearly every function where we call crypto_pk_generate*(), we quickly use the RSA key pointer -- either to sign something, or to encode the key, or to free the key. The only exception is when we generate an intro key in rend_consider_services_intro_points(). In that case, we don't actually use the key until the intro circuit is opened -- at which point we encode it, and use it to sign an introduction request. So in order to exploit this bug to do anything besides crash Tor, the attacker needs to make sure that by the time the introduction circuit completes, either: * the e, d, and n BNs look valid, and at least one of the other BNs is still NULL. OR * all 8 of the BNs must look valid. To look like a valid BN, *they* all need to have their 'top' index plus their 'd' pointer indicate an addressable region in memory. So actually getting useful data of of this, rather than a crash, is going to be pretty damn hard. You'd have to force an introduction point to be created (or wait for one to be created), and force that particular crypto_pk_generate*() to fail, and then arrange for the memory that the RSA points to to in turn point to 3...8 valid BNs, all by the time the introduction circuit completes. Naturally, the signature won't check as valid [*], so the intro point will reject the ESTABLISH_INTRO cell. So you need to _be_ the introduction point, or you don't actually see this information. [*] Okay, so if you could somehow make the 'rsa' pointer point to a different valid RSA key, then you'd get a valid signature of an ESTABLISH_INTRO cell using a key that was supposed to be used for something else ... but nothing else looks like that, so you can't use that signature elsewhere. Observation 3b: Your best bet as an attacker would be to make the dangling RSA pointer actually contain a fake method, with a fake RSA_private_encrypt function that actually pointed to code you wanted to execute. You'd still need to transit 3 or 4 pointers deep though in order to make that work. Conclusion: By 1, you probably can't trigger this without Tor crashing from OOM. By 2, you probably can't trigger this reliably. By 3, even if I'm wrong about 1 and 2, you have to jump through a pretty big array of hoops in order to get any kind of data leak or code execution. So I'm calling it a bug, but not a security hole. Still worth patching. | |||
 |
index : tor | |
| Transit encryption and privacy out of the box | The Tor Project |
| aboutsummaryrefslogtreecommitdiff |