768526 – (CVE-2011-2778) CVE-2011-2778 Tor heap-based buffer overflow

Bug 768526 (CVE-2011-2778) - CVE-2011-2778 Tor heap-based buffer overflow

Summary: CVE-2011-2778 Tor heap-based buffer overflow

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	CVE-2011-2778
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	885974
Blocks:	885973
TreeView+	depends on / blocked

Reported:	2011-12-16 22:15 UTC by Kurt Seifried
Modified:	2019-09-29 12:49 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2013-03-26 15:13:57 UTC
Embargoed:

Attachments	(Terms of Use)

Description Kurt Seifried 2011-12-16 22:15:34 UTC

https://lists.torproject.org/pipermail/tor-talk/2011-December/022379.html

Tor 0.2.3.10-alpha fixes a critical heap-overflow security issue in
Tor's buffers code. Absolutely everybody should upgrade.

The bug relied on an incorrect calculation when making data continuous
in one of our IO buffers, if the first chunk of the buffer was
misaligned by just the wrong amount. The miscalculation would allow an
attacker to overflow a piece of heap-allocated memory. To mount this
attack, the attacker would need to either open a SOCKS connection to
Tor's SocksPort (usually restricted to localhost), or target a Tor
instance configured to make its connections through a SOCKS proxy
(which Tor does not do by default).

Good security practice requires that all heap-overflow bugs should be
presumed to be exploitable until proven otherwise, so we are treating
this as a potential code execution attack. Please upgrade immediately!
This bug does not affect bufferevents-based builds of Tor. Special
thanks to "Vektor" for reporting this issue to us!

This release also contains a few minor bugfixes for issues discovered
in 0.2.3.9-alpha.

https://www.torproject.org/download/download

Note that the tarball and git tags are signed by Nick Mathewson (gpg
key 165733EA) this time around.

Changes in version 0.2.3.10-alpha - 2011-12-16
  o Major bugfixes:
    - Fix a heap overflow bug that could occur when trying to pull
      data into the first chunk of a buffer, when that chunk had
      already had some data drained from it. Fixes CVE-2011-2778;
      bugfix on 0.2.0.16-alpha. Reported by "Vektor".

  o Minor bugfixes:
    - If we can't attach streams to a rendezvous circuit when we
      finish connecting to a hidden service, clear the rendezvous
      circuit's stream-isolation state and try to attach streams
      again. Previously, we cleared rendezvous circuits' isolation
      state either too early (if they were freshly built) or not at all
      (if they had been built earlier and were cannibalized). Bugfix on
      0.2.3.3-alpha; fixes bug 4655.
    - Fix compilation of the libnatpmp helper on non-Windows. Bugfix on
      0.2.3.9-alpha; fixes bug 4691. Reported by Anthony G. Basile.
    - Fix an assertion failure when a relay with accounting enabled
      starts up while dormant. Fixes bug 4702; bugfix on 0.2.3.9-alpha.

  o Minor features:
    - Update to the December 6 2011 Maxmind GeoLite Country database.

Comment 1 Fedora Update System 2012-01-11 06:15:44 UTC

tor-0.2.2.35-1601.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 2 Kurt Seifried 2012-12-11 08:23:16 UTC

Created tor tracking bugs for this issue

Affects: epel-5 [bug 885974]

Comment 3 Vincent Danen 2013-03-26 15:13:57 UTC

Current EPEL and Fedora provide 0.2.3.25 which includes this fix.

Note You need to log in before you can comment on or make changes to this bug.