[tor-commits] [tor/master] Changelog and blurb for 0.2.3.10-alpha

nickm at torproject.org nickm at torproject.org
Fri Dec 16 16:59:38 UTC 2011 

commit a7b5e72463f2cc1bb7beac3aa7cd375779ae0984
Author: Nick Mathewson <nickm at torproject.org>
Date:   Thu Dec 15 11:59:09 2011 -0500

    Changelog and blurb for 0.2.3.10-alpha
---
 ChangeLog          |   29 ++++++++++++++++++++++++++---
 changes/buffer_bug |    7 -------
 2 files changed, 26 insertions(+), 10 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 2fe0711..c01539c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,30 @@
-Changes in version 0.2.3.10-alpha - 201?-??-??
+Changes in version 0.2.3.10-alpha - 2011-12-16
+  Tor 0.2.3.10-alpha fixes a critical heap-overflow security issue in Tor's
+  buffers code. Absolutely everybody should upgrade.
+
+  The bug relied on an incorrect calculation when making data continuous
+  in one of our IO buffers, if the first chunk of the buffer was
+  misaligned by just the wrong amount. The miscalculation would allow an
+  attacker to overflow a piece of heap-allocated memory. To mount this
+  attack, the attacker would need to either open a SOCKS connection to
+  Tor's SocksPort (usually restricted to localhost), or target a Tor
+  instance configured to make its connections through a SOCKS proxy
+  (which Tor does not do by default).
+
+  Good security practice requires that all heap-overflow bugs should be
+  presumed to be exploitable until proven otherwise, so we are treating
+  this as a potential code execution attack. Please upgrade immediately!
+  This bug does not affect bufferevents-based builds of Tor. Special
+  thanks to "Vektor" for reporting this issue to us!
+
+  This release also contains a few minor bugfixes for issues
+  discovered in 0.2.3.9-alpha.
 
+  o Major bugfixes:
+    - Fix a heap overflow bug that could occur when trying to pull
+      data into the first chunk of a buffer, when that chunk had
+      already had some data drained from it. Fixes CVE-2011-2778;
+      bugfix on 0.2.0.16-alpha. Reported by "Vektor".
 
   o Minor bugfixes:
     - If we can't attach streams to a rendezvous circuit when we
@@ -11,8 +36,6 @@ Changes in version 0.2.3.10-alpha - 201?-??-??
       Bugfix on 0.2.3.3-alpha; fixes bug 4655.
     - Fix compilation of the libnatpmp helper on non-Windows. Bugfix on
       0.2.3.9-alpha; fixes bug 4691. Reported by Anthony G. Basile.
-
-  o Minor bugfixes:
     - Fix an assertion failure when a relay with accounting enabled
       starts up while dormant.  Fixes bug 4702; bugfix on
       0.2.3.9-alpha.
diff --git a/changes/buffer_bug b/changes/buffer_bug
deleted file mode 100644
index 634f609..0000000
--- a/changes/buffer_bug
+++ /dev/null
@@ -1,7 +0,0 @@
-
-  o Major bugfixes:
-    - Fix a heap overflow bug that could occur when trying to pull
-      data into the first chunk of a buffer, when that chunk had
-      already had some data drained from it. Fixes CVE-2011-2778;
-      bugfix on 0.2.0.16-alpha. Reported by "Vektor".
-

More information about the tor-commits mailing list