On Oct 20, 2016, at 7:26 AM, Georgi Guninski <guninski@guninski.com> wrote:

On Thu, Oct 20, 2016 at 12:27:32AM -0400, grarpamp wrote:
For people using tor...

https://blog.torproject.org/blog/tor-0289-released-important-fixes
https://lists.torproject.org/pipermail/tor-dev/2016-October/011579.html

   * Fix memcpy buffer overrun in gethostbyaddr()
   * Fix memcpy() buffer overrun in gethostbyname()


Modifications of these were exploitable at least 20 years ago ;)

Probably tor will have hard time showing they are not exploitable,
especially when they lack exploit imagination.

Did I troll that tor allows remote code execution? (Certainly).


That's funny :). On the torsocks change list they just sort of blatantly slipped it in.

On the first link they actually seem to speak to it, although I think they underplay the implication -

"Major features (security fixes, also in 0.2.9.4-alpha):


John
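The bug class those two release-note lines name, as an added illustration that is not torsocks's or tor's code and makes no claim about where their overrun actually sat: a gethostbyaddr()/gethostbyname()-style wrapper that memcpy()s a caller-supplied number of bytes into the fixed-size static storage such wrappers keep for the struct hostent they return, beside the bounded version. Every name and buffer size below is constructed for the example.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical resolver wrapper, constructed for this example (not torsocks's
 * or tor's code). gethostbyname()/gethostbyaddr() return pointers into storage
 * the library owns, so wrappers keep static buffers like these for the reply. */
static struct hostent he;
static char he_name[256];                              /* hostname storage   */
static unsigned char he_addr[sizeof(struct in6_addr)]; /* 16 bytes, v4 or v6 */
static char *he_addr_list[2];
static char *he_alias_list[1];

/* Constructed input: 127.0.0.1 in network byte order. */
const unsigned char LOOPBACK4[4] = { 127, 0, 0, 1 };

static struct hostent *fill(int af, socklen_t len)
{
    he.h_name = he_name;
    he_alias_list[0] = NULL;
    he.h_aliases = he_alias_list;
    he.h_addrtype = af;
    he.h_length = (int)len;
    he_addr_list[0] = (char *)he_addr;
    he_addr_list[1] = NULL;
    he.h_addr_list = he_addr_list;
    return &he;
}

/* VULNERABLE shape: 'len' is trusted. A caller (or a proxy reply) supplying
 * len > 16 overruns he_addr and clobbers whatever the linker put after it.
 * Shown only for the bug's shape; never call it with len > sizeof he_addr. */
struct hostent *resolve_addr_unchecked(const void *addr, socklen_t len, int af)
{
    memcpy(he_addr, addr, len);          /* no bound on len */
    return fill(af, len);
}

/* HARDENED: len must equal the size the address family implies, and that
 * size must fit the destination. Both checks run before the copy, and an
 * oversized request is refused rather than truncated. */
struct hostent *resolve_addr_checked(const void *addr, socklen_t len, int af)
{
    socklen_t expect;
    if (af == AF_INET)       expect = sizeof(struct in_addr);   /* 4  */
    else if (af == AF_INET6) expect = sizeof(struct in6_addr);  /* 16 */
    else                     return NULL;                       /* unknown family */
    if (addr == NULL || len != expect || len > sizeof he_addr)
        return NULL;
    memcpy(he_addr, addr, len);
    he_name[0] = '\0';
    return fill(af, len);
}

/* Same discipline on the gethostbyname() side: the name is copied into the
 * fixed buffer only if it fits together with its terminator. Returns 1 on
 * success, 0 if the name is NULL or too long (bounded scan, no strnlen). */
int store_name_checked(const char *name)
{
    size_t n = 0;
    if (name == NULL) return 0;
    while (n < sizeof he_name && name[n] != '\0') n++;
    if (n >= sizeof he_name) return 0;   /* no room for the NUL */
    memcpy(he_name, name, n + 1);
    return 1;
}

/* Helper for exercising the limit: builds a name of n 'a's (n < 512) and
 * reports whether store_name_checked() accepted it. */
int name_of_length_fits(size_t n)
{
    char buf[512];
    if (n >= sizeof buf) return 0;
    memset(buf, 'a', n);
    buf[n] = '\0';
    return store_name_checked(buf);
}

int main(void)
{
    char text[INET6_ADDRSTRLEN];
    struct hostent *h = resolve_addr_checked(LOOPBACK4, sizeof LOOPBACK4, AF_INET);
    if (h != NULL) {
        inet_ntop(h->h_addrtype, h->h_addr_list[0], text, sizeof text);
        printf("accepted %s, h_length=%d\n", text, h->h_length);
    }
    printf("len=64 for AF_INET rejected: %s\n",
           resolve_addr_checked(LOOPBACK4, 64, AF_INET) == NULL ? "yes" : "no");
    printf("255-char name fits: %d, 256-char name fits: %d\n",
           name_of_length_fits(255), name_of_length_fits(256));
    return 0;
}
```

The point of the check is that the length used for the copy is derived from the address family the code already knows, not taken from whoever filled in the request, so the copy can never exceed what the static buffer holds.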