On 10/19/2016 10:27 PM, grarpamp wrote:
For people using tor...
https://blog.torproject.org/blog/tor-0289-released-important-fixes
https://lists.torproject.org/pipermail/tor-dev/2016-October/011579.html
Huh? So in OSX, one can no longer "torsocks apt-get install foo"?
On Oct 20, 2016, at 12:55 AM, Mirimir <mirimir@riseup.net> wrote:
On 10/19/2016 10:27 PM, grarpamp wrote:
For people using tor...
https://blog.torproject.org/blog/tor-0289-released-important-fixes
https://lists.torproject.org/pipermail/tor-dev/2016-October/011579.html
Huh? So in OSX, one can no longer "torsocks apt-get install foo"?
You can disable the odious SIP feature in OSX. I don't know why torsocks bothers to check specifically for SIP, I guess it's a better error message than simply failing to write out anywhere but /usr/local/...
John
On Oct 20, 2016, at 7:13 AM, John Newman <jnn@synfin.org> wrote:
On Oct 20, 2016, at 12:55 AM, Mirimir <mirimir@riseup.net> wrote:
On 10/19/2016 10:27 PM, grarpamp wrote:
For people using tor...
https://blog.torproject.org/blog/tor-0289-released-important-fixes
https://lists.torproject.org/pipermail/tor-dev/2016-October/011579.html
Huh? So in OSX, one can no longer "torsocks apt-get install foo"?
You can disable the odious SIP feature in OSX. I don't know why torsocks bothers to check specifically for SIP, I guess it's a better error message than simply failing to write out anywhere but /usr/local/...
I misread - torsocks won't even run any SIP protected binary. Presumably this begins to work again when you disable SIP. Horrible "feature" in 10.11/10.12
John
On Thu, Oct 20, 2016 at 12:27:32AM -0400, grarpamp wrote:
For people using tor...
https://blog.torproject.org/blog/tor-0289-released-important-fixes
https://lists.torproject.org/pipermail/tor-dev/2016-October/011579.html
* Fix memcpy buffer overrun in gethostbyaddr()
* Fix memcpy() buffer overrun in gethostbyname()
Modifications of these were exploitable at least 20 years ago ;)
Probably tor will have hard time showing they are not exploitable, especially when they lack exploit imagination.
Did I troll that tor allows remote code execution? (Certainly).
On Oct 20, 2016, at 7:26 AM, Georgi Guninski <guninski@guninski.com> wrote:
On Thu, Oct 20, 2016 at 12:27:32AM -0400, grarpamp wrote:
For people using tor...
https://blog.torproject.org/blog/tor-0289-released-important-fixes
https://lists.torproject.org/pipermail/tor-dev/2016-October/011579.html
* Fix memcpy buffer overrun in gethostbyaddr()
* Fix memcpy() buffer overrun in gethostbyname()
Modifications of these were exploitable at least 20 years ago ;)
Probably tor will have hard time showing they are not exploitable, especially when they lack exploit imagination.
Did I troll that tor allows remote code execution? (Certainly).
That's funny :). On the torsocks change list they just sort of blatantly slipped it in. On the first link they actually seem to speak to it, although I think they underplay implication -
"Major features (security fixes, also in 0.2.9.4-alpha): Prevent a class of security bugs caused by treating the contents of a buffer chunk as if they were a NUL-terminated string. At least one such bug seems to be present in all currently used versions of Tor, and would allow an attacker to remotely crash most Tor instances, especially those compiled with extra compiler hardening. With this defense in place, such bugs can't crash Tor, though we should still fix them as they occur. Closes ticket 20384 (TROVE-2016-10-001)."
John
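The defense described in the quoted release note, sketched as an added example (not part of the thread and not Tor's code). It assumes the protection is a NUL sentinel kept just past a chunk's data; `chunk_t` and all function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical chunk type for illustration; not Tor's own structures. */
typedef struct {
    size_t cap;  /* usable data bytes in mem */
    size_t len;  /* bytes currently stored */
    char  *mem;  /* cap data bytes followed by 1 sentinel byte */
} chunk_t;

/* Allocate cap data bytes plus one zeroed sentinel byte that data never overwrites. */
chunk_t *chunk_new(size_t cap) {
    chunk_t *c = malloc(sizeof(*c));
    if (!c) return NULL;
    c->mem = calloc(cap + 1, 1);
    if (!c->mem) { free(c); return NULL; }
    c->cap = cap; c->len = 0;
    return c;
}

/* Append raw bytes; refuse anything that would not fit in the data area. */
int chunk_append(chunk_t *c, const void *data, size_t n) {
    if (n > c->cap - c->len) return -1;
    memcpy(c->mem + c->len, data, n);
    c->len += n;
    c->mem[c->len] = '\0';  /* keep a NUL directly after the stored data */
    return 0;
}

/* Correct, length-aware search: never relies on a terminator being present. */
long chunk_find_nul(const chunk_t *c) {
    const char *p = memchr(c->mem, '\0', c->len);
    return p ? (long)(p - c->mem) : -1;
}

/* The buggy pattern: chunk contents treated as a C string. With the sentinel
 * the read stops at offset len at the latest, still inside the allocation. */
size_t chunk_buggy_strlen(const chunk_t *c) {
    return strlen(c->mem);
}
void chunk_free(chunk_t *c) { if (c) { free(c->mem); free(c); } }

int main(void) {
    chunk_t *c = chunk_new(8);
    if (!c || chunk_append(c, "ABCDEFGH", 8) != 0) return 1; /* constructed input: full chunk, no NUL */
    printf("length-aware: %ld, strlen: %zu\n", chunk_find_nul(c), chunk_buggy_strlen(c));
    chunk_free(c);
    return 0;
}
```

Without the sentinel byte, the `strlen()` call on a full chunk would read past the allocation, which is the crash condition hardened builds turn into an abort.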
participants (4)
- Georgi Guninski
- grarpamp
- John Newman
- Mirimir