[tor-talk] Another openssl advisory: Tor seems not to be affected



Hi, all!

It looks like there is an openssl security advisory affecting some but
not all of the ASN.1 parsing code. The announcement is here:

http://openssl.org/news/secadv_20120419.txt

And the full-disclosure posting is here:

http://seclists.org/fulldisclosure/2012/Apr/210

It looks like there is an openssl security advisory affecting some but
not all of the ASN.1 parsing code.  In short, the d2i_*_bio functions
and the d2i_*_fp functions are vulnerable to hostile input, but the
regular in-memory d2i_* functions, and the PEM_* functions, are not.
Tor only calls the safe d2i_* functions and the safe PEM_* functions,
and (as near as I can tell) doesn't call any part of OpenSSL that
calls an unsafe function.

So it appears that Tor is not affected by this.  (I invite everybody
to check my work here, of course.)

So if you saw the original announcement and were wondering, "Do I need
to upgrade my Tor's OpenSSL right now?" then the answer is "probably
not."  If you've got other programs that use OpenSSL, though, an
upgrade could be in order: with any luck, your operating system (or
the programs themselves) will handle that for you, if they've got a
decent security update system.

Just to be sure, future versions of the Tor packages we build ought to
ship with OpenSSL 1.0.1a or later.

yrs,
-- 
Nick
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
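For anyone taking up the invitation to check which OpenSSL decode calls a code base uses, here is an added example (not Tor's code and not part of the original post) that scans C source and buckets each `d2i_*` / `PEM_*` call site by the split the advisory draws: `d2i_*_bio` and `d2i_*_fp` on one side, in-memory `d2i_*` and `PEM_*` on the other. The sample source it scans is constructed for the example.

```python
"""Added example: audit C source for the OpenSSL ASN.1 decode-call families that
the 2012-04-19 advisory distinguishes.  Affected: d2i_*_bio and d2i_*_fp
(decode straight from a BIO or FILE*).  Not affected: in-memory d2i_* and PEM_*."""
import re

# Any OpenSSL d2i_* or PEM_* call site: identifier followed by '('.
CALL_RE = re.compile(r"\b((?:d2i|PEM)_\w+)\s*\(")
# C comments, blanked before scanning so a mention in a comment is not a hit.
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)


def classify(name):
    """Bucket one function name by the advisory's affected / unaffected split."""
    if name.startswith("PEM_"):
        return "pem_unaffected"
    if name.endswith("_bio") or name.endswith("_fp"):
        return "affected"
    return "in_memory_unaffected"


def audit(source):
    """Return {bucket: [(line_no, function_name), ...]} for every call site.

    Comments are replaced by the same number of newlines so reported line
    numbers still match the original file.
    """
    stripped = COMMENT_RE.sub(lambda m: "\n" * m.group(0).count("\n"), source)
    hits = {"affected": [], "in_memory_unaffected": [], "pem_unaffected": []}
    for line_no, line in enumerate(stripped.splitlines(), start=1):
        for m in CALL_RE.finditer(line):
            hits[classify(m.group(1))].append((line_no, m.group(1)))
    return hits


# Constructed sample, not Tor's code: a mix of the three call families.
SAMPLE = """\
#include <openssl/x509.h>
/* d2i_X509_bio() is mentioned here only in a comment */
X509 *a = d2i_X509(NULL, &p, len);          /* in-memory: unaffected */
RSA *b = d2i_RSAPublicKey(NULL, &p, len);
EVP_PKEY *c = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
X509 *d = d2i_X509_bio(in, NULL);           /* from a BIO: affected */
X509_CRL *e = d2i_X509_CRL_fp(fp, NULL);    /* from a FILE*: affected */
"""

if __name__ == "__main__":
    for bucket, calls in audit(SAMPLE).items():
        for line_no, name in calls:
            print(f"{bucket:22} line {line_no}: {name}")
```

A hit in the "affected" bucket only means the call reads from a BIO or FILE*; as the post notes, a library that wraps such a call internally would not show up in a scan of your own source.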