[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-talk] Libevent CVE-2014-6272 does not affect Tor



Hi!

There's a security advisory for Libevent here:
   http://archives.seul.org/libevent/users/Jan-2015/msg00010.html
Briefly: there are integer overflows in the evbuffer code, such that
if an application can be tricked into trying add a ridiculously huge
amount of data to an evbuffer in a single chunk, there could be a heap
overflow or infinite loop.  (Most applications using libevent cannot
actually be tricked into doing this.)

Some of you will likely be wondering: "Tor uses Libevent. Does this affect Tor?"

The answer is:  this does not affect Tor.

1. In the way that most people build Tor, the relevant "evbuffer"
feature in Libevent is not used.

2. When Tor is compiled with the (experimental, rarely used)
--enable-bufferevents option, Tor doesn't actually work.  Also, I do
not believe that any of the Tor code for that case has any of the
programming mistakes that would turn the Libevent bug into a
vulnerability.

3. Some of our older pluggable transport code uses Libevent too.  On
an audit, I found that it does not appear to have any of the
programming mistakes that would turn the Libevent bug into a
vulnerability.

So, no worries here on the Tor front, if my analysis is right.

best wishes,
-- 
Nick
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk