[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #12227 [Tor]: ASan stack-buffer-overflow in prune_v2_cipher_list -- not exploitable

Subject: Re: [tor-bugs] #12227 [Tor]: ASan stack-buffer-overflow in prune_v2_cipher_list -- not exploitable
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Sun, 08 Jun 2014 03:46:21 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sat, 07 Jun 2014 23:46:33 -0400
In-reply-to: <049.09fa98dd3bd90b53222f5f494c3bbae2@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
References: <049.09fa98dd3bd90b53222f5f494c3bbae2@xxxxxxxxxxxxxx>
Reply-to: tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#12227: ASan stack-buffer-overflow in prune_v2_cipher_list  -- not exploitable
---------------------------+---------------------------
     Reporter:  starlight  |      Owner:
         Type:  defect     |     Status:  new
     Priority:  normal     |  Milestone:
    Component:  Tor        |    Version:  Tor: 0.2.4.22
   Resolution:             |   Keywords:
Actual Points:             |  Parent ID:
       Points:             |
---------------------------+---------------------------

Comment (by starlight):

 After spending a day fixing this bug, I have
 to wonder, why is SSLv2 still active in the
 code?

 I gather SSLv2 is usually kept around as a way to
 force older software peers to negotiate to SSLv3
 or TLS.   However Tor OR relays only communicate
 with other OR relays and since SSLv2 has been
 deprecated for so long, why not just disable
 it entirely?

 Or is this bit of code strictly internal and
 exists to underpin the newer protocols?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12227#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

References:
- [tor-bugs] #12227 [Tor]: ASan stack-buffer-overflow in prune_v2_cipher_list -- not exploitable
  - From: Tor Bug Tracker & Wiki

Prev by Author: [tor-bugs] #12227 [Tor]: ASan stack-buffer-overflow in prune_v2_cipher_list -- not exploitable
Next by Author: [tor-bugs] #12228 [EFF-HTTPS Everywhere]: HTTPS everywhere in Chrome breaks target.com
Previous by thread: [tor-bugs] #12227 [Tor]: ASan stack-buffer-overflow in prune_v2_cipher_list -- not exploitable
Next by thread: Re: [tor-bugs] #12227 [Tor]: ASan stack-buffer-overflow in prune_v2_cipher_list -- not exploitable
Index(es):
- Author
- Thread