Tor 0.2.3.10-alpha is out (security fix)

by erinn | December 16, 2011

Tor 0.2.3.10-alpha fixes a critical heap-overflow security issue in
Tor's buffers code. Absolutely everybody should upgrade.

The bug relied on an incorrect calculation when making data continuous
in one of our IO buffers, if the first chunk of the buffer was
misaligned by just the wrong amount. The miscalculation would allow an
attacker to overflow a piece of heap-allocated memory. To mount this
attack, the attacker would need to either open a SOCKS connection to
Tor's SocksPort (usually restricted to localhost), or target a Tor
instance configured to make its connections through a SOCKS proxy
(which Tor does not do by default).

Good security practice requires that all heap-overflow bugs should be
presumed to be exploitable until proven otherwise, so we are treating
this as a potential code execution attack. Please upgrade immediately!
This bug does not affect bufferevents-based builds of Tor. Special
thanks to "Vektor" for reporting this issue to us!
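The mechanism described above (and in the changelog entry for CVE-2011-2778 below) in a constructed model, added here as an example: this is not Tor's buffers.c, and the chunk layout, field names, sizes and function names are assumptions made for illustration. It contrasts the capacity formula that forgets how far the head of a chunk has been drained with the one that measures from the end of the live data, and shows a pullup that is bounded by the correct figure.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified model of a chunked IO buffer for illustrating the
 * bug class described above; this is not Tor's buffers.c. Each chunk owns
 * `memlen` bytes of storage (`mem`), `data` points at the first live byte
 * inside that storage, and `datalen` counts the live bytes. Draining bytes
 * from the head advances `data` and leaves `memlen` alone, so the live data
 * can sit "misaligned" some way into the allocation. */
#define CHUNK_MEM 64

typedef struct chunk {
    struct chunk *next;
    size_t datalen;
    size_t memlen;
    char *data;
    char mem[CHUNK_MEM];
} chunk_t;

static void chunk_init(chunk_t *c, chunk_t *next, char fill, size_t n) {
    assert(n <= CHUNK_MEM);
    memset(c, 0, sizeof(*c));
    c->next = next;
    c->memlen = CHUNK_MEM;
    c->data = c->mem;
    memset(c->data, fill, n);
    c->datalen = n;
}

/* Drain n bytes from the head of a chunk. */
static void chunk_drain(chunk_t *c, size_t n) {
    assert(n <= c->datalen);
    c->data += n;
    c->datalen -= n;
}

/* Wrong: subtracting datalen from memlen ignores how far `data` has
 * advanced into `mem`, so it overstates the free space by exactly the
 * number of bytes drained. A memcpy sized from this runs off the end of
 * the heap allocation. */
size_t capacity_ignoring_offset(const chunk_t *c) {
    return c->memlen - c->datalen;
}

/* Right: free space is whatever lies between the end of the live data and
 * the end of the allocation. */
size_t capacity_from_end_of_data(const chunk_t *c) {
    return (size_t)((c->mem + c->memlen) - (c->data + c->datalen));
}

/* Pull up to `want` bytes from later chunks into the first chunk so they are
 * contiguous, sized by the correct capacity so no write passes the
 * allocation. Returns the number of bytes moved. */
size_t pullup_safe(chunk_t *first, size_t want) {
    size_t moved = 0;
    while (first->next && moved < want) {
        chunk_t *src = first->next;
        size_t room = capacity_from_end_of_data(first);
        size_t n = want - moved;
        if (n > src->datalen) n = src->datalen;
        if (n > room) n = room;
        if (n == 0) break;                  /* first chunk is full */
        memcpy(first->data + first->datalen, src->data, n);
        first->datalen += n;
        chunk_drain(src, n);
        moved += n;
        if (src->datalen == 0) first->next = src->next;  /* src emptied */
    }
    assert(first->data + first->datalen <= first->mem + first->memlen);
    return moved;
}

/* How many bytes the wrong formula overstates after filling `fill` bytes
 * and draining `drain` of them from the head. */
size_t overstatement_after_drain(size_t fill, size_t drain) {
    chunk_t c;
    chunk_init(&c, NULL, 'a', fill);
    chunk_drain(&c, drain);
    return capacity_ignoring_offset(&c) - capacity_from_end_of_data(&c);
}

/* The advisory's scenario: first chunk partly drained, then a pullup that
 * asks for more than truly fits. Returns bytes moved by the safe pullup. */
size_t pullup_demo(void) {
    chunk_t second, first;
    chunk_init(&second, NULL, 'b', 50);
    chunk_init(&first, &second, 'a', 40);
    chunk_drain(&first, 30);                 /* 10 live bytes at mem+30 */
    /* Wrong formula says 54 bytes of room; only 24 really remain. */
    return pullup_safe(&first, 50);
}

int main(void) {
    printf("overstatement after draining 30 of 40 bytes: %zu\n",
           overstatement_after_drain(40, 30));
    printf("safe pullup moved %zu bytes\n", pullup_demo());
    return 0;
}
```

The overstatement equals the drained byte count, which is why the advisory says the first chunk had to be "misaligned by just the wrong amount": with enough drained from the head, the wrong formula sizes a copy that lands past the end of the heap allocation. The check to keep is the one in `pullup_safe`: compute room from the end of the live data, not from `memlen` alone.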

This release also contains a few minor bugfixes for issues discovered
in 0.2.3.9-alpha.

https://www.torproject.org/download

Changes in version 0.2.3.10-alpha - 2011-12-16

Major bugfixes

  • Fix a heap overflow bug that could occur when trying to pull
    data into the first chunk of a buffer, when that chunk had
    already had some data drained from it. Fixes CVE-2011-2778;
    bugfix on 0.2.0.16-alpha. Reported by "Vektor".

Minor bugfixes

  • If we can't attach streams to a rendezvous circuit when we
    finish connecting to a hidden service, clear the rendezvous
    circuit's stream-isolation state and try to attach streams
    again. Previously, we cleared rendezvous circuits' isolation
    state either too early (if they were freshly built) or not at all
    (if they had been built earlier and were cannibalized). Bugfix on
    0.2.3.3-alpha; fixes bug 4655.
  • Fix compilation of the libnatpmp helper on non-Windows. Bugfix on
    0.2.3.9-alpha; fixes bug 4691. Reported by Anthony G. Basile.
  • Fix an assertion failure when a relay with accounting enabled
    starts up while dormant. Fixes bug 4702; bugfix on 0.2.3.9-alpha.

Minor features

  • Update to the December 6 2011 Maxmind GeoLite Country database.

Comments

December 18, 2011

Today, 0.2.3.10-alpha cannot connect:

12月 19 12:10:40.209 [Debug] conn_close_if_marked(): Cleaning up connection (fd -1).
12月 19 12:10:40.231 [Debug] circuit_n_conn_done(): or_conn to RedDragon/38.229.70.51, status=0
12月 19 12:10:40.253 [Info] connection_or_note_state_when_broken(): Connection died in state 'connect()ing with SSL state (No SSL object)'
12月 19 12:10:40.275 [Debug] connection_remove(): removing socket -1 (type OR), n_conns now 7
12月 19 12:10:56.211 [Debug] resolve_my_address(): Guessed local host name as 'linuxgroup'
12月 19 12:10:56.244 [Debug] resolve_my_address(): Resolved Address to '202.200.119.202'.
12月 19 12:10:56.266 [Info] router_pick_published_address(): Success: chose address '202.200.119.202'.
12月 19 12:10:56.288 [Info] update_consensus_router_descriptor_downloads(): 0 router descriptors downloadable. 0 delayed; 2464 present (0 of those were in old_routers); 0 would_reject; 0 wouldnt_use; 0 in progress.
12月 19 12:10:56.312 [Debug] resolve_my_address(): Guessed local host name as 'linuxgroup'
12月 19 12:10:56.334 [Debug] resolve_my_address(): Resolved Address to '202.200.119.202'.
12月 19 12:10:56.357 [Info] router_pick_published_address(): Success: chose address '202.200.119.202'.
12月 19 12:10:56.379 [Debug] resolve_my_address(): Guessed local host name as 'linuxgroup'
12月 19 12:10:56.401 [Debug] resolve_my_address(): Resolved Address to '202.200.119.202'.
12月 19 12:10:56.423 [Info] router_pick_published_address(): Success: chose address '202.200.119.202'.
12月 19 12:10:56.445 [Info] routerlist_remove_old_routers(): We have 2464 live routers and 7800 old router descriptors.
12月 19 12:10:56.467 [Info] update_consensus_networkstatus_downloads(): Launching ns networkstatus consensus download.
12月 19 12:10:56.489 [Debug] resolve_my_address(): Guessed local host name as 'linuxgroup'
12月 19 12:10:56.511 [Debug] resolve_my_address(): Resolved Address to '202.200.119.202'.
12月 19 12:10:56.533 [Info] router_pick_published_address(): Success: chose address '202.200.119.202'.
12月 19 12:10:56.558 [Debug] smartlist_choose_node_by_bandwidth_weights(): Choosing node for rule weight as directory based on weights Wg=0.000000 Wm=1.000000 We=0.000000 Wd=0.134900 with total bw 3327162201.700001
12月 19 12:10:56.581 [Debug] resolve_my_address(): Guessed local host name as 'linuxgroup'
12月 19 12:10:56.603 [Debug] resolve_my_address(): Resolved Address to '202.200.119.202'.
12月 19 12:10:56.625 [Info] router_pick_published_address(): Success: chose address '202.200.119.202'.
12月 19 12:10:56.647 [Debug] directory_initiate_command_rend(): anonymized 0, use_begindir 1.
12月 19 12:10:56.668 [Debug] directory_initiate_command_rend(): Initiating consensus network-status fetch
12月 19 12:10:56.691 [Info] connection_ap_make_link(): Making internal direct tunnel to [scrubbed]:22 ...
12月 19 12:10:56.712 [Debug] connection_add_impl(): new conn type Socks, socket -1, address (Tor_internal), n_conns 7.
12月 19 12:10:56.733 [Debug] onion_pick_cpath_exit(): Launching a one-hop circuit for dir tunnel.
12月 19 12:10:56.755 [Info] onion_pick_cpath_exit(): Using requested exit node '$8F2CCB916A9407CB47EA3FF0B643B762F248B06B~Amunet12 at 199.48.147.46'
12月 19 12:10:56.776 [Debug] onion_extend_cpath(): Path is 0 long; we want 1
12月 19 12:10:56.797 [Debug] onion_extend_cpath(): Chose router $8F2CCB916A9407CB47EA3FF0B643B762F248B06B~Amunet12 at 199.48.147.46 for hop 1 (exit is Amunet12)
12月 19 12:10:56.819 [Debug] onion_extend_cpath(): Path is complete: 1 steps long
12月 19 12:10:56.840 [Debug] circuit_handle_first_hop(): Looking for firsthop '199.48.147.46:22'
12月 19 12:10:56.861 [Info] circuit_handle_first_hop(): Next router is [scrubbed]: Not connected. Connecting.
12月 19 12:10:56.882 [Debug] connection_connect(): Connecting to [scrubbed]:22.
12月 19 12:10:56.904 [Debug] connection_connect(): Connection to [scrubbed]:22 in progress (sock 18).
12月 19 12:10:56.925 [Debug] connection_add_impl(): new conn type OR, socket 18, address 199.48.147.46, n_conns 8.
12月 19 12:10:56.946 [Debug] circuit_handle_first_hop(): connecting in progress (or finished). Good.
12月 19 12:10:56.967 [Info] connection_ap_make_link(): ... application connection created and linked.
12月 19 12:10:56.988 [Debug] connection_add_impl(): new conn type Directory, socket -1, address 199.48.147.46, n_conns 9.
12月 19 12:10:57.011 [Info] directory_send_command(): Downloading consensus from 199.48.147.46:22 using /tor/status-vote/current/consensus/14C131+27B6B5+49015F+585769+805509+D586D1+E8A9C4+ED03BB.z
12月 19 12:10:57.032 [Debug] circuit_get_open_circ_or_launch(): one on the way!
12月 19 12:10:57.054 [Debug] conn_read_callback(): socket -1 wants to read.
12月 19 12:10:57.076 [Info] connection_edge_process_inbuf(): data from edge while in 'waiting for circuit' state. Leaving it on buffer.
12月 19 12:10:57.097 [Info] connection_edge_process_inbuf(): data from edge while in 'waiting for circuit' state. Leaving it on buffer.
12月 19 12:10:57.119 [Debug] connection_dir_finished_flushing(): client finished sending command.
12月 19 12:10:57.140 [Debug] conn_write_callback(): socket 18 wants to write.
12月 19 12:10:57.161 [Debug] connection_or_finished_connecting(): OR connect() to router at 199.48.147.46:22 finished.
12月 19 12:10:57.182 [Debug] connection_tls_start_handshake(): starting TLS handshake on fd 18
12月 19 12:10:57.205 [Debug] tor_tls_handshake(): About to call SSL_connect on 0xb9d9a4d8 (Unknown state 24576)
12月 19 12:10:57.227 [Debug] tor_tls_debug_state_callback(): SSL 0xb96d9968 is now in state Unknown state 20480 [type=16,val=1].
12月 19 12:10:57.248 [Debug] tor_tls_debug_state_callback(): SSL 0xb96d9968 is now in state Unknown state 20480 [type=4097,val=1].
12月 19 12:10:57.270 [Debug] tor_tls_debug_state_callback(): SSL 0xb96d9968 is now in state SSL23_ST_CW_CLNT_HELLO_A [type=4097,val=1].
12月 19 12:10:57.291 [Debug] tor_tls_debug_state_callback(): SSL 0xb96d9968 is now in state SSL23_ST_CR_SRVR_HELLO_A [type=4098,val=-1].
12月 19 12:10:57.312 [Debug] tor_tls_handshake(): After call, 0xb9d9a4d8 was in state SSL23_ST_CR_SRVR_HELLO_A
12月 19 12:10:57.334 [Debug] connection_tls_continue_handshake(): wanted read
12月 19 12:10:57.355 [Debug] tor_tls_handshake(): About to call SSL_connect on 0xb9d9a4d8 (SSL23_ST_CR_SRVR_HELLO_A)
12月 19 12:10:57.376 [Debug] tor_tls_debug_state_callback(): SSL 0xb96d9968 is now in state SSL23_ST_CR_SRVR_HELLO_A [type=4098,val=-1].
12月 19 12:10:57.397 [Debug] connection_tls_continue_handshake(): wanted read
12月 19 12:10:57.419 [Debug] conn_read_callback(): socket 18 wants to read.
12月 19 12:10:57.440 [Debug] tor_tls_handshake(): About to call SSL_connect on 0xb9d9a4d8 (SSL23_ST_CR_SRVR_HELLO_A)
12月 19 12:10:57.461 [Debug] tor_tls_debug_state_callback(): SSL 0xb96d9968 is now in state SSL23_ST_CR_SRVR_HELLO_A [type=4098,val=-1].
12月 19 12:10:57.482 [Info] TLS error: (errno=104: Connection reset by peer; state=SSL23_ST_CR_SRVR_HELLO_A)
12月 19 12:10:57.504 [Info] connection_tls_continue_handshake(): tls error [connection reset]. breaking connection.
12月 19 12:10:57.526 [Debug] conn_close_if_marked(): Cleaning up connection (fd -1).
12月 19 12:10:57.547 [Debug] circuit_n_conn_done(): or_conn to Amunet12/199.48.147.46, status=0
12月 19 12:10:57.569 [Info] circuit_n_conn_done(): or_conn failed. Closing circ.
12月 19 12:10:57.590 [Info] circuit_build_failed(): Our circuit died before the first hop with no connection
12月 19 12:10:57.618 [Info] connection_ap_fail_onehop(): Closing one-hop stream to '$8F2CCB916A9407CB47EA3FF0B643B762F248B06B/199.48.147.46' because the OR conn just failed.
12月 19 12:10:57.639 [Debug] circuit_increment_failure_count(): n_circuit_failures now 1.
12月 19 12:10:57.660 [Info] connection_or_note_state_when_broken(): Connection died in state 'handshaking (TLS) with SSL state SSL23_ST_CR_SRVR_HELLO_A in HANDSHAKE'
12月 19 12:10:57.682 [Warning] Problem bootstrapping. Stuck at 85%: Finishing handshake with first hop. (DONE; DONE; count 190; recommendation warn)
12月 19 12:10:57.704 [Warning] 190 connections have failed:
12月 19 12:10:57.725 [Warning] 108 connections died in state connect()ing with SSL state (No SSL object)
12月 19 12:10:57.746 [Warning] 80 connections died in state handshaking (TLS) with SSL state SSL23_ST_CR_SRVR_HELLO_A in HANDSHAKE
12月 19 12:10:57.769 [Warning] 2 connections died in state handshaking (TLS) with SSL state SSL23_ST_CW_CLNT_HELLO_B in HANDSHAKE

December 21, 2011

We have just managed to get our first Chinese user over that horrible firewall, using the 0.2.3.10-alpha.

We used a private bridge that is not updated in the bridge list directory.

We are over the moon to have achieved this.
This either means that the handshake was not detected by the Chinese firewall, or that it was temporarily down. We are not sure yet.

We just need some way to get this into the wider Chinese community.

We are over the moon though so far

T-H-A-N-K Y-O-U Tor community.

0.2.3.10-alpha did not contain any changes that would bypass GFW detection.

I think that GFW simply stopped blocking Tor traffic since a few weeks ago. They will probably start blocking again soon and people are working on bypassing GFW detection (see https://trac.torproject.org/projects/tor/ticket/4185 and https://trac.torproject.org/projects/tor/ticket/4744).