summary: New glibc bug. If you use glibc, install your vendor's patches as they become available. Tor is not an easy target for this attack, but you should upgrade anyway.
Hello, all! There's apparently a new buffer overflow vulnerability in glibc, with a patch out today. If you are running some GNU/linux distribution that uses the GNU C library, then you should upgrade as soon as your distribution has a patch. (And if they don't get a patch for you soon, maybe you should switch to a distribution that fixes security holes promptly.) More info abouve CVE-2015-7547 here: * https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html If I'm reading Tor's code correctly, and if I'm reading the vulnerability description correctly, Tor should not be an easy target here. Tor never uses glibc's resolver to make DNS requests for any attacker-controlled addresses. So in order to mount an attack based on the this vulnerability, I think you'd need to successfully take over one of somebody's configured addresses, first by figuring out what they're resolving, and then either by compromising an appropriate DNS server or running an appropriate DNS cache poisoning attack. Of course, glibc users should upgrade anyway, for a few reasons: * Tor is not the only program you are running; some other program is probably affected. * My analysis could be wrong. * Who knows, your nameserver might be evil or MITM'd. Stay safe out there! -- Nick -- tor-talk mailing list - [email protected] To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
