tor/changes/trove-2017-011
Nick Mathewson 1880a6a88e Avoid asking for passphrase on junky PEM input
Fixes bug 24246 and TROVE-2017-011.

This bug is so old, it's in Matej's code.  Seems to have been
introduced with e01522bbed.
2017-11-27 15:25:03 -05:00


  o Major bugfixes (security):
    - Fix a denial of service bug where an attacker could use a malformed
      directory object to cause a Tor instance to pause while OpenSSL would
      try to read a passphrase from the terminal. (If the terminal was not
      available, tor would continue running.) Fixes bug 24246; bugfix on
      every version of Tor. Also tracked as TROVE-2017-011 and
      CVE-2017-8821. Found by OSS-Fuzz as testcase 6360145429790720.
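
A defence-in-depth pre-check for the failure mode described above, as an added example that is neither Tor's code nor the fix from this commit: OpenSSL's PEM readers call their passphrase callback when a block carries an RFC 1421 header such as `Proc-Type: 4,ENCRYPTED` or an `ENCRYPTED` label, so this scanner rejects such input before it reaches the parser. The function and enum names are hypothetical, the samples are constructed, and the page does not say which form the OSS-Fuzz test case took.

```c
#include <stdio.h>
#include <string.h>

/* Added example; every name here is hypothetical, none is from Tor's source. */
enum pemchk { PEMCHK_OK, PEMCHK_HAS_HEADER, PEMCHK_ENCRYPTED_LABEL, PEMCHK_UNTERMINATED };

/* Return 1 if needle occurs in the n-byte line (which is not NUL-terminated). */
static int line_has(const char *p, size_t n, const char *needle) {
  size_t k = strlen(needle);
  for (size_t i = 0; i + k <= n; i++)
    if (memcmp(p + i, needle, k) == 0) return 1;
  return 0;
}

/* Scan untrusted PEM text line by line. Reject blocks whose label says
 * ENCRYPTED and blocks that carry any "Name: value" header line. */
enum pemchk pemchk_scan(const char *buf, size_t len) {
  int in_block = 0;
  for (size_t pos = 0; pos < len; ) {
    const char *line = buf + pos;
    const char *nl = memchr(line, '\n', len - pos);
    size_t n = nl ? (size_t)(nl - line) : len - pos;
    pos += n + (nl ? 1 : 0);
    if (n >= 11 && memcmp(line, "-----BEGIN ", 11) == 0) {
      if (line_has(line, n, "ENCRYPTED")) return PEMCHK_ENCRYPTED_LABEL;
      in_block = 1;
    } else if (n >= 9 && memcmp(line, "-----END ", 9) == 0) {
      in_block = 0;
    } else if (in_block && memchr(line, ':', n) != NULL) {
      return PEMCHK_HAS_HEADER;  /* base64 body lines never contain ':' */
    }
  }
  return in_block ? PEMCHK_UNTERMINATED : PEMCHK_OK;
}

/* Constructed samples; "AAAA" stands in for real key material. */
static const char SAMPLE_PLAIN[] =
  "-----BEGIN RSA PUBLIC KEY-----\nAAAA\n-----END RSA PUBLIC KEY-----\n";
static const char SAMPLE_HEADER[] = "-----BEGIN RSA PUBLIC KEY-----\n"
  "Proc-Type: 4,ENCRYPTED\n\nAAAA\n-----END RSA PUBLIC KEY-----\n";
static const char SAMPLE_LABEL[] = "-----BEGIN ENCRYPTED PRIVATE KEY-----\nAAAA\n"
  "-----END ENCRYPTED PRIVATE KEY-----\n";

int main(void) {
  const char *s[] = { SAMPLE_PLAIN, SAMPLE_HEADER, SAMPLE_LABEL };
  for (int i = 0; i < 3; i++)
    printf("sample %d -> %d\n", i, (int)pemchk_scan(s[i], strlen(s[i])));
  return 0;
}
```

A check like this only narrows the input; passing an explicit password callback to the `PEM_read_bio_*` call, so that OpenSSL's default terminal prompt is never reached, addresses the pause itself.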