High severity 7.5 · NVD Advisory · Published Dec 5, 2017 · Updated May 13, 2026

CVE-2016-1254

Description

Tor before 0.2.8.12 might allow remote attackers to cause a denial of service (client crash) via a crafted hidden service descriptor.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Tor clients before 0.2.8.12 can crash when parsing a crafted hidden service descriptor, leading to denial of service.

Vulnerability

A parsing flaw exists in Tor versions prior to 0.2.8.12 (bug 21018, introduced in 0.2.0.8-alpha). When a client attempts to fetch a hidden service descriptor, a specially crafted descriptor can trigger an off-by-one read past the end of an allocated memory region [1]. This vulnerability is present in the descriptor parsing code and affects all clients running an affected version [1].

Exploitation

An attacker who operates a malicious hidden service can craft a descriptor that exploits the parsing bug. When a Tor client (version 0.2.0.8-alpha through 0.2.8.11) attempts to visit that hidden service, the crafted descriptor is processed by the client, causing the out-of-bounds read [1]. No special network position or authentication is required beyond the ability to publish a hidden service descriptor.

Impact

Successful exploitation causes a denial of service: the Tor client crashes [1]. For builds configured with --enable-expensive-hardening, the crash is reliably triggered [1]. Non-hardened clients may crash depending on their platform's memory allocator behavior [1]. The impact is limited to client availability; no code execution or information disclosure is indicated in the available references.

Mitigation

Upgrade to Tor 0.2.8.12 or later, released on 2016-12-19 [1]. Users on the 0.2.9 branch should upgrade to 0.2.9.8, which contains the same fix [1]. Fedora package updates were also made available [2][3]. No workaround is documented; upgrading is the recommended action.
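The following is an added example, not part of the advisory or of the Tor project's code, that classifies Tor version strings from an inventory against the ranges stated above. The `Tor version W.X.Y.Z` banner format and the treatment of 0.2.9.x releases before 0.2.9.8 as affected are assumptions; host names and banners are constructed.

```python
import re

# Version boundaries taken from the advisory text above.
INTRODUCED = (0, 2, 0, 8)   # 0.2.0.8-alpha, where bug 21018 was introduced
FIXED_028 = (0, 2, 8, 12)   # first fixed release on the 0.2.8 branch
FIXED_029 = (0, 2, 9, 8)    # release carrying the same fix on the 0.2.9 branch
# Status tags such as -alpha or -rc are ignored; only the four numbers are compared.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_tor_version(text):
    """Return the numeric 4-tuple of the first Tor-style version in text."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no Tor version found in {text!r}")
    return tuple(int(g) for g in m.groups())


def classify(text):
    """Classify a version string against the CVE-2016-1254 ranges."""
    version = parse_tor_version(text)
    if version < INTRODUCED:
        return "predates-bug"
    if version[:3] == (0, 2, 9):
        # Assumption: 0.2.9.x releases before 0.2.9.8 lack the fix.
        return "affected" if version < FIXED_029 else "fixed"
    return "affected" if version < FIXED_028 else "fixed"


def audit(inventory):
    """Map host -> verdict; unparseable banners are flagged, not skipped."""
    report = {}
    for host, banner in inventory.items():
        try:
            report[host] = classify(banner)
        except ValueError:
            report[host] = "unknown"
    return report


# Constructed sample inventory (host names and banners are made up).
SAMPLE = {
    "ws-01": "Tor version 0.2.8.11 (git-0000000000000000).",
    "ws-02": "Tor version 0.2.8.12.",
    "ws-03": "Tor version 0.2.9.7-rc.",
    "ws-04": "Tor version 0.2.9.8.",
    "ws-05": "tor: command not found",
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Hosts reported as `unknown` need a manual check rather than being assumed safe.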

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
