Due to the recent takeover of Freenode IRC and Tox IRC channels being hostilely taken over by the new Freenode staff without any prior notice, we have moved our IRC presence to Libera Chat IRC. All Tox IRC channels have moved to Libera. Any Tox channel you see on Freenode (or any other network) is not official. You can see the up-to-date list of our IRC channels on the wiki. We are not the only project that has made the switch.

We would like to thank the cloud hosting company DigitalOcean for sponsoring the Tox project as part of their program for sponsoring open source projects.

DigitalOcean has been providing us with reliable cloud server infrastructure for free since July 2015 - for over 6 years now! They have been very generous with supporting us and a pleasure to work with. Just as an example, in 2018 we asked them for a seemingly outrageous $660 in credits as a budget for that year, which they provided us without any questions asked.

Most of our infrastructure is running on DigitalOcean, including our website, wiki, blog, bootstrap node list, mailing list, some of CI/build system cache, as well as the tox.chat domain - it’s using DigitalOcean as a name server. In the past we have also hosted a package repository for Debian, Ubuntu, CentOS, Fedora and F-Droid, as well as a Jenkins instance for our CI, on DigitalOcean.

DigitalOcean has renewed our sponsorship for 2022, so we will be using their services in 2022 too.

Rest assured, Tox the protocol doesn’t depend on any central servers in order to work, so even if all of our servers were to go down, you would still be able to use Tox.

A stack-based buffer overflow vulnerability was discovered in Toxcore’s networking code that allows a remote attacker to crash the Toxcore process or potentially execute arbitrary code by sending a specially crafted packet. The vulnerability was assigned the identifier CVE-2021-44847.

All users of Toxcore that don’t have UDP disabled are affected. An attacker, knowing the target’s DHT public key, IP and port, can easily craft a packet exploiting the vulnerability. DHT public key, IP and port are all public information, publicly available on the DHT, so an attacker can target any and all Toxcore users by scraping this information from the DHT. This attack can also be used to target DHT bootstrap nodes, thus making new users unable to connect to the DHT network.

Toxcore 0.2.13 has the vulnerability patched. We urge everyone to update to Toxcore 0.2.13 as soon as possible.

If you are unable to update at the moment, you can immediately mitigate the vulnerability by disabling UDP, as this vulnerability happens only on the UDP code path. If you are using a Tox client, look for an option to disable UDP or for a TCP-only mode option. If you are using the library directly, you can disable UDP via the tox_options_set_udp_enabled() API function call.

Thanks to sudden6 for finding and fixing the vulnerability, irungentoo for writing a proof-of-concept attack, and iphy and nurupo for analyzing the vulnerability.

The buffer being overflown is temp in the handle_request() function, located at DHT.c:365 in Toxcore 0.2.12. The overflow happens on the following line, a few stack frames inside the decrypt_data() function call, due to the 5th argument of decrypt_data() being incorrectly calculated. The 5th argument, length - CRYPTO_SIZE, incorrectly expands to length - 1 + 32 * 2 + 24, when the intention was for it to expand to length - (1 + 32 * 2 + 24). This allows decrypt_data() to write more data into the temp buffer than intended, overflowing the buffer and writing past the handle_request() function’s stack frame, smashing the stack.
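The macro expansion described in the CVE-2021-44847 analysis (length - CRYPTO_SIZE becoming length - 1 + 32 * 2 + 24), as an added example that is not Toxcore's code: it puts the unparenthesized and parenthesized macros side by side and models a handler whose two length checks reject the miscalculated value. The macro names, function names and the 128-byte buffer size are assumptions made for the illustration, and the copy routine is a stand-in, not a decryption function.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Header size from the advisory: 1 + 32 * 2 + 24. Macro names are hypothetical. */
#define HDR_UNPARENTHESIZED 1 + 32 * 2 + 24    /* textual expansion, as in the bug */
#define HDR_PARENTHESIZED   (1 + 32 * 2 + 24)  /* intended value: 89 */
#define TEMP_SIZE 128  /* constructed buffer size, not Toxcore's */

/* length - 1 + 32 * 2 + 24, which is length + 87 */
size_t payload_len_buggy(size_t length) { return length - HDR_UNPARENTHESIZED; }

/* length - (1 + 32 * 2 + 24), which is length - 89 */
size_t payload_len_fixed(size_t length) { return length - HDR_PARENTHESIZED; }

/* Stand-in for a decrypt routine: a plain copy (no cryptography) that is told
   the destination capacity and refuses anything larger. */
static int copy_checked(unsigned char *dst, size_t cap,
                        const unsigned char *src, size_t n) {
    if (n > cap) return -1;
    memcpy(dst, src, n);
    return (int)n;
}

/* Model of a handler with two guards: the payload length must not exceed the
   bytes that follow the header, and must fit the destination buffer.
   Returns bytes written to temp, or -1 if the packet is rejected. */
int handle_request_model(const unsigned char *packet, size_t length, int use_buggy_len) {
    unsigned char temp[TEMP_SIZE];
    size_t hdr = (size_t)HDR_PARENTHESIZED;
    if (length < hdr) return -1;                 /* too short to hold a header */
    size_t n = use_buggy_len ? payload_len_buggy(length) : payload_len_fixed(length);
    if (n > length - hdr) return -1;             /* claims more than the packet holds */
    return copy_checked(temp, sizeof temp, packet + hdr, n);
}

int main(void) {
    unsigned char packet[100] = {0};             /* constructed sample packet */
    printf("buggy len=%zu fixed len=%zu\n",
           payload_len_buggy(sizeof packet), payload_len_fixed(sizeof packet));
    printf("fixed macro: %d\n", handle_request_model(packet, sizeof packet, 0));
    printf("buggy macro: %d\n", handle_request_model(packet, sizeof packet, 1));
    return 0;
}
```

The two results always differ by 176 bytes (2 × 88), so the miscalculated length is larger than the whole packet and is caught by the first guard regardless of the destination size.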