Clarify new intended strategy with TROVE-2021-001

We're going to disable this feature in all versions for now.

diff --git a/changes/ticket40286_minimal b/changes/ticket40286_minimal
index b8669debaa4938b472e4287c67ca3fac29cc5cae..6a04ca79eba1ff8e591a99e7df6324596d939ed3 100644 (file)
--- a/changes/ticket40286_minimal
+++ b/changes/ticket40286_minimal
@@ -1,5 +1,6 @@
-  o Major bugfixes (denial of service):
+  o Major bugfixes (security, denial of service):
     - Disable the dump_desc() function that we used to dump unparseable
       information to disk. It was called incorrectly in several places,
-      in a way that could lead to excessive CPU usage.
-      Fixes bug 40286; bugfix on 0.2.2.1-alpha.
+      in a way that could lead to excessive CPU usage.  Fixes bug 40286;
+      bugfix on 0.2.2.1-alpha. This bug is also tracked as
+      TROVE-2021-001 and CVE-2021-28089.

diff --git a/src/feature/dirparse/unparseable.c b/src/feature/dirparse/unparseable.c
index a547335452a09e0e9d2a0f13670b7e95bb48882b..1d623fe7018e030a2ae8c0f8b24aa202ea8bcb3c 100644 (file)
--- a/src/feature/dirparse/unparseable.c
+++ b/src/feature/dirparse/unparseable.c
@@ -493,8 +493,11 @@ dump_desc,(const char *desc, const char *type))
   tor_assert(desc);
   tor_assert(type);
 #ifndef TOR_UNIT_TESTS
-  /* On older versions of Tor we are disabling this function, since it
-   * can be called with strings that are far too long. */
+  /* For now, we are disabling this function, since it can be called with
+   * strings that are far too long.  We can turn it back on if we fix it
+   * someday, but we'd need to give it a length argument. A likelier
+   * resolution here is simply to remove this module entirely.  See tor#40286
+   * for background. */
   if (1)
     return;
 #endif