[SECURITY] [DSA-2136-1] New tor packages fix potential code execution

ID DEBIAN:DSA-2136-1:0A260
Type debian
Reporter Debian
Modified 2010-12-22T00:24:55


Debian Security Advisory DSA-2136-1                   security@debian.org
http://www.debian.org/security/                           Raphael Geissert
December 21, 2010                       http://www.debian.org/security/faq

Package        : tor
Vulnerability  : buffer overflow
Problem type   : remote
Debian-specific: no
CVE Id         : CVE-2010-1676

Willem Pinckaers discovered that Tor, a tool to enable online anonymity, does not correctly handle all data read from the network. By supplying specially crafted packets a remote attacker can cause Tor to overflow its heap, crashing the process. Arbitrary code execution has not been confirmed but there is a potential risk.

In the stable distribution (lenny), this update also includes an update of the IP address for the Tor directory authority gabelmoo and addresses a weakness in the package's postinst maintainer script.

For the stable distribution (lenny) this problem has been fixed in version

For the testing distribution (squeeze) and the unstable distribution (sid), this problem has been fixed in version

We recommend that you upgrade your tor packages.

Upgrade instructions

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>