Debian Security Advisory

DSA-2136-1 tor -- buffer overflow

Date Reported:
21 Dec 2010
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2010-1676.
More information:

Willem Pinckaers discovered that Tor, a tool to enable online anonymity, does not correctly handle all data read from the network. By supplying specially crafted packets a remote attacker can cause Tor to overflow its heap, crashing the process. Arbitrary code execution has not been confirmed but there is a potential risk.

In the stable distribution (lenny), this update also includes an update of the IP address for the Tor directory authority gabelmoo and addresses a weakness in the package's postinst maintainer script.

For the stable distribution (lenny) this problem has been fixed in version

For the testing distribution (squeeze) and the unstable distribution (sid), this problem has been fixed in version

We recommend that you upgrade your tor packages.