Two instances of remotely triggerable assertion failures have been corrected in upstream Tor 0.2.2.39 version ():
o Security fixes:
- Fix an assertion failure in tor_timegm() that could be triggered
by a badly formatted directory object. Bug found by fuzzing with
Radamsa. Fixes bug 6811; bugfix on 0.2.0.20-rc.
- Do not crash when comparing an address with port value 0 to an
address policy. This bug could have been used to cause a remote
assertion failure by or against directory authorities, or to
allow some applications to crash clients. Fixes bug 6690; bugfix
(compare address with port 0 to address policy case)
These issues affect the versions of the tor package, as shipped with Fedora release of 16 and 17. Please schedule an update.
These issues affect the version of the tor package, as shipped with Fedora EPEL 5. Please schedule an update.
Created tor tracking bugs for this issue
Affects: fedora-all [bug 856989]
Affects: epel-5 [bug 856990]
The compare_tor_addr_to_addr_policy function in or/policies.c in Tor
before 0.2.2.39, and 0.2.3.x before 0.2.3.21-rc, allows remote
attackers to cause a denial of service (assertion failure and daemon
exit) via a zero-valued port field that is not properly handled during
The tor_timegm function in common/util.c in Tor before 0.2.2.39, and
0.2.3.x before 0.2.3.22-rc, does not properly validate time values,
which allows remote attackers to cause a denial of service (assertion
failure and daemon exit) via a malformed directory object, a different
vulnerability than CVE-2012-4419.
tor-0.2.2.39-1800.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
tor-0.2.2.39-1700.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.