Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 12 Sep 2012 19:23:48 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE id request: tor

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/12/2012 01:40 PM, Nico Golde wrote:
> Hi, * Kurt Seifried <kseifried@...hat.com> [2012-09-12 19:01]:
>> On 09/12/2012 06:34 AM, Nico Golde wrote:
>>> Hi, from the tor release notes[0]: Changes in version 0.2.2.39
>>> - 2012-09-11 Tor 0.2.2.39 fixes two more opportunities for
>>> remotely triggerable assertions.
>>> 
>>> o Security fixes: - Fix an assertion failure in tor_timegm()
>>> that could be triggered by a badly formatted directory object.
>>> Bug found by fuzzing with Radamsa. Fixes bug 6811; bugfix on
>>> 0.2.0.20-rc. - Do not crash when comparing an address with port
>>> value 0 to an address policy. This bug could have been used to
>>> cause a remote assertion failure by or against directory
>>> authorities, or to allow some applications to crash clients.
>>> Fixes bug 6690; bugfix on 0.2.1.10-alpha.
>>> 
>>> I have not seen CVE ids for these issues. Can you assign ids
>>> for them?
>>> 
>>> [0] 
>>> https://gitweb.torproject.org/tor.git/blob/release-0.2.2:/ReleaseNotes
>>
>>
>>> 
Can you attach links to the code commits? thanks
> 
> I didn't have them when I sent this mail. Should be: 
> https://gitweb.torproject.org/tor.git/commitdiff/973c18bf0e84d14d8006a9ae97fde7f7fb97e404
>
> 
https://gitweb.torproject.org/tor.git/commitdiff/62d96284f7e0f81c40d5df7e53dd7b4dfe7e56a5
> 
> Cheers Nico

Thanks for the links. Please use CVE-2012-4419 for this issue.


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQIcBAEBAgAGBQJQUTWkAAoJEBYNRVNeJnmT+QUP/RHczOGvPLxgw8PvzX+vihwQ
UbtlYK+STddooFRpJUTUDjawjaY/KBKzMt1tus6vQrREZb0g9HDDQVtzgEz2fzXy
KTko9atXNGiJZCJ8Q3UrtElL23QhzZco1+76pZso4jSVIOWLR2UWxFUmf7b1obVV
OC51cxm8fTkHXYrvACYbmQGcO9tKOkHimJle4O3Kr7togiRVdqSIDotVJy/7PZ8P
+PeHRbA7E7Cu/atiDyfY25KvaLZtSL0H/9SwcYUxKQfI83eVqtyciU+7Yr5z8leT
Lc7EmUmr7jCUEEhh/sP/8bX2iTEQiHyXDWFkFTddgyJpvTHcJOM2tYWTOrg3gR0K
AD/R05vM2l9OLhFoGIbBPCk41ZtXa/zZTkAneFhhPQnmjjT/Qudw1h3YWO877O0C
bNAq2r3b+/Hixs9DnK4CeMpuOWqQPkF7Bl6mODSlKz0MadR4rJsofawJ+nG8pnAP
Wm9XautufJsDwjhKq9uOjM3E/r/KXLepm3Vr9ERhlU9unEDgrzTd0ycqU68jzFYV
vtYB15eN7GOwfMh4YAFq8n+PZxk7fpeiKl3Hk+Q+IAYCYXEEkS+jDoUKyr2IV+J4
JQeMEisOekJ/XT9gbkcewNN69oszO4WolQXXEX3S5wNMbFZ5Fbx4teuXRU1t7HSs
L0f2zHBJpw1Zt86rpLj1
=6GNC
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.