Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 359789 (CVE-2011-1924) - <net-misc/tor- "policy_summarize()" Directory Authority Denial of Service Vulnerability (CVE-2011-1924)
Summary: <net-misc/tor- "policy_summarize()" Directory Authority Denial of Se...
Alias: CVE-2011-1924
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Depends on:
Reported: 2011-03-21 14:27 UTC by Paweł Hajdan, Jr. (RETIRED)
Modified: 2011-10-18 18:29 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-03-21 14:27:21 UTC
A vulnerability has been reported in Tor, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to a boundary error within the "policy_summarize()" function in src/or/policies.c, which can be exploited to crash a Tor directory authority.

The vulnerability is reported in versions prior to

Update to version

Provided and/or discovered by
The vendor credits piebeer.

Original Advisory
Comment 1 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-03-21 14:29:21 UTC
Maintainers, is it OK to stabilize net-misc/tor-

To speed up the process, feel free to CC arches and add the STABLEREQ keyword yourself (and change the status whiteboard from "stable?" to "stable").
Comment 2 Anthony Basile gentoo-dev 2011-03-21 15:38:29 UTC
Yes, it is ready for stabilization.
Comment 3 Anthony Basile gentoo-dev 2011-03-21 15:39:25 UTC
Sorry, still getting used to new bugzilla ... added arches.
Comment 4 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-03-21 16:48:23 UTC
ppc/ppc64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2011-03-21 17:05:51 UTC
amd64 ok
Comment 6 Andreas Schürch gentoo-dev 2011-03-21 18:18:19 UTC
Looks also good here on x86.
Comment 7 Christoph Mende (RETIRED) gentoo-dev 2011-03-21 20:06:09 UTC
amd64 done, thanks Agostino
Comment 8 Thomas Kahle (RETIRED) gentoo-dev 2011-03-22 12:22:47 UTC
x86 stable. Thanks Andreas.
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2011-04-02 15:42:01 UTC
arm/sparc stable
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2011-04-02 15:49:52 UTC
Thanks, everyone. GLSA Vote: Yes.
Comment 11 Anthony Basile gentoo-dev 2011-04-02 22:18:30 UTC
Vulnerable versions (tor- and tor- removed from tree.
Comment 12 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2011-05-17 20:58:51 UTC
GLSA vote: NO
Comment 13 Stefan Behte (RETIRED) gentoo-dev Security 2011-05-21 11:23:58 UTC
Vote: yes, added to existing GLSA.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 00:08:20 UTC
CVE-2011-1924 (
  Buffer overflow in the policy_summarize function in or/policies.c in Tor
  before allows remote attackers to cause a denial of service
  (directory authority crash) via a crafted policy that triggers creation of a
  long port list.
Comment 15 Alexis Ballier gentoo-dev 2011-07-08 00:05:57 UTC
no clue why bsd is in cc
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2011-10-18 18:29:14 UTC
This issue was resolved and addressed in
 GLSA 201110-13 at
by GLSA coordinator Tim Sammut (underling).