Yes, Tor should indeed not be relied upon for 100% anonymity, but then again, pretty much anything shouldn't. I2P and freenet etc, all state the same.
FreeNet is probably the most anonymous of them (but also the slowest, downloading a text file takes about the time of downloading a movie on a normal connection
), but don't quote me on that.
With any one having the ability to run tor proxies and help out their project, it would be trivial to someone serious about SIGINT to run tons of these servers, and combine all the information, and get the real source of a packet 50% of the time or more, or run traffic analysis etc...
In other words, it will protect you from your IP showing up in the casual log files, but it won't protect you if someone is really after you.
I think the vulnerability you're referring to, f0dder, is a method of finding the source of a TOR anonymous server. (which is different from it's typical client usage). And this method is probably feasible for some individual with lots of persistence, without the need of massive resources. I don't know if that one has been patched yet or not, but if it was, it doesn't really matter. I'm sure other holes will pop up eventually, as is the nature of the cat and mouse game in this business.