Bug#432007: marked as done (CVE-2007-1799: vulnerability in torrent.cpp)

Tue, 02 Oct 2007 13:02:55 -0700 

Your message dated Tue, 02 Oct 2007 19:56:20 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#432007: fixed in ktorrent 2.0.3+dfsg1-2etch1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message --- 
Package: ktorrent
Severity: important
Tags: security, patch


Hi mate

Your package is vulnerable in testing and unstable.

The CVE says:

Directory traversal vulnerability in torrent.cpp in KTorrent
before 2.1.3 only checks for the ".." string, which allows
remote attackers to overwrite arbitrary files via modified
".." sequences in a torrent filename, as demonstrated by "../"
sequences.


The patch for the current version is below.

Cheers
Steffen

--- ../../../../old/ktorrent-2.2.0.dfsg.1/libktorrent/torrent/torrent.cpp       
2007-07-02 18:48:47.000000000 +0200
+++ torrent.cpp 2007-07-06 17:07:49.000000000 +0200
@@ -165,9 +165,14 @@
                                        throw Error(i18n("Corrupted torrent!"));

                                QString sd = v->data().toString(encoding);
+                               // check for weirdness like .. and / ,
+                               // we don't want to write outside the user 
specified directories
+                               if (!sd.contains("/") && !sd.contains(".."))
+                               {
                                path += sd;
                                if (j + 1 < ln->getNumChildren())
                                        path += bt::DirSeparator();
+                               }
                        }

                        // we do not want empty dirs

--- End Message ---
--- Begin Message --- 
Source: ktorrent
Source-Version: 2.0.3+dfsg1-2etch1

We believe that the bug you reported is fixed in the latest version of
ktorrent, which is due to be installed in the Debian FTP archive:

ktorrent_2.0.3+dfsg1-2etch1.diff.gz
  to pool/main/k/ktorrent/ktorrent_2.0.3+dfsg1-2etch1.diff.gz
ktorrent_2.0.3+dfsg1-2etch1.dsc
  to pool/main/k/ktorrent/ktorrent_2.0.3+dfsg1-2etch1.dsc
ktorrent_2.0.3+dfsg1-2etch1_amd64.deb
  to pool/main/k/ktorrent/ktorrent_2.0.3+dfsg1-2etch1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Modestas Vainius <[EMAIL PROTECTED]> (supplier of updated ktorrent package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 24 Jul 2007 16:43:47 +0300
Source: ktorrent
Binary: ktorrent
Architecture: source amd64
Version: 2.0.3+dfsg1-2etch1
Distribution: stable-security
Urgency: high
Maintainer: Joel Johnson <[EMAIL PROTECTED]>
Changed-By: Modestas Vainius <[EMAIL PROTECTED]>
Description: 
 ktorrent   - BitTorrent client for KDE
Closes: 425043 432007
Changes: 
 ktorrent (2.0.3+dfsg1-2etch1) stable-security; urgency=high
 .
   * Non-maintainer upload.
   * [CVE-2007-1799] Complete fix for directory traversal vulnerability. The
     patch is based on upstream svn commit #651343 (Closes: #432007).
   * Fix frequent DHT related crashes. The crashes are caused by other
     bittorent clients sending specially formed DHT packets (hence remotely
     exploitable). See KDE bug #144416. The patch is based on upstream svn
     commits #655895 and #656421 (Closes: #425043).
Files: 
 ec1366a6819ce30b5891b7c4e0e51986 663 kde optional 
ktorrent_2.0.3+dfsg1-2etch1.dsc
 3aef60283e457b7e13c1719387251612 2183095 kde optional 
ktorrent_2.0.3+dfsg1.orig.tar.gz
 09ef4b627881d0aa29f682dbcf860ae7 12570 kde optional 
ktorrent_2.0.3+dfsg1-2etch1.diff.gz
 dea2c2add2b28f51c37838104cbacab6 1587096 kde optional 
ktorrent_2.0.3+dfsg1-2etch1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGtR6GwM/Gs81MDZ0RAhXhAJ4+/iaxA/tNerFj0FMDD/YZ0XEYtQCfbAkK
Sz7vq6dRL8SC/H03R2Lts4Y=
=YxPz
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to