Hi, * Nico Golde <n...@debian.org> [2009-06-12 15:07]: > Hi, > * Giuseppe Iuculano <giuse...@iuculano.it> [2009-05-23 17:03]: > [...] > > CVE-2009-1759[0]: > > | Stack-based buffer overflow in the btFiles::BuildFromMI function > > | (trunk/btfiles.cpp) in Enhanced CTorrent (aka dTorrent) 3.3.2 and > > | probably earlier, and CTorrent 1.3.4, allows remote attackers to cause > > | a denial of service (crash) and possibly execute arbitrary code via a > > | Torrent file containing a long path. > > > > If you fix the vulnerability please also make sure to include the > > CVE id in your changelog entry. > > > > For further information see: > > > > [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1759 > > http://security-tracker.debian.net/tracker/CVE-2009-1759 > > Patch: > > http://dtorrent.svn.sourceforge.net/viewvc/dtorrent/dtorrent/trunk/btfiles.cpp?r1=296&r2=301&view=patch > > FWIW, this patch doesn't only fix a buffer overflow but also > a directory traversal vulnerability + it is a patch for > dtorrent.
http://dtorrent.svn.sourceforge.net/viewvc/dtorrent/dtorrent/trunk/bencode.h?r1=215&r2=301&view=patch and http://dtorrent.svn.sourceforge.net/viewvc/dtorrent/dtorrent/trunk/bencode.cpp?r1=296&r2=301&view=patch are needed as well. Cheers Nico -- Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0AAAA For security reasons, all text in this mail is double-rot13 encrypted.
pgpsH9GyYOQWt.pgp
Description: PGP signature