Source: libtorrent-rasterbar Severity: grave Tags: security patch Version: 0.14.10-2 Control: fixed -1 1.0.6-1
Hi, the following vulnerability was published for libtorrent-rasterbar. CVE-2015-5685[0]: | The lazy_bdecode function in BitTorrent DHT bootstrap server | (bootstrap-dht ) allows remote attackers to execute arbitrary code via | a crafted packet, related to "improper indexing." If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2015-5685 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5685 Please adjust the affected versions in the BTS as needed. Note while this CVE was reported against BitTorrent DHT Bootstrapt server, the same vulnerable code is available in libtorrent-rasterbar and the issues ought to be fixed in all stable releases. The experimental version is unaffected as upstream applied the security fix already: https://github.com/arvidn/libtorrent/commit/d9945f6f50a8c967888cd9c2ebe65ffbe462056e seems to be (almost) the same as https://github.com/bittorrent/bootstrap-dht/commit/e809ea80e3527e32c40756eddd8b2ae44bc3af1a Cheers, -- Raphaël Hertzog ◈ Debian Developer Support Debian LTS: http://www.freexian.com/services/debian-lts.html Learn to master Debian: http://debian-handbook.info/get/
