Your message dated Sun, 25 Aug 2019 21:22:55 +0000
with message-id <e1i1zyr-0009z2...@fasolo.debian.org>
and subject line Bug#932539: fixed in qbittorrent 4.1.7-1
has caused the Debian Bug report #932539,
regarding qbittorrent: CVE-2019-13640
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
932539: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932539
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: qbittorrent
Version: 4.1.6-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/qbittorrent/qBittorrent/issues/10925
Control: found -1 4.1.5-1

Hi,

The following vulnerability was published for qbittorrent.

CVE-2019-13640[0]:
| In qBittorrent before 4.1.7, the function
| Application::runExternalProgram() located in app/application.cpp
| allows command injection via shell metacharacters in the torrent name
| parameter or current tracker parameter, as demonstrated by remote
| command execution via a crafted name within an RSS feed.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-13640
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13640
[1] https://github.com/qbittorrent/qBittorrent/issues/10925

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: qbittorrent
Source-Version: 4.1.7-1

We believe that the bug you reported is fixed in the latest version of
qbittorrent, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 932...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andrew Starr-Bochicchio <a...@debian.org> (supplier of updated qbittorrent package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 25 Aug 2019 16:51:10 -0400
Source: qbittorrent
Binary: qbittorrent qbittorrent-dbg qbittorrent-nox
Architecture: source amd64
Version: 4.1.7-1
Distribution: unstable
Urgency: medium
Maintainer: Cristian Greco <crist...@debian.org>
Changed-By: Andrew Starr-Bochicchio <a...@debian.org>
Description:
 qbittorrent - bittorrent client based on libtorrent-rasterbar with a Qt5 GUI
 qbittorrent-dbg - debug symbols for qbittorrent and qbittorrent-nox
 qbittorrent-nox - bittorrent client based on libtorrent-rasterbar (without X suppor
Closes: 932539 933889
Changes:
 qbittorrent (4.1.7-1) unstable; urgency=medium
 .
   * New upstream release (Closes: #933889).
    - Prevent command injection via "Run external program" function
      (Closes: #932539, CVE-2019-13640).

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
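
The bug class named in the CVE text and the changelog entry above, as an added example (not qBittorrent's code and not the upstream patch): a "%N" placeholder expanded into a string meant for `/bin/sh -c`, next to a variant that splits the trusted template into argv first and substitutes afterwards. The function names, the template and the sample name are hypothetical and constructed for illustration.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Replace every occurrence of `key` in `s` with `value` (no re-scan of inserted text).
static std::string replaceAll(std::string s, const std::string &key, const std::string &value)
{
    for (std::size_t pos = 0; (pos = s.find(key, pos)) != std::string::npos; pos += value.size())
        s.replace(pos, key.size(), value);
    return s;
}

// Vulnerable pattern: untrusted text is pasted into a string that is later
// handed to `/bin/sh -c`, so the shell re-parses the torrent name as syntax.
std::string buildShellString(const std::string &tmpl, const std::string &torrentName)
{
    return replaceAll(tmpl, "%N", torrentName);
}

// Hardened pattern: tokenize the trusted template first (whitespace and double
// quotes only), then substitute inside each finished argument. The vector is
// meant for execvp()-style launching with no shell in between.
std::vector<std::string> buildArgv(const std::string &tmpl, const std::string &torrentName)
{
    std::vector<std::string> argv;
    std::string cur;
    bool inQuotes = false, haveToken = false;
    for (char c : tmpl) {
        if (c == '"') { inQuotes = !inQuotes; haveToken = true; }
        else if ((c == ' ' || c == '\t') && !inQuotes) {
            if (haveToken) argv.push_back(cur);
            cur.clear(); haveToken = false;
        }
        else { cur += c; haveToken = true; }
    }
    if (haveToken) argv.push_back(cur);
    for (std::string &arg : argv)
        arg = replaceAll(arg, "%N", torrentName);
    return argv;
}

// Constructed sample input: a user-configured template and a feed-supplied name.
const std::string kTemplate = "/usr/local/bin/notify.sh --title \"%N\"";
const std::string kHostileName = "a\"; echo INJECTED; \"b";

int main()
{
    std::cout << "sh -c: " << buildShellString(kTemplate, kHostileName) << '\n';
    for (const std::string &a : buildArgv(kTemplate, kHostileName)) std::cout << "argv: [" << a << "]\n";
}
```

Quoting "%N" in the template does not help the shell-string variant, because the name can close the quote itself; in the argv variant the whole name remains one argument.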
