Bug#964868: marked as done (buster--pu: package transmission/2.94-2+deb10u1)

[Debian Bug Tracking System]

Your message dated Sat, 01 Aug 2020 12:51:28 +0100
with message-id 
<43535efb498a168cf81452ca0c326f004f46adc6.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 10.5 point release
has caused the Debian Bug report #964868,
regarding buster--pu: package transmission/2.94-2+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
964868: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964868
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

Fixes a security issue in Transmission, which doesn't warrant a DSA,
but still good to fix in stable. I've tested the update extensively
(I had prepared the update for 10.4, but it fell through the cracks)

Debdiff attached.

Cheers,
        Moritz

diff -Nru transmission-2.94/debian/changelog transmission-2.94/debian/changelog
--- transmission-2.94/debian/changelog  2019-01-01 00:07:49.000000000 +0100
+++ transmission-2.94/debian/changelog  2020-05-29 00:05:53.000000000 +0200
@@ -1,3 +1,9 @@
+transmission (2.94-2+deb10u1) buster; urgency=medium
+
+  * CVE-2018-10756 (Closes: #961461)
+
+ -- Moritz Muehlenhoff <j...@debian.org>  Fri, 29 May 2020 00:05:53 +0200
+
 transmission (2.94-2) unstable; urgency=medium
 
   [ Ondřej Nový ]
diff -Nru transmission-2.94/debian/patches/CVE-2018-10756.patch 
transmission-2.94/debian/patches/CVE-2018-10756.patch
--- transmission-2.94/debian/patches/CVE-2018-10756.patch       1970-01-01 
01:00:00.000000000 +0100
+++ transmission-2.94/debian/patches/CVE-2018-10756.patch       2020-05-29 
00:05:53.000000000 +0200
@@ -0,0 +1,66 @@
+Backport to 2.94 of 
+
+From 2123adf8e5e1c2b48791f9d22fc8c747e974180e Mon Sep 17 00:00:00 2001
+From: Mike Gelfand <mike...@mikedld.com>
+Date: Sun, 28 Apr 2019 11:27:33 +0300
+Subject: [PATCH] CVE-2018-10756: Fix heap-use-after-free in tr_variantWalk
+
+In libtransmission/variant.c, function tr_variantWalk, when the variant
+stack is reallocated, a pointer to the previously allocated memory
+region is kept. This address is later accessed (heap use-after-free)
+while walking back down the stack, causing the application to crash.
+The application can be any application which uses libtransmission, such
+as transmission-daemon, transmission-gtk, transmission-show, etc.
+
+Reported-by: Tom Richards <t...@tomrichards.net>
+
+--- transmission-2.94.orig/libtransmission/variant.c
++++ transmission-2.94/libtransmission/variant.c
+@@ -820,7 +820,7 @@ compareKeyIndex (const void * va, const
+ struct SaveNode
+ {
+   const tr_variant * v;
+-  tr_variant sorted;
++  tr_variant* sorted;
+   size_t childIndex;
+   bool isVisited;
+ };
+@@ -849,26 +849,31 @@ nodeConstruct (struct SaveNode   * node,
+ 
+       qsort (tmp, n, sizeof (struct KeyIndex), compareKeyIndex);
+ 
+-      tr_variantInitDict (&node->sorted, n);
++      node->sorted = tr_new(tr_variant, 1);
++      tr_variantInitDict(node->sorted, n);
++
+       for (i=0; i<n; ++i)
+-        node->sorted.val.l.vals[i] = *tmp[i].val;
+-      node->sorted.val.l.count = n;
++        node->sorted->val.l.vals[i] = *tmp[i].val;
++      node->sorted->val.l.count = n;
+ 
+       tr_free (tmp);
+ 
+-      node->v = &node->sorted;
++      v = node->sorted;
++
+     }
+   else
+     {
+-      node->v = v;
++      node->sorted = NULL;
+     }
++
++  node->v = v;
+ }
+ 
+ static void
+ nodeDestruct (struct SaveNode * node)
+ {
+-  if (node->v == &node->sorted)
+-    tr_free (node->sorted.val.l.vals);
++  if (node->v == node->sorted)
++    tr_free (node->sorted->val.l.vals);
+ }
+ 
+ /**
diff -Nru transmission-2.94/debian/patches/series 
transmission-2.94/debian/patches/series
--- transmission-2.94/debian/patches/series     2019-01-01 00:07:49.000000000 
+0100
+++ transmission-2.94/debian/patches/series     2020-05-29 00:05:53.000000000 
+0200
@@ -4,3 +4,4 @@
 transmission-daemon_execstop_service.patch
 ayatana-indicators.patch
 patch-vendored-libdht.patch
+CVE-2018-10756.patch

--- End Message ---

--- Begin Message ---

Package: release.debian.org
Version: 10.5

Hi,

Each of these bugs relates to an update that was included in today's
stable point release.

Regards,

Adam

--- End Message ---