Bug#931656: libtorrent20: sends private IP address to trackers

[Kevin Locke]

On Mon, 08 Jul 2019 16:01:47 -0600 Kevin Locke  wrote:
> The issue is fixed by a 2-line patch to libtorrent that has been merged,
> but not released: https://github.com/rakshasa/libtorrent/pull/176

Quick update:  This patch is included in 0.13.8.

Cheers,
Kevin

Bug#931656: libtorrent20: sends private IP address to trackers

[Kevin Locke]

Package: libtorrent20
Version: 0.13.7-1
Severity: normal
Tags: patch

Dear Maintainer,

I just upgraded to buster and found that rtorrent now sends my private
IP address to trackers unless manually configured (to send a bogus
address or the public address, via scripting if dynamic).  For details,
see .

Leaking the private IP can be a security and privacy issue which is not
obvious to users, unless trackers report a warning or error (most do
not).

The issue is fixed by a 2-line patch to libtorrent that has been merged,
but not released: https://github.com/rakshasa/libtorrent/pull/176

Is there any chance you would consider applying this patch, ideally in
both sid and stable?

Thanks,
Kevin


-- System Information:
Debian Release: 10.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.1.11 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), 
LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libtorrent20 depends on:
ii  libc6  2.28-10
ii  libcppunit-1.14-0  1.14.0-3
ii  libgcc11:8.3.0-6
ii  libssl1.1  1.1.1c-1
ii  libstdc++6 8.3.0-6
ii  zlib1g 1:1.2.11.dfsg-1

libtorrent20 recommends no packages.

libtorrent20 suggests no packages.

-- no debconf information