Package: ktorrent
Version: 2.1-1~mdx1
Severity: grave
Tags: patch security
Justification: user security hole
I came across this piece of news:
http://www.heise-security.co.uk/news/86661 which very briefly explains
two security issues in ktorrent. These have been solved in
ktorrent 2.1.2, as explained at http://ktorrent.org/forum/viewtopic.php?t=1401
I know the frozen version is 2.0.3, which is somewhat "far" from the
fixed version, so I looked into the svn
repository (svn://anonsvn.kde.org/home/kde/trunk/extragear/network/ktorrent)
and found that commit 640661 fixes the bug. I also attach it as a patch;
I hope it applies cleanly to the frozen version.
Thanks.
-- System Information:
Debian Release: 4.0
APT prefers unstable
APT policy: (800, 'unstable'), (500, 'testing'), (100, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.20rs
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8)
Versions of packages ktorrent depends on:
ii kdelibs4c2a 4:3.5.6.r1.dfsg.1-2 core libraries and binaries for al
ii libacl1 2.2.42-1 Access control list shared library
ii libart-2.0-2 2.3.17-1 Library of functions for 2D graphi
ii libattr1 1:2.4.32-1.1 Extended attribute shared library
ii libaudio2 1.8-3 The Network Audio System (NAS). (s
ii libavahi-client3 0.6.16-3 Avahi client library
ii libavahi-common3 0.6.16-3 Avahi common library
ii libc6 2.3.6.ds1-13 GNU C Library: Shared libraries
ii libfontconfig1 2.4.2-1.2 generic font configuration library
ii libfreetype6 2.2.1-5 FreeType 2 font engine, shared lib
ii libgamin0 [libfam0] 0.1.8-1 Client library for the gamin file
ii libgcc1 1:4.1.1-21 GCC support library
ii libgmp3c2 2:4.2.1+dfsg-4 Multiprecision arithmetic library
ii libice6 1:1.0.1-2 X11 Inter-Client Exchange library
ii libidn11 0.6.5-1 GNU libidn library, implementation
ii libjpeg62 6b-13 The Independent JPEG Group's JPEG
ii libpcre3 6.7-1 Perl 5 Compatible Regular Expressi
ii libpng12-0 1.2.15~beta5-1 PNG library - runtime
ii libqt3-mt 3:3.3.7-3 Qt GUI Library (Threaded runtime v
ii libsm6 1:1.0.1-3 X11 Session Management library
ii libstdc++6 4.1.1-21 The GNU Standard C++ Library v3
ii libx11-6 2:1.0.3-6 X11 client-side library
ii libxcursor1 1.1.7-4 X cursor management library
ii libxext6 1:1.0.1-2 X11 miscellaneous extension librar
ii libxft2 2.1.8.2-8 FreeType-based font drawing librar
ii libxi6 1:1.0.1-4 X11 Input extension library
ii libxinerama1 1:1.0.1-4.1 X11 Xinerama extension library
ii libxrandr2 2:1.1.0.2-5 X11 RandR extension library
ii libxrender1 1:0.9.1-3 X Rendering Extension client libra
ii libxt6 1:1.0.2-2 X11 toolkit intrinsics library
ii zlib1g 1:1.2.3-13 compression library - runtime
ktorrent recommends no packages.
-- no debconf information
Index: libktorrent/torrent/torrent.cpp
===================================================================
--- libktorrent/torrent/torrent.cpp (revisión: 640660)
+++ libktorrent/torrent/torrent.cpp (revisión: 640661)
@@ -163,9 +163,15 @@
if (!v || v->data().getType() != Value::STRING)
throw Error(i18n("Corrupted torrent!"));
- path += v->data().toString(encoding);
- if (j + 1 < ln->getNumChildren())
- path += bt::DirSeparator();
+ QString sd = v->data().toString(encoding);
+ // check for weirdness like .. ,
+ // we don't want to write outside the user specified directories
+ if (sd != "..")
+ {
+ path += sd;
+ if (j + 1 < ln->getNumChildren())
+ path += bt::DirSeparator();
+ }
}
// we do not want empty dirs
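Review bot: the `sd != ".."` check in the new block silently drops a `..` component instead of rejecting the torrent, so a file whose path list contained `..` is still created, just under a shortened path, and when the dropped component is the last child the previous iteration's `bt::DirSeparator()` leaves `path` with a trailing separator. The `Value::STRING` check two lines above already throws `Error(i18n("Corrupted torrent!"))` for a malformed entry; treating `..` the same way is simpler and leaves no ambiguous output path. The comparison also only catches an exact `..` component: a component that itself contains a directory separator is concatenated into `path` unchanged, so additionally rejecting components that contain a separator would close the same class of problem more completely.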
Index: libktorrent/torrent/chunkcounter.cpp
===================================================================
--- libktorrent/torrent/chunkcounter.cpp (revisión: 640660)
+++ libktorrent/torrent/chunkcounter.cpp (revisión: 640661)
@@ -59,12 +59,13 @@
void ChunkCounter::inc(Uint32 idx)
{
- cnt[idx]++;
+ if (idx < cnt.size())
+ cnt[idx]++;
}
void ChunkCounter::dec(Uint32 idx)
{
- if (cnt[idx] > 0)
+ if (idx < cnt.size() && cnt[idx] > 0)
cnt[idx]--;
}
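Review bot: the new `idx < cnt.size()` guards in `inc` and `dec` turn an out-of-range index into a silent no-op, which is the right shape for a bounds fix but hides the fact that a caller passed an index beyond the chunk count, the very condition the peer.cpp hunk logs and kicks on. Consider at least a debug log on the rejected path so a misbehaving peer or a corrupted counter shows up in the log rather than disappearing. The comparison itself is fine: both sides are unsigned, so there is no signed/unsigned surprise.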
Index: libktorrent/torrent/peer.cpp
===================================================================
--- libktorrent/torrent/peer.cpp (revisión: 640660)
+++ libktorrent/torrent/peer.cpp (revisión: 640661)
@@ -193,11 +193,21 @@
{
Out() << "len err HAVE" << endl;
kill();
- return;
}
-
- haveChunk(this,ReadUint32(tmp_buf,1));
- pieces.set(ReadUint32(tmp_buf,1),true);
+ else
+ {
+ Uint32 ch = ReadUint32(tmp_buf,1);
+ if (ch < pieces.getNumBits())
+ {
+ haveChunk(this,ch);
+ pieces.set(ch,true);
+ }
+ else
+ {
+ Out(SYS_CON|LOG_NOTICE) << "Received invalid have value, kicking peer" << endl;
+ kill();
+ }
+ }
break;
case BITFIELD:
if (len != 1 + pieces.getNumBytes())
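Review bot: dropping the `return;` after `kill()` in the length-error branch changes control flow: that branch now falls through to `break` and whatever follows the switch, whereas before it left the function immediately. The new `else` makes the HAVE handling itself safe, but please confirm that the code after the switch (outside this hunk) tolerates running on a peer that has just been killed, or keep the `return;`. Minor: the new invalid-index branch logs via `Out(SYS_CON|LOG_NOTICE)` while the length-error branch above it uses plain `Out()`; aligning the two makes the kick reason easier to find in the log.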
Index: apps/ktorrent/main.cpp
===================================================================
--- apps/ktorrent/main.cpp (revisión: 640660)
+++ apps/ktorrent/main.cpp (revisión: 640661)
@@ -108,6 +108,7 @@
about.addCredit("Dagur Valberg Johannsson",I18N_NOOP("Coldmilk webgui"),"[EMAIL PROTECTED]");
about.addCredit("Alexander Dymo",I18N_NOOP("IDEAl code from KDevelop"),"[EMAIL PROTECTED]");
about.addCredit("Scott Wolchok",I18N_NOOP("Conversion speed improvement in ipfilter plugin"),"[EMAIL PROTECTED]");
+ about.addCredit("Bryan Burns of Juniper Networks",I18N_NOOP("Discovered 2 security vulnerabilities (both are fixed)"),0);
KCmdLineArgs::init(argc, argv, &about);
KCmdLineArgs::addCmdLineOptions(options);
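Review bot: this credit entry is unrelated to the fix itself and sits among very long `about.addCredit` lines, so it is the part of the patch most likely to fail to apply against the frozen 2.0.3 sources the report targets; when backporting, dropping this hunk keeps the patch minimal without affecting the security changes. Passing `0` as the email argument is consistent with `KAboutData::addCredit`, whose email parameter defaults to null.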