Package: ktorrent
Version: 2.1-1~mdx1
Severity: grave
Tags: patch security
Justification: user security hole
I came across this piece of news: http://www.heise-security.co.uk/news/86661 which explains very briefly two security issues in ktorrent. These have been solved in ktorrent 2.1.2, as explained on http://ktorrent.org/forum/viewtopic.php?t=1401

I know the frozen version is 2.0.3, which is somewhat "far" from the fixed version, so I looked into the svn repository (svn://anonsvn.kde.org/home/kde/trunk/extragear/network/ktorrent) and found that commit 640661 fixes the bug. I also attach it as a patch; I hope it applies cleanly to the frozen version.

Thanks.

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (800, 'unstable'), (500, 'testing'), (100, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.20rs
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8)

Versions of packages ktorrent depends on:
ii  kdelibs4c2a            4:3.5.6.r1.dfsg.1-2  core libraries and binaries for al
ii  libacl1                2.2.42-1             Access control list shared library
ii  libart-2.0-2           2.3.17-1             Library of functions for 2D graphi
ii  libattr1               1:2.4.32-1.1         Extended attribute shared library
ii  libaudio2              1.8-3                The Network Audio System (NAS). (s
ii  libavahi-client3       0.6.16-3             Avahi client library
ii  libavahi-common3       0.6.16-3             Avahi common library
ii  libc6                  2.3.6.ds1-13         GNU C Library: Shared libraries
ii  libfontconfig1         2.4.2-1.2            generic font configuration library
ii  libfreetype6           2.2.1-5              FreeType 2 font engine, shared lib
ii  libgamin0 [libfam0]    0.1.8-1              Client library for the gamin file
ii  libgcc1                1:4.1.1-21           GCC support library
ii  libgmp3c2              2:4.2.1+dfsg-4       Multiprecision arithmetic library
ii  libice6                1:1.0.1-2            X11 Inter-Client Exchange library
ii  libidn11               0.6.5-1              GNU libidn library, implementation
ii  libjpeg62              6b-13                The Independent JPEG Group's JPEG
ii  libpcre3               6.7-1                Perl 5 Compatible Regular Expressi
ii  libpng12-0             1.2.15~beta5-1       PNG library - runtime
ii  libqt3-mt              3:3.3.7-3            Qt GUI Library (Threaded runtime v
ii  libsm6                 1:1.0.1-3            X11 Session Management library
ii  libstdc++6             4.1.1-21             The GNU Standard C++ Library v3
ii  libx11-6               2:1.0.3-6            X11 client-side library
ii  libxcursor1            1.1.7-4              X cursor management library
ii  libxext6               1:1.0.1-2            X11 miscellaneous extension librar
ii  libxft2                2.1.8.2-8            FreeType-based font drawing librar
ii  libxi6                 1:1.0.1-4            X11 Input extension library
ii  libxinerama1           1:1.0.1-4.1          X11 Xinerama extension library
ii  libxrandr2             2:1.1.0.2-5          X11 RandR extension library
ii  libxrender1            1:0.9.1-3            X Rendering Extension client libra
ii  libxt6                 1:1.0.2-2            X11 toolkit intrinsics library
ii  zlib1g                 1:1.2.3-13           compression library - runtime

ktorrent recommends no packages.

-- no debconf information
Index: libktorrent/torrent/torrent.cpp =================================================================== --- libktorrent/torrent/torrent.cpp (revisión: 640660) +++ libktorrent/torrent/torrent.cpp (revisión: 640661) @@ -163,9 +163,15 @@ if (!v || v->data().getType() != Value::STRING) throw Error(i18n("Corrupted torrent!")); - path += v->data().toString(encoding); - if (j + 1 < ln->getNumChildren()) - path += bt::DirSeparator(); + QString sd = v->data().toString(encoding); + // check for weirdness like .. , + // we don't want to write outside the user specified directories + if (sd != "..") + { + path += sd; + if (j + 1 < ln->getNumChildren()) + path += bt::DirSeparator(); + } } // we do not want empty dirs Index: libktorrent/torrent/chunkcounter.cpp =================================================================== --- libktorrent/torrent/chunkcounter.cpp (revisión: 640660) +++ libktorrent/torrent/chunkcounter.cpp (revisión: 640661) @@ -59,12 +59,13 @@ void ChunkCounter::inc(Uint32 idx) { - cnt[idx]++; + if (idx < cnt.size()) + cnt[idx]++; } void ChunkCounter::dec(Uint32 idx) { - if (cnt[idx] > 0) + if (idx < cnt.size() && cnt[idx] > 0) cnt[idx]--; } Index: libktorrent/torrent/peer.cpp =================================================================== --- libktorrent/torrent/peer.cpp (revisión: 640660) +++ libktorrent/torrent/peer.cpp (revisión: 640661) 
@@ -193,11 +193,21 @@ { Out() << "len err HAVE" << endl; kill(); - return; } - - haveChunk(this,ReadUint32(tmp_buf,1)); - pieces.set(ReadUint32(tmp_buf,1),true); + else + { + Uint32 ch = ReadUint32(tmp_buf,1); + if (ch < pieces.getNumBits()) + { + haveChunk(this,ch); + pieces.set(ch,true); + } + else + { + Out(SYS_CON|LOG_NOTICE) << "Received invalid have value, kicking peer" << endl; + kill(); + } + } break; case BITFIELD: if (len != 1 + pieces.getNumBytes()) Index: apps/ktorrent/main.cpp =================================================================== --- apps/ktorrent/main.cpp (revisión: 640660) +++ apps/ktorrent/main.cpp (revisión: 640661) @@ -108,6 +108,7 @@ about.addCredit("Dagur Valberg Johannsson",I18N_NOOP("Coldmilk webgui"),"[EMAIL PROTECTED]"); about.addCredit("Alexander Dymo",I18N_NOOP("IDEAl code from KDevelop"),"[EMAIL PROTECTED]"); about.addCredit("Scott Wolchok",I18N_NOOP("Conversion speed improvement in ipfilter plugin"),"[EMAIL PROTECTED]"); + about.addCredit("Bryan Burns of Juniper Networks",I18N_NOOP("Discovered 2 security vulnerabilities (both are fixed)"),0); KCmdLineArgs::init(argc, argv, &about); KCmdLineArgs::addCmdLineOptions(options);
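Review bot: in the torrent.cpp hunk, the new check `if (sd != "..")` compares the path component against the exact string ".." only, and on a match it silently drops that component and keeps building the path. Two points for this hunk: first, a component that merely contains a separator character, or that is empty or ".", is not caught by an equality test against "..", so consider validating the component more broadly (no separator characters, not empty, not "." or "..") rather than matching one literal. Second, quietly skipping the component means a malformed torrent is still accepted and written under an altered relative path; since the line just above already does `throw Error(i18n("Corrupted torrent!"));` for a wrong value type, rejecting the torrent the same way would be more consistent and leaves a clearer trace of why the download was refused.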
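Review bot: in the chunkcounter.cpp hunk, the added bounds checks `if (idx < cnt.size())` in inc() and `if (idx < cnt.size() && cnt[idx] > 0)` in dec() are the right fix, but an out-of-range index is now ignored without any trace. Since an index past cnt.size() can only come from inconsistent or hostile input, consider emitting a log line in the rejected branch, along the lines of the `Out(SYS_CON|LOG_NOTICE) << "Received invalid have value, kicking peer"` used in the peer.cpp hunk, so operators can correlate the rejected update with the peer that caused it.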
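Review bot: in the peer.cpp hunk, removing `return;` after `kill();` in the length-error branch is correct only because the old fall-through code is now inside an `else` block that ends at `break;`; a one-line comment on the `else` would make that dependency explicit for whoever backports this onto 2.0.3, where the surrounding lines may differ. Also, the existing error path logs with plain `Out() << "len err HAVE" << endl;` while the new invalid-index path logs with `Out(SYS_CON|LOG_NOTICE)`; both reject a malformed HAVE message from the same peer, so they should use the same subsystem and level so that neither is lost in the default log view.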
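Review bot: the apps/ktorrent/main.cpp hunk only adds a credits line (`about.addCredit("Bryan Burns of Juniper Networks", ...)`) and does not change behaviour. Since the submitter's goal is a patch that applies cleanly to the frozen 2.0.3, this hunk is the one most likely to fail on differing context lines (the neighbouring addCredit entries) and can be dropped from the backport without affecting the fix; note also that it passes `0` as the third argument where the neighbouring calls pass an address string, which is fine for a null pointer but worth a glance when rebasing.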