Re: [CVE pending] security patch for net/transmission
This issue has been assigned CVE-2018-5702, and the fix has been merged into upstream's HEAD, targeted at the milestone for their upcoming release, 2.93.
Re: [CVE pending] security patch for net/transmission
On Mon, Jan 15, 2018 at 02:45:59PM +, Stuart Henderson wrote: > Unless you know it's safe not to, it's probably best to bump all > subpackages (or just remove REVISION-main and set REVISION=7). Thanks for the suggestion! A "v3" patch set is attached. > Does this need more testing or are you happy with it now? I haven't had much time to test. I would like at least a second person's review before considering this to be commit-ready. Index: Makefile === RCS file: /systems/cvs/ports/net/transmission/Makefile,v retrieving revision 1.122 diff -u -p -r1.122 Makefile --- Makefile12 Jan 2018 16:09:42 - 1.122 +++ Makefile15 Jan 2018 14:51:48 - @@ -9,8 +9,7 @@ DISTNAME= transmission-${VER} PKGNAME-main= transmission-${VER} PKGNAME-gtk= transmission-gtk-${VER} PKGNAME-qt=transmission-qt-${VER} -REVISION= 5 -REVISION-main= 6 +REVISION= 7 CATEGORIES=net HOMEPAGE= http://www.transmissionbt.com/ MAINTAINER=Josh GrosseIndex: patches/patch-libtransmission_quark_c === RCS file: patches/patch-libtransmission_quark_c diff -N patches/patch-libtransmission_quark_c --- /dev/null 1 Jan 1970 00:00:00 - +++ patches/patch-libtransmission_quark_c 13 Jan 2018 00:58:51 - @@ -0,0 +1,18 @@ +$OpenBSD$ + +Mitigate dns rebinding attacks against daemon. CVE pends. +https://github.com/transmission/transmission/pull/468 +2.92 patches posted by https://github.com/lfam + +Index: libtransmission/quark.c +--- libtransmission/quark.c.orig libtransmission/quark.c +@@ -289,6 +289,8 @@ static const struct tr_key_struct my_static[] = + { "rpc-authentication-required", 27 }, + { "rpc-bind-address", 16 }, + { "rpc-enabled", 11 }, ++ { "rpc-host-whitelist", 18 }, ++ { "rpc-host-whitelist-enabled", 26 }, + { "rpc-password", 12 }, + { "rpc-port", 8 }, + { "rpc-url", 7 }, Index: patches/patch-libtransmission_quark_h === RCS file: patches/patch-libtransmission_quark_h diff -N patches/patch-libtransmission_quark_h --- /dev/null 1 Jan 1970 00:00:00 - +++ patches/patch-libtransmission_quark_h 13 Jan 2018 00:58:51 - 
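Review bot: The header comment of patches/patch-libtransmission_quark_c still reads `CVE pends.`, although the thread records that CVE-2018-5702 has been assigned. Before commit that line could read `Mitigate dns rebinding attacks against daemon. CVE-2018-5702.` so the port's patch is traceable to the advisory. The same header text is repeated in patch-libtransmission_quark_h and patch-libtransmission_rpc-server_c, and in the two earlier revisions of this patch set further down the thread. The two added my_static[] entries themselves look consistent: the lengths 18 and 26 match the key strings, and the entries keep the table's alphabetical order.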
@@ -0,0 +1,18 @@ +$OpenBSD$ + +Mitigate dns rebinding attacks against daemon. CVE pends. +https://github.com/transmission/transmission/pull/468 +2.92 patches posted by https://github.com/lfam + +Index: libtransmission/quark.h +--- libtransmission/quark.h.orig libtransmission/quark.h +@@ -291,6 +291,8 @@ enum + TR_KEY_rpc_authentication_required, + TR_KEY_rpc_bind_address, + TR_KEY_rpc_enabled, ++ TR_KEY_rpc_host_whitelist, ++ TR_KEY_rpc_host_whitelist_enabled, + TR_KEY_rpc_password, + TR_KEY_rpc_port, + TR_KEY_rpc_url, Index: patches/patch-libtransmission_rpc-server_c === RCS file: patches/patch-libtransmission_rpc-server_c diff -N patches/patch-libtransmission_rpc-server_c --- /dev/null 1 Jan 1970 00:00:00 - +++ patches/patch-libtransmission_rpc-server_c 13 Jan 2018 00:58:51 - 
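Review bot: Nothing visible on this page shows the default value for `rpc-host-whitelist-enabled`, whose key `TR_KEY_rpc_host_whitelist_enabled` is added here, and the mitigation depends on it. The visible part of isHostnameAllowed in patch-libtransmission_rpc-server_c returns true for any Host header when isHostWhitelistEnabled is false, and likewise when isPasswordEnabled is true. The rest of the 203-line rpc-server.c patch is cut off here, so the default may be set there; it is worth confirming that an existing settings file lacking the key ends up with the check enabled. A line in the patch header such as `Host check is skipped when rpc-host-whitelist-enabled is false or password authentication is on.` would record this for whoever maintains the port. The enum order matches the entries added to my_static[] in quark.c.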
@@ -0,0 +1,203 @@ +$OpenBSD$ + +Mitigate dns rebinding attacks against daemon. CVE pends. +https://github.com/transmission/transmission/pull/468 +2.92 patches posted by https://github.com/lfam + +Index: libtransmission/rpc-server.c +--- libtransmission/rpc-server.c.orig libtransmission/rpc-server.c +@@ -52,6 +52,7 @@ struct tr_rpc_server + bool isEnabled; + bool isPasswordEnabled; + bool isWhitelistEnabled; ++bool isHostWhitelistEnabled; + tr_portport; + char * url; + struct in_addr bindAddress; +@@ -63,6 +64,7 @@ struct tr_rpc_server + char * password; + char * whitelistStr; + tr_list * whitelist; ++tr_list * hostWhitelist; + + char * sessionId; + time_t sessionIdExpiresAt; +@@ -588,6 +590,49 @@ isAddressAllowed (const tr_rpc_server * server, const + return false; + } + ++static bool isHostnameAllowed(tr_rpc_server const* server, struct evhttp_request* req) ++{ ++/* If password auth is enabled, any hostname is permitted. */ ++if (server->isPasswordEnabled) ++{ ++return true; ++} ++ ++char const* const host = evhttp_find_header(req->input_headers, "Host"); ++ ++// If whitelist is disabled, no restrictions. ++if (!server->isHostWhitelistEnabled) ++return true; ++ ++/* No host header, invalid request. */ ++if (host == NULL) ++{ ++return false; ++} ++ ++/* Host header might include the port. */ ++char* const hostname = tr_strndup(host, strcspn(host, ":")); ++ ++/* localhost or ipaddress is always acceptable. */ ++if (strcmp(hostname, "localhost") == 0 ||
Re: [CVE pending] security patch for net/transmission
On 2018/01/15 09:08, Josh Grosse wrote: > Revised to eliminate conflict with Makefile 1.122, revised > after the patch had been built. > Index: Makefile > === > RCS file: /systems/cvs/ports/net/transmission/Makefile,v > retrieving revision 1.122 > diff -u -p -r1.122 Makefile > --- Makefile 12 Jan 2018 16:09:42 - 1.122 > +++ Makefile 15 Jan 2018 14:03:29 - > @@ -10,7 +10,7 @@ PKGNAME-main= transmission-${VER} > PKGNAME-gtk= transmission-gtk-${VER} > PKGNAME-qt= transmission-qt-${VER} > REVISION=5 > -REVISION-main= 6 > +REVISION-main= 7 Unless you know it's safe not to, it's probably best to bump all subpackages (or just remove REVISION-main and set REVISION=7). Does this need more testing or are you happy with it now?
Re: [CVE pending] security patch for net/transmission
Revised to eliminate conflict with Makefile 1.122, revised after the patch had been built. Index: Makefile === RCS file: /systems/cvs/ports/net/transmission/Makefile,v retrieving revision 1.122 diff -u -p -r1.122 Makefile --- Makefile12 Jan 2018 16:09:42 - 1.122 +++ Makefile15 Jan 2018 14:03:29 - @@ -10,7 +10,7 @@ PKGNAME-main= transmission-${VER} PKGNAME-gtk= transmission-gtk-${VER} PKGNAME-qt=transmission-qt-${VER} REVISION= 5 -REVISION-main= 6 +REVISION-main= 7 CATEGORIES=net HOMEPAGE= http://www.transmissionbt.com/ MAINTAINER=Josh GrosseIndex: patches/patch-libtransmission_quark_c === RCS file: patches/patch-libtransmission_quark_c diff -N patches/patch-libtransmission_quark_c --- /dev/null 1 Jan 1970 00:00:00 - +++ patches/patch-libtransmission_quark_c 13 Jan 2018 00:58:51 - @@ -0,0 +1,18 @@ +$OpenBSD$ + +Mitigate dns rebinding attacks against daemon. CVE pends. +https://github.com/transmission/transmission/pull/468 +2.92 patches posted by https://github.com/lfam + +Index: libtransmission/quark.c +--- libtransmission/quark.c.orig libtransmission/quark.c +@@ -289,6 +289,8 @@ static const struct tr_key_struct my_static[] = + { "rpc-authentication-required", 27 }, + { "rpc-bind-address", 16 }, + { "rpc-enabled", 11 }, ++ { "rpc-host-whitelist", 18 }, ++ { "rpc-host-whitelist-enabled", 26 }, + { "rpc-password", 12 }, + { "rpc-port", 8 }, + { "rpc-url", 7 }, Index: patches/patch-libtransmission_quark_h === RCS file: patches/patch-libtransmission_quark_h diff -N patches/patch-libtransmission_quark_h --- /dev/null 1 Jan 1970 00:00:00 - +++ patches/patch-libtransmission_quark_h 13 Jan 2018 00:58:51 - 
@@ -0,0 +1,18 @@ +$OpenBSD$ + +Mitigate dns rebinding attacks against daemon. CVE pends. +https://github.com/transmission/transmission/pull/468 +2.92 patches posted by https://github.com/lfam + +Index: libtransmission/quark.h +--- libtransmission/quark.h.orig libtransmission/quark.h +@@ -291,6 +291,8 @@ enum + TR_KEY_rpc_authentication_required, + TR_KEY_rpc_bind_address, + TR_KEY_rpc_enabled, ++ TR_KEY_rpc_host_whitelist, ++ TR_KEY_rpc_host_whitelist_enabled, + TR_KEY_rpc_password, + TR_KEY_rpc_port, + TR_KEY_rpc_url, Index: patches/patch-libtransmission_rpc-server_c === RCS file: patches/patch-libtransmission_rpc-server_c diff -N patches/patch-libtransmission_rpc-server_c --- /dev/null 1 Jan 1970 00:00:00 - +++ patches/patch-libtransmission_rpc-server_c 13 Jan 2018 00:58:51 - 
@@ -0,0 +1,203 @@ +$OpenBSD$ + +Mitigate dns rebinding attacks against daemon. CVE pends. +https://github.com/transmission/transmission/pull/468 +2.92 patches posted by https://github.com/lfam + +Index: libtransmission/rpc-server.c +--- libtransmission/rpc-server.c.orig libtransmission/rpc-server.c +@@ -52,6 +52,7 @@ struct tr_rpc_server + bool isEnabled; + bool isPasswordEnabled; + bool isWhitelistEnabled; ++bool isHostWhitelistEnabled; + tr_portport; + char * url; + struct in_addr bindAddress; +@@ -63,6 +64,7 @@ struct tr_rpc_server + char * password; + char * whitelistStr; + tr_list * whitelist; ++tr_list * hostWhitelist; + + char * sessionId; + time_t sessionIdExpiresAt; +@@ -588,6 +590,49 @@ isAddressAllowed (const tr_rpc_server * server, const + return false; + } + ++static bool isHostnameAllowed(tr_rpc_server const* server, struct evhttp_request* req) ++{ ++/* If password auth is enabled, any hostname is permitted. */ ++if (server->isPasswordEnabled) ++{ ++return true; ++} ++ ++char const* const host = evhttp_find_header(req->input_headers, "Host"); ++ ++// If whitelist is disabled, no restrictions. ++if (!server->isHostWhitelistEnabled) ++return true; ++ ++/* No host header, invalid request. */ ++if (host == NULL) ++{ ++return false; ++} ++ ++/* Host header might include the port. */ ++char* const hostname = tr_strndup(host, strcspn(host, ":")); ++ ++/* localhost or ipaddress is always acceptable. */ ++if (strcmp(hostname, "localhost") == 0 || strcmp(hostname, "localhost.") == 0 || tr_addressIsIP(hostname)) ++{ ++tr_free(hostname); ++return true; ++} ++ ++/* Otherwise, hostname must be whitelisted. */ ++for (tr_list* l = server->hostWhitelist; l != NULL; l = l->next) { ++if (tr_wildmat(hostname, l->data)) ++{ ++tr_free(hostname); ++return true; ++} ++}
[CVE pending] security patch for net/transmission
The attached patch against transmission 2.92 has been tested on amd64, but could use additional testing. It mitigates a DNS rebinding attack against transmission-daemon. Upstream is aware of the security issue but has not yet taken action to date. Index: Makefile === RCS file: /systems/cvs/ports/net/transmission/Makefile,v retrieving revision 1.120 diff -u -p -r1.120 Makefile --- Makefile16 Nov 2017 23:20:39 - 1.120 +++ Makefile13 Jan 2018 00:37:25 - @@ -9,7 +9,7 @@ DISTNAME= transmission-${VER} PKGNAME-main= transmission-${VER} PKGNAME-gtk= transmission-gtk-${VER} PKGNAME-qt=transmission-qt-${VER} -REVISION= 5 +REVISION= 6 CATEGORIES=net HOMEPAGE= http://www.transmissionbt.com/ MAINTAINER=Josh GrosseIndex: patches/patch-libtransmission_quark_c === RCS file: patches/patch-libtransmission_quark_c diff -N patches/patch-libtransmission_quark_c --- /dev/null 1 Jan 1970 00:00:00 - +++ patches/patch-libtransmission_quark_c 13 Jan 2018 00:56:42 - @@ -0,0 +1,18 @@ +$OpenBSD$ + +Mitigate dns rebinding attacks against daemon. CVE pends. +https://github.com/transmission/transmission/pull/468 +2.92 patches posted by https://github.com/lfam + +Index: libtransmission/quark.c +--- libtransmission/quark.c.orig libtransmission/quark.c +@@ -289,6 +289,8 @@ static const struct tr_key_struct my_static[] = + { "rpc-authentication-required", 27 }, + { "rpc-bind-address", 16 }, + { "rpc-enabled", 11 }, ++ { "rpc-host-whitelist", 18 }, ++ { "rpc-host-whitelist-enabled", 26 }, + { "rpc-password", 12 }, + { "rpc-port", 8 }, + { "rpc-url", 7 }, Index: patches/patch-libtransmission_quark_h === RCS file: patches/patch-libtransmission_quark_h diff -N patches/patch-libtransmission_quark_h --- /dev/null 1 Jan 1970 00:00:00 - +++ patches/patch-libtransmission_quark_h 13 Jan 2018 00:56:47 - 
@@ -0,0 +1,18 @@ +$OpenBSD$ + +Mitigate dns rebinding attacks against daemon. CVE pends. +https://github.com/transmission/transmission/pull/468 +2.92 patches posted by https://github.com/lfam + +Index: libtransmission/quark.h +--- libtransmission/quark.h.orig libtransmission/quark.h +@@ -291,6 +291,8 @@ enum + TR_KEY_rpc_authentication_required, + TR_KEY_rpc_bind_address, + TR_KEY_rpc_enabled, ++ TR_KEY_rpc_host_whitelist, ++ TR_KEY_rpc_host_whitelist_enabled, + TR_KEY_rpc_password, + TR_KEY_rpc_port, + TR_KEY_rpc_url, Index: patches/patch-libtransmission_rpc-server_c === RCS file: patches/patch-libtransmission_rpc-server_c diff -N patches/patch-libtransmission_rpc-server_c --- /dev/null 1 Jan 1970 00:00:00 - +++ patches/patch-libtransmission_rpc-server_c 13 Jan 2018 00:56:55 - 
@@ -0,0 +1,203 @@ +$OpenBSD$ + +Mitigate dns rebinding attacks against daemon. CVE pends. +https://github.com/transmission/transmission/pull/468 +2.92 patches posted by https://github.com/lfam + +Index: libtransmission/rpc-server.c +--- libtransmission/rpc-server.c.orig libtransmission/rpc-server.c +@@ -52,6 +52,7 @@ struct tr_rpc_server + bool isEnabled; + bool isPasswordEnabled; + bool isWhitelistEnabled; ++bool isHostWhitelistEnabled; + tr_portport; + char * url; + struct in_addr bindAddress; +@@ -63,6 +64,7 @@ struct tr_rpc_server + char * password; + char * whitelistStr; + tr_list * whitelist; ++tr_list * hostWhitelist; + + char * sessionId; + time_t sessionIdExpiresAt; +@@ -588,6 +590,49 @@ isAddressAllowed (const tr_rpc_server * server, const + return false; + } + ++static bool isHostnameAllowed(tr_rpc_server const* server, struct evhttp_request* req) ++{ ++/* If password auth is enabled, any hostname is permitted. */ ++if (server->isPasswordEnabled) ++{ ++return true; ++} ++ ++char const* const host = evhttp_find_header(req->input_headers, "Host"); ++ ++// If whitelist is disabled, no restrictions. ++if (!server->isHostWhitelistEnabled) ++return true; ++ ++/* No host header, invalid request. */ ++if (host == NULL) ++{ ++return false; ++} ++ ++/* Host header might include the port. */ ++char* const hostname = tr_strndup(host, strcspn(host, ":")); ++ ++/* localhost or ipaddress is always acceptable. */ ++if (strcmp(hostname, "localhost") == 0 || strcmp(hostname, "localhost.") == 0 || tr_addressIsIP(hostname)) ++{ ++tr_free(hostname); ++return true; ++} ++ ++/* Otherwise, hostname must be whitelisted. */ ++for (tr_list* l =