Re: [CVE pending] security patch for net/transmission

2018-01-15 Thread Josh Grosse
CVE-2018-5702 has been assigned, and the fix has been merged into upstream's
HEAD, with the milestone set for their upcoming 2.93 release.



Re: [CVE pending] security patch for net/transmission

2018-01-15 Thread Josh Grosse
On Mon, Jan 15, 2018 at 02:45:59PM +, Stuart Henderson wrote:
> Unless you know it's safe not to, it's probably best to bump all
> subpackages (or just remove REVISION-main and set REVISION=7).

Thanks for the suggestion!  A "v3" patch set is attached.
 
> Does this need more testing or are you happy with it now?
 
I haven't had much time to test. I would like at least
a second person's review before considering this to be
commit-ready.
Index: Makefile
===
RCS file: /systems/cvs/ports/net/transmission/Makefile,v
retrieving revision 1.122
diff -u -p -r1.122 Makefile
--- Makefile12 Jan 2018 16:09:42 -  1.122
+++ Makefile15 Jan 2018 14:51:48 -
@@ -9,8 +9,7 @@ DISTNAME=   transmission-${VER}
 PKGNAME-main=  transmission-${VER}
 PKGNAME-gtk=   transmission-gtk-${VER}
 PKGNAME-qt=transmission-qt-${VER}
-REVISION=  5
-REVISION-main= 6
+REVISION=  7
 CATEGORIES=net
 HOMEPAGE=  http://www.transmissionbt.com/
 MAINTAINER=Josh Grosse 
Index: patches/patch-libtransmission_quark_c
===
RCS file: patches/patch-libtransmission_quark_c
diff -N patches/patch-libtransmission_quark_c
--- /dev/null   1 Jan 1970 00:00:00 -
+++ patches/patch-libtransmission_quark_c   13 Jan 2018 00:58:51 -
@@ -0,0 +1,18 @@
+$OpenBSD$
+
+Mitigate dns rebinding attacks against daemon.  CVE pends.
+https://github.com/transmission/transmission/pull/468
+2.92 patches posted by https://github.com/lfam
+
+Index: libtransmission/quark.c
+--- libtransmission/quark.c.orig
 libtransmission/quark.c
+@@ -289,6 +289,8 @@ static const struct tr_key_struct my_static[] =
+   { "rpc-authentication-required", 27 },
+   { "rpc-bind-address", 16 },
+   { "rpc-enabled", 11 },
++  { "rpc-host-whitelist", 18 },
++  { "rpc-host-whitelist-enabled", 26 },
+   { "rpc-password", 12 },
+   { "rpc-port", 8 },
+   { "rpc-url", 7 },
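Review bot: The header comment added at the top of this new patch file still reads `CVE pends`, while the thread's later message records that CVE-2018-5702 has been assigned; before commit, change that line to `Mitigate DNS rebinding attacks against the daemon (CVE-2018-5702).` so the port's patch carries the identifier a reader will search for. The two new entries are placed in lexical order between `rpc-enabled` and `rpc-password`, and their length fields (18 and 26) match the key strings; if my_static[] is searched by bsearch, as the quark lookup presumably is, that ordering is what keeps lookups correct, so a one-line comment above the inserted pair noting the sort requirement would help the next person who adds a key. The my_static[] definition starts and ends outside this hunk.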
Index: patches/patch-libtransmission_quark_h
===
RCS file: patches/patch-libtransmission_quark_h
diff -N patches/patch-libtransmission_quark_h
--- /dev/null   1 Jan 1970 00:00:00 -
+++ patches/patch-libtransmission_quark_h   13 Jan 2018 00:58:51 -
@@ -0,0 +1,18 @@
+$OpenBSD$
+
+Mitigate dns rebinding attacks against daemon.  CVE pends.
+https://github.com/transmission/transmission/pull/468
+2.92 patches posted by https://github.com/lfam
+
+Index: libtransmission/quark.h
+--- libtransmission/quark.h.orig
 libtransmission/quark.h
+@@ -291,6 +291,8 @@ enum
+   TR_KEY_rpc_authentication_required,
+   TR_KEY_rpc_bind_address,
+   TR_KEY_rpc_enabled,
++  TR_KEY_rpc_host_whitelist,
++  TR_KEY_rpc_host_whitelist_enabled,
+   TR_KEY_rpc_password,
+   TR_KEY_rpc_port,
+   TR_KEY_rpc_url,
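Review bot: The new enumerators are inserted at the same position as the matching strings in the quark.c table, which is presumably what keeps each TR_KEY_ value usable as an index into my_static[] (the accessor is not in view), but nothing in the hunk says so; a short comment on the added pair such as `/* keep in the same order as my_static[] in quark.c */` would make that coupling explicit. The enum's opening and closing lines are outside this hunk.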
Index: patches/patch-libtransmission_rpc-server_c
===
RCS file: patches/patch-libtransmission_rpc-server_c
diff -N patches/patch-libtransmission_rpc-server_c
--- /dev/null   1 Jan 1970 00:00:00 -
+++ patches/patch-libtransmission_rpc-server_c  13 Jan 2018 00:58:51 -
@@ -0,0 +1,203 @@
+$OpenBSD$
+
+Mitigate dns rebinding attacks against daemon.  CVE pends.
+https://github.com/transmission/transmission/pull/468
+2.92 patches posted by https://github.com/lfam
+
+Index: libtransmission/rpc-server.c
+--- libtransmission/rpc-server.c.orig
 libtransmission/rpc-server.c
+@@ -52,6 +52,7 @@ struct tr_rpc_server
+ bool   isEnabled;
+ bool   isPasswordEnabled;
+ bool   isWhitelistEnabled;
++bool   isHostWhitelistEnabled;
+ tr_portport;
+ char * url;
+ struct in_addr bindAddress;
+@@ -63,6 +64,7 @@ struct tr_rpc_server
+ char * password;
+ char * whitelistStr;
+ tr_list  * whitelist;
++tr_list  * hostWhitelist;
+ 
+ char * sessionId;
+ time_t sessionIdExpiresAt;
+@@ -588,6 +590,49 @@ isAddressAllowed (const tr_rpc_server * server, const 
+   return false;
+ }
+ 
++static bool isHostnameAllowed(tr_rpc_server const* server, struct 
evhttp_request* req)
++{
++/* If password auth is enabled, any hostname is permitted. */
++if (server->isPasswordEnabled)
++{
++return true;
++}
++
++char const* const host = evhttp_find_header(req->input_headers, "Host");
++
++// If whitelist is disabled, no restrictions.
++if (!server->isHostWhitelistEnabled)
++return true;
++
++/* No host header, invalid request. */
++if (host == NULL)
++{
++return false;
++}
++
++/* Host header might include the port. */
++char* const hostname = tr_strndup(host, strcspn(host, ":"));
++
++/* localhost or ipaddress is always acceptable. */
++if (strcmp(hostname, "localhost") == 0 || 

Re: [CVE pending] security patch for net/transmission

2018-01-15 Thread Stuart Henderson
On 2018/01/15 09:08, Josh Grosse wrote:
> Revised to eliminate a conflict with Makefile 1.122, which was revised
> after this patch had been built.

> Index: Makefile
> ===
> RCS file: /systems/cvs/ports/net/transmission/Makefile,v
> retrieving revision 1.122
> diff -u -p -r1.122 Makefile
> --- Makefile  12 Jan 2018 16:09:42 -  1.122
> +++ Makefile  15 Jan 2018 14:03:29 -
> @@ -10,7 +10,7 @@ PKGNAME-main=   transmission-${VER}
>  PKGNAME-gtk= transmission-gtk-${VER}
>  PKGNAME-qt=  transmission-qt-${VER}
>  REVISION=5
> -REVISION-main=   6
> +REVISION-main=   7

Unless you know it's safe not to, it's probably best to bump all
subpackages (or just remove REVISION-main and set REVISION=7).

Does this need more testing or are you happy with it now?



Re: [CVE pending] security patch for net/transmission

2018-01-15 Thread Josh Grosse
Revised to eliminate a conflict with Makefile 1.122, which was revised
after this patch had been built.
Index: Makefile
===
RCS file: /systems/cvs/ports/net/transmission/Makefile,v
retrieving revision 1.122
diff -u -p -r1.122 Makefile
--- Makefile12 Jan 2018 16:09:42 -  1.122
+++ Makefile15 Jan 2018 14:03:29 -
@@ -10,7 +10,7 @@ PKGNAME-main= transmission-${VER}
 PKGNAME-gtk=   transmission-gtk-${VER}
 PKGNAME-qt=transmission-qt-${VER}
 REVISION=  5
-REVISION-main= 6
+REVISION-main= 7
 CATEGORIES=net
 HOMEPAGE=  http://www.transmissionbt.com/
 MAINTAINER=Josh Grosse 
Index: patches/patch-libtransmission_quark_c
===
RCS file: patches/patch-libtransmission_quark_c
diff -N patches/patch-libtransmission_quark_c
--- /dev/null   1 Jan 1970 00:00:00 -
+++ patches/patch-libtransmission_quark_c   13 Jan 2018 00:58:51 -
@@ -0,0 +1,18 @@
+$OpenBSD$
+
+Mitigate dns rebinding attacks against daemon.  CVE pends.
+https://github.com/transmission/transmission/pull/468
+2.92 patches posted by https://github.com/lfam
+
+Index: libtransmission/quark.c
+--- libtransmission/quark.c.orig
 libtransmission/quark.c
+@@ -289,6 +289,8 @@ static const struct tr_key_struct my_static[] =
+   { "rpc-authentication-required", 27 },
+   { "rpc-bind-address", 16 },
+   { "rpc-enabled", 11 },
++  { "rpc-host-whitelist", 18 },
++  { "rpc-host-whitelist-enabled", 26 },
+   { "rpc-password", 12 },
+   { "rpc-port", 8 },
+   { "rpc-url", 7 },
Index: patches/patch-libtransmission_quark_h
===
RCS file: patches/patch-libtransmission_quark_h
diff -N patches/patch-libtransmission_quark_h
--- /dev/null   1 Jan 1970 00:00:00 -
+++ patches/patch-libtransmission_quark_h   13 Jan 2018 00:58:51 -
@@ -0,0 +1,18 @@
+$OpenBSD$
+
+Mitigate dns rebinding attacks against daemon.  CVE pends.
+https://github.com/transmission/transmission/pull/468
+2.92 patches posted by https://github.com/lfam
+
+Index: libtransmission/quark.h
+--- libtransmission/quark.h.orig
 libtransmission/quark.h
+@@ -291,6 +291,8 @@ enum
+   TR_KEY_rpc_authentication_required,
+   TR_KEY_rpc_bind_address,
+   TR_KEY_rpc_enabled,
++  TR_KEY_rpc_host_whitelist,
++  TR_KEY_rpc_host_whitelist_enabled,
+   TR_KEY_rpc_password,
+   TR_KEY_rpc_port,
+   TR_KEY_rpc_url,
Index: patches/patch-libtransmission_rpc-server_c
===
RCS file: patches/patch-libtransmission_rpc-server_c
diff -N patches/patch-libtransmission_rpc-server_c
--- /dev/null   1 Jan 1970 00:00:00 -
+++ patches/patch-libtransmission_rpc-server_c  13 Jan 2018 00:58:51 -
@@ -0,0 +1,203 @@
+$OpenBSD$
+
+Mitigate dns rebinding attacks against daemon.  CVE pends.
+https://github.com/transmission/transmission/pull/468
+2.92 patches posted by https://github.com/lfam
+
+Index: libtransmission/rpc-server.c
+--- libtransmission/rpc-server.c.orig
 libtransmission/rpc-server.c
+@@ -52,6 +52,7 @@ struct tr_rpc_server
+ bool   isEnabled;
+ bool   isPasswordEnabled;
+ bool   isWhitelistEnabled;
++bool   isHostWhitelistEnabled;
+ tr_portport;
+ char * url;
+ struct in_addr bindAddress;
+@@ -63,6 +64,7 @@ struct tr_rpc_server
+ char * password;
+ char * whitelistStr;
+ tr_list  * whitelist;
++tr_list  * hostWhitelist;
+ 
+ char * sessionId;
+ time_t sessionIdExpiresAt;
+@@ -588,6 +590,49 @@ isAddressAllowed (const tr_rpc_server * server, const 
+   return false;
+ }
+ 
++static bool isHostnameAllowed(tr_rpc_server const* server, struct 
evhttp_request* req)
++{
++/* If password auth is enabled, any hostname is permitted. */
++if (server->isPasswordEnabled)
++{
++return true;
++}
++
++char const* const host = evhttp_find_header(req->input_headers, "Host");
++
++// If whitelist is disabled, no restrictions.
++if (!server->isHostWhitelistEnabled)
++return true;
++
++/* No host header, invalid request. */
++if (host == NULL)
++{
++return false;
++}
++
++/* Host header might include the port. */
++char* const hostname = tr_strndup(host, strcspn(host, ":"));
++
++/* localhost or ipaddress is always acceptable. */
++if (strcmp(hostname, "localhost") == 0 || strcmp(hostname, "localhost.") 
== 0 || tr_addressIsIP(hostname))
++{
++tr_free(hostname);
++return true;
++}
++
++/* Otherwise, hostname must be whitelisted. */
++for (tr_list* l = server->hostWhitelist; l != NULL; l = l->next) {
++if (tr_wildmat(hostname, l->data))
++{
++tr_free(hostname);
++return true;
++}
++}

[CVE pending] security patch for net/transmission

2018-01-14 Thread Josh Grosse
The attached patch against transmission 2.92 has been tested
on amd64, but could use additional testing.  It mitigates a DNS
rebinding attack against transmission-daemon.

Upstream is aware of the security issue but has not yet acted on it.
Index: Makefile
===
RCS file: /systems/cvs/ports/net/transmission/Makefile,v
retrieving revision 1.120
diff -u -p -r1.120 Makefile
--- Makefile16 Nov 2017 23:20:39 -  1.120
+++ Makefile13 Jan 2018 00:37:25 -
@@ -9,7 +9,7 @@ DISTNAME=   transmission-${VER}
 PKGNAME-main=  transmission-${VER}
 PKGNAME-gtk=   transmission-gtk-${VER}
 PKGNAME-qt=transmission-qt-${VER}
-REVISION=  5
+REVISION=  6
 CATEGORIES=net
 HOMEPAGE=  http://www.transmissionbt.com/
 MAINTAINER=Josh Grosse 
Index: patches/patch-libtransmission_quark_c
===
RCS file: patches/patch-libtransmission_quark_c
diff -N patches/patch-libtransmission_quark_c
--- /dev/null   1 Jan 1970 00:00:00 -
+++ patches/patch-libtransmission_quark_c   13 Jan 2018 00:56:42 -
@@ -0,0 +1,18 @@
+$OpenBSD$
+
+Mitigate dns rebinding attacks against daemon.  CVE pends.
+https://github.com/transmission/transmission/pull/468
+2.92 patches posted by https://github.com/lfam
+
+Index: libtransmission/quark.c
+--- libtransmission/quark.c.orig
 libtransmission/quark.c
+@@ -289,6 +289,8 @@ static const struct tr_key_struct my_static[] =
+   { "rpc-authentication-required", 27 },
+   { "rpc-bind-address", 16 },
+   { "rpc-enabled", 11 },
++  { "rpc-host-whitelist", 18 },
++  { "rpc-host-whitelist-enabled", 26 },
+   { "rpc-password", 12 },
+   { "rpc-port", 8 },
+   { "rpc-url", 7 },
Index: patches/patch-libtransmission_quark_h
===
RCS file: patches/patch-libtransmission_quark_h
diff -N patches/patch-libtransmission_quark_h
--- /dev/null   1 Jan 1970 00:00:00 -
+++ patches/patch-libtransmission_quark_h   13 Jan 2018 00:56:47 -
@@ -0,0 +1,18 @@
+$OpenBSD$
+
+Mitigate dns rebinding attacks against daemon.  CVE pends.
+https://github.com/transmission/transmission/pull/468
+2.92 patches posted by https://github.com/lfam
+
+Index: libtransmission/quark.h
+--- libtransmission/quark.h.orig
 libtransmission/quark.h
+@@ -291,6 +291,8 @@ enum
+   TR_KEY_rpc_authentication_required,
+   TR_KEY_rpc_bind_address,
+   TR_KEY_rpc_enabled,
++  TR_KEY_rpc_host_whitelist,
++  TR_KEY_rpc_host_whitelist_enabled,
+   TR_KEY_rpc_password,
+   TR_KEY_rpc_port,
+   TR_KEY_rpc_url,
Index: patches/patch-libtransmission_rpc-server_c
===
RCS file: patches/patch-libtransmission_rpc-server_c
diff -N patches/patch-libtransmission_rpc-server_c
--- /dev/null   1 Jan 1970 00:00:00 -
+++ patches/patch-libtransmission_rpc-server_c  13 Jan 2018 00:56:55 -
@@ -0,0 +1,203 @@
+$OpenBSD$
+
+Mitigate dns rebinding attacks against daemon.  CVE pends.
+https://github.com/transmission/transmission/pull/468
+2.92 patches posted by https://github.com/lfam
+
+Index: libtransmission/rpc-server.c
+--- libtransmission/rpc-server.c.orig
 libtransmission/rpc-server.c
+@@ -52,6 +52,7 @@ struct tr_rpc_server
+ bool   isEnabled;
+ bool   isPasswordEnabled;
+ bool   isWhitelistEnabled;
++bool   isHostWhitelistEnabled;
+ tr_portport;
+ char * url;
+ struct in_addr bindAddress;
+@@ -63,6 +64,7 @@ struct tr_rpc_server
+ char * password;
+ char * whitelistStr;
+ tr_list  * whitelist;
++tr_list  * hostWhitelist;
+ 
+ char * sessionId;
+ time_t sessionIdExpiresAt;
+@@ -588,6 +590,49 @@ isAddressAllowed (const tr_rpc_server * server, const 
+   return false;
+ }
+ 
++static bool isHostnameAllowed(tr_rpc_server const* server, struct 
evhttp_request* req)
++{
++/* If password auth is enabled, any hostname is permitted. */
++if (server->isPasswordEnabled)
++{
++return true;
++}
++
++char const* const host = evhttp_find_header(req->input_headers, "Host");
++
++// If whitelist is disabled, no restrictions.
++if (!server->isHostWhitelistEnabled)
++return true;
++
++/* No host header, invalid request. */
++if (host == NULL)
++{
++return false;
++}
++
++/* Host header might include the port. */
++char* const hostname = tr_strndup(host, strcspn(host, ":"));
++
++/* localhost or ipaddress is always acceptable. */
++if (strcmp(hostname, "localhost") == 0 || strcmp(hostname, "localhost.") 
== 0 || tr_addressIsIP(hostname))
++{
++tr_free(hostname);
++return true;
++}
++
++/* Otherwise, hostname must be whitelisted. */
++for (tr_list* l =