Bug 180525 - net-p2p/transmission: <0.7 security DoS fixes (and more?)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
Whiteboard: B3 [noglsa] Falco
Reported: 2007-06-01 09:16 UTC by Raphael Marichez (Falco) (RETIRED)
Modified: 2007-06-09 19:24 UTC
Description Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-06-01 09:16:33 UTC
Hi teams,
Steve Manzuik reported to me that several security fixes are waiting in our transmission ebuilds.

http://transmission.m0k.org/trac/changeset/1534
Boundary errors, I haven't checked if all of them are exploitable, but it seems really non-trivial.

http://transmission.m0k.org/trac/changeset/1536
Potential integer overflow during the multiplication. Here too, exploitation would be non-trivial, if possible.

Arches, please test and mark stable a 0.7x version. 0.72 has been in portage without change for 1 month.
Or Saleem, do you prefer to stabilize another 0.7x version?

Thanks
Comment 1 Raúl Porcel (RETIRED) gentoo-dev 2007-06-01 11:09:41 UTC
x86 stable
Comment 2 Peter Weller (RETIRED) gentoo-dev 2007-06-01 11:32:28 UTC
amd64 done
Comment 3 René Nussbaumer (RETIRED) gentoo-dev 2007-06-02 21:27:28 UTC
stable on ppc.
Comment 4 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-06-07 21:56:47 UTC
simple DoS, I vote noglsa. Please double-check my analysis (comment #0) and vote too.
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-06-08 06:20:43 UTC
Haven't had time to analyse the code snippets, but if it's a simple DoS I would vote NO too.
Comment 6 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-06-09 17:30:57 UTC
voting NO.
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-06-09 19:24:02 UTC
Closing. Feel free to reopen if the above analysis is not correct.