+++ This bug was initially created as a clone of Bug #273156 +++

libtorrent (rasterbar) before 0.14.4 does not sufficiently verify the filenames in a .torrent file, allowing it to overwrite files outside the chosen download location via "../" characters. Deluge ships a copy of rb_libtorrent.
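The filename check described in the report above can be sketched as follows. This is an added example, not code from libtorrent, Deluge or this bug report; it assumes an already-decoded "info" dictionary in the standard BitTorrent metainfo layout ("name", plus "files" entries with "path" lists), and the function names and sample data are hypothetical.

```python
import os

def resolve_entry(download_dir, components):
    """Return the absolute target for one file entry, or None if it is unsafe."""
    if not components:
        return None
    for part in components:
        # Each component must be a plain name: no traversal, separators or NULs.
        if part in ("", ".", "..") or any(c in part for c in "/\\\0"):
            return None
    base = os.path.realpath(download_dir)
    target = os.path.realpath(os.path.join(base, *components))
    # Re-check after resolution so a symlink inside base cannot lead outside it.
    if os.path.commonpath([base, target]) != base:
        return None
    return target

def audit_info(download_dir, info):
    """Split the entries of a decoded 'info' dictionary into (accepted, rejected)."""
    name = info["name"]
    if "files" in info:  # multi-file torrent: 'name' is the top-level directory
        entries = [[name] + list(f["path"]) for f in info["files"]]
    else:                # single-file torrent: 'name' is the file itself
        entries = [[name]]
    accepted, rejected = [], []
    for comp in entries:
        bucket = accepted if resolve_entry(download_dir, comp) else rejected
        bucket.append("/".join(comp))
    return accepted, rejected

# Constructed sample data (not taken from any real .torrent file).
SAMPLE_INFO = {
    "name": "album",
    "files": [
        {"length": 10, "path": ["cd1", "track01.ogg"]},
        {"length": 10, "path": ["..", "..", "outside.txt"]},
        {"length": 10, "path": ["cd1/../../../tmp", "x"]},
    ],
}

if __name__ == "__main__":
    print(audit_info("/tmp/downloads", SAMPLE_INFO))
```

Rejecting the whole torrent when any entry lands in the rejected list is the conservative policy; silently stripping "../" and continuing can still place files where the user did not expect them.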
upstream: 1.1.9 has been released to address this.

*deluge-1.1.9 (16 Jun 2009)

  16 Jun 2009; Raúl Porcel <armin76@gentoo.org> +deluge-1.1.9.ebuild,
  deluge-9999.ebuild:
  Version bump, add missing dep wrt #273444
Arches, please test and mark stable:
=net-p2p/deluge-1.1.9
Target keywords: "amd64 x86"
x86 stable
amd64 stable.
glsa: YES
There is no <net-p2p/deluge-1.1.9 in portage any more.
This was published as glsa-200907-14: http://www.gentoo.org/security/en/glsa/glsa-200907-14.xml