Bug 516822 - <net-p2p/transmission-2.84: peer communication vulnerability (CVE-2014-4909)
Summary: <net-p2p/transmission-2.84: peer communication vulnerability (CVE-2014-4909)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-07-10 05:00 UTC by Samuli Suominen (RETIRED)
Modified: 2015-01-11 00:12 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Description Samuli Suominen (RETIRED) gentoo-dev 2014-07-10 05:00:41 UTC
2.84 is same as 2.83 but with security bug fixed:

http://trac.transmissionbt.com/wiki/Changes#version-2.84

Transmission 2.84 (2014/07/01)

Fix peer communication vulnerability (no known exploits) reported by Ben Hawkes
Comment 1 Samuli Suominen (RETIRED) gentoo-dev 2014-07-10 05:02:37 UTC
Please test and stabilize:

=net-p2p/transmission-2.84
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2014-07-10 06:05:01 UTC
Tried to find the vulnerability. This looks like it:

 proof-of-concept for tr_bitfieldEnsureNthBitAlloced overflow:

     tr_bitfieldEnsureBitsAlloced (b, nth + 1);
     ...
     b->bits[nth >> 3u] |= (0x80 >> (nth & 7u));

   results in a 1-bit out-of-bound write at constant address 0x1fffffff
   
   affects 32-bit systems only due to int index being cast to size_t nth

   it's also possible to trigger the write relative to an allocated chunk
   by sending a valid response to the first piece request and triggering
   the bug on the second piece request (such that b->bits is allocated)

   submission acts as a seeding peer for the provided torrent file

   by default, transmission clients will use uTP and encryption, which
   submission doesn't support. tested using the following client:

     transmission-2.83/daemon/transmission-daemon -et --no-utp -f -c .

   thanks!

   - hawkes (hawkes@inertiawar.com)
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2014-07-10 06:08:32 UTC
Arches, please test and mark stable:

=net-p2p/transmission-2.84

Target Keywords : "amd64 ppc ppc64 x86"

Thank you!
Comment 4 Agostino Sarubbo gentoo-dev 2014-07-12 10:55:20 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2014-07-12 10:55:40 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2014-08-08 21:35:57 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-08-09 10:49:12 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 8 Samuli Suominen (RETIRED) gentoo-dev 2014-08-10 05:17:21 UTC
cleanup done
Comment 9 Yury German Gentoo Infrastructure gentoo-dev 2014-08-17 05:50:22 UTC
Arches and Maintainer(s), Thank you for your work.

GLSA Vote: No
Comment 10 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-08-25 20:16:17 UTC
GLSA vote: No
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2015-01-11 00:12:23 UTC
CVE-2014-4909 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4909):
  Integer overflow in the tr_bitfieldEnsureNthBitAlloced function in
  bitfield.c in Transmission before 2.84 allows remote attackers to cause a
  denial of service and possibly execute arbitrary code via a crafted peer
  message, which triggers an out-of-bounds write.
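The arithmetic behind the overflow quoted in comment 2 and summarized in the CVE text, worked through as an added example (not code from Transmission or from this bug report). It models a 32-bit size_t with `uint32_t` so the wrap reproduces on any host; the helper names and the rejection check are illustrative assumptions, not the project's actual fix.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for size_t on a 32-bit system (assumption for this example). */
typedef uint32_t size32_t;

/* Bytes needed to hold bit_count bits, rounded up. */
static size32_t bytes_for_bits(size32_t bit_count)
{
    return (bit_count >> 3) + ((bit_count & 7u) ? 1u : 0u);
}

/* Unchecked pattern from comment 2: size the buffer for nth + 1 bits.
 * When nth has all 32 bits set, nth + 1 wraps to 0 and nothing is allocated. */
static size32_t unchecked_alloc_bytes(size32_t nth)
{
    return bytes_for_bits(nth + 1u);
}

/* Byte offset touched by: b->bits[nth >> 3u] |= (0x80 >> (nth & 7u)); */
static size32_t write_index(size32_t nth)
{
    return nth >> 3u;
}

/* True when that write stays inside the buffer sized by the unchecked path. */
static bool write_in_bounds(size32_t nth)
{
    return write_index(nth) < unchecked_alloc_bytes(nth);
}

/* Hardened sizing (illustrative): refuse an index whose successor wraps. */
static bool checked_alloc_bytes(size32_t nth, size32_t *out_bytes)
{
    if (nth == UINT32_MAX)
        return false;              /* caller must not perform the write */
    *out_bytes = bytes_for_bits(nth + 1u);
    return true;
}

int main(void)
{
    size32_t nth = UINT32_MAX;     /* constructed input: all-ones index */
    size32_t bytes = 0;
    printf("unchecked alloc: %u bytes, write offset: 0x%x, in bounds: %d\n",
           (unsigned)unchecked_alloc_bytes(nth), (unsigned)write_index(nth),
           (int)write_in_bounds(nth));
    printf("checked path accepts index: %d\n",
           (int)checked_alloc_bytes(nth, &bytes));
    return 0;
}
```

With no buffer allocated, the computed offset is the constant 0x1fffffff mentioned in comment 2.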