Bug 593288 (CVE-2016-7164) - <net-libs/libtorrent-rasterbar-1.0.11-r1: Segmentation fault caused by malformed GZIP encoded response
Status: RESOLVED FIXED
Alias: CVE-2016-7164
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-09-09 13:34 UTC by Agostino Sarubbo
Modified: 2017-10-29 19:06 UTC

See Also:
Package list:
=net-libs/libtorrent-rasterbar-1.0.11-r1
Runtime testing required: ---
stable-bot: sanity-check+


Description Agostino Sarubbo gentoo-dev 2016-09-09 13:34:10 UTC
From ${URL} :

A segmentation fault happens when receiving malformed GZIP encoded response. An attacker-controlled torrent tracker can crash victim torrent clients by sending malformed GZIP responses.

Upstream issue:

https://github.com/arvidn/libtorrent/issues/1021

Upstream patch:

https://github.com/arvidn/libtorrent/commit/debf3c6e3688aab8394fe5c47737625faffe6f9e

CVE assignment:

http://seclists.org/oss-sec/2016/q3/443


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-18 17:50:28 UTC
@ maintainer(s): A public release (v1.1.1) containing the fix was released. Also there's a backport for v1.0.x: https://github.com/arvidn/libtorrent/commit/2d7d0128adafb7574d0e5a66390188cdfb8caad6
Comment 2 Andreas Sturmlechner gentoo-dev 2017-03-18 23:20:46 UTC
Fixed version 1.0.11 was added to tree on 2017-03-07, please add arches as you see fit.
Comment 3 Diogo Pereira 2017-08-21 00:43:05 UTC
Please stabilize
Comment 4 Andreas Sturmlechner gentoo-dev 2017-10-20 22:33:23 UTC
sigh
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2017-10-22 20:33:22 UTC
x86 stable
Comment 6 Manuel Rüger (RETIRED) gentoo-dev 2017-10-23 12:12:45 UTC
Stable on amd64
Comment 7 Markus Meier gentoo-dev 2017-10-24 17:36:09 UTC
arm stable
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-28 20:53:51 UTC
ppc/ppc64 stable
Comment 9 Andreas Sturmlechner gentoo-dev 2017-10-28 22:08:45 UTC
Cleanup done in git commit 8707e66100a153095d6b2b8582a730c4b10fac4c
Comment 10 Aleksandr Wagner (Kivak) 2017-10-28 23:10:53 UTC
Cleanup and stabilization done, thank you all.

@ Security, please vote on glsa.
Comment 11 Aaron Bauman (RETIRED) gentoo-dev 2017-10-29 19:06:04 UTC
(In reply to Andreas Sturmlechner from comment #9)
> Cleanup done in git commit 8707e66100a153095d6b2b8582a730c4b10fac4c

Thanks, Andreas!

GLSA Vote: No.