From ${URL} : The bdecode function in bdecode.cpp in libtorrent allows attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file. Upstream issue: https://github.com/arvidn/libtorrent/issues/2099 Upstream patch: https://github.com/arvidn/libtorrent/commit/ec30a5e9ec703afb8abefba757c6d401303b53db @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for stabilization or not.
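The flaw above is a parser reading past the end of its input. As an added illustration of that bug class, and not libtorrent's code nor a reproduction of the specific issue #2099 (which this page does not detail), here is a small bounds-checked bencode validator in C: every read is gated on a cursor/end comparison, and a string's declared length is checked against the bytes that actually remain before the cursor advances. All names (bdec_t, bdecode_validate, BDEC_MAX_DEPTH) and the sample inputs are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
/* Added example, not libtorrent's bdecode: a bounds-checked bencode validator.
 * Every read goes through cursor/end comparisons, and a string's declared
 * length is checked against the bytes that remain, so a crafted file cannot
 * push the cursor past the buffer. */
#define BDEC_MAX_DEPTH 100  /* nesting cap; arbitrary value for this example */
typedef struct {
    const unsigned char *p, *end;  /* cursor and one-past-end of the input */
    int depth;                     /* current list/dict nesting */
} bdec_t;
static int bdec_value(bdec_t *d);

/* Run of ASCII digits, capped at 18 so the value cannot wrap a 64-bit size_t. */
static int bdec_uint(bdec_t *d, size_t *out)
{
    size_t v = 0; int n = 0;
    while (d->p < d->end && *d->p >= '0' && *d->p <= '9') {
        if (++n > 18) return -1;
        v = v * 10 + (size_t)(*d->p++ - '0');
    }
    if (n == 0) return -1;
    *out = v;
    return 0;
}

/* <len>:<bytes> */
static int bdec_string(bdec_t *d)
{
    size_t len;
    if (bdec_uint(d, &len) != 0) return -1;
    if (d->p >= d->end || *d->p != ':') return -1;
    d->p++;
    /* The check that stops a heap over-read: the length the file claims must not
     * exceed what is left. Compare sizes, not pointers; d->p + len past the end is UB. */
    if (len > (size_t)(d->end - d->p)) return -1;
    d->p += len;
    return 0;
}

/* i<digits>e with optional '-'; leading zeros are not rejected here */
static int bdec_int(bdec_t *d)
{
    size_t ignored;
    d->p++;                                      /* consume 'i' */
    if (d->p < d->end && *d->p == '-') d->p++;
    if (bdec_uint(d, &ignored) != 0) return -1;
    if (d->p >= d->end || *d->p != 'e') return -1;
    d->p++;
    return 0;
}

/* l...e or d...e; dict keys must be strings and each key needs a value */
static int bdec_container(bdec_t *d, int is_dict)
{
    d->p++;                                      /* consume 'l' or 'd' */
    if (++d->depth > BDEC_MAX_DEPTH) return -1;  /* bounds the recursion too */
    for (;;) {
        if (d->p >= d->end) return -1;           /* truncated: no closing 'e' */
        if (*d->p == 'e') { d->p++; d->depth--; return 0; }
        if (is_dict && (*d->p < '0' || *d->p > '9' || bdec_string(d) != 0))
            return -1;
        if (bdec_value(d) != 0) return -1;       /* EOF or 'e' as a value fails */
    }
}

static int bdec_value(bdec_t *d)
{
    if (d->p >= d->end) return -1;
    switch (*d->p) {
    case 'i': return bdec_int(d);
    case 'l': return bdec_container(d, 0);
    case 'd': return bdec_container(d, 1);
    default:  return (*d->p >= '0' && *d->p <= '9') ? bdec_string(d) : -1;
    }
}

/* Exactly one top-level value, no trailing bytes: 0 if well-formed, else -1. */
int bdecode_validate(const unsigned char *buf, size_t len)
{
    bdec_t d = { buf, buf + len, 0 };
    if (bdec_value(&d) != 0) return -1;
    return d.p == d.end ? 0 : -1;
}
int bdecode_validate_cstr(const char *s)
{
    return bdecode_validate((const unsigned char *)s, strlen(s));
}

int main(void)
{
    /* Constructed samples, not taken from any real torrent file. */
    const char *ok  = "d8:announce10:http://t/a4:infod6:lengthi1234e4:name8:test.binee";
    const char *cut = "d8:announce10:http://t/a4:infod6:lengthi1234e4:name8:test.bin";
    const char *lie = "5:ab";   /* claims 5 bytes, only 2 follow */
    printf("%d %d %d\n", bdecode_validate_cstr(ok),
           bdecode_validate_cstr(cut), bdecode_validate_cstr(lie));   /* 0 -1 -1 */
    return 0;
}
```

The three things a crafted file can do to a length-prefixed format are all covered here: lie about a string length (caught by the size comparison in bdec_string), stop early so a container never closes (caught by the end check at the top of the loop), and nest deeply enough to exhaust the stack (caught by BDEC_MAX_DEPTH). The 18-digit cap is a blunt choice for the example; a real decoder would also reject leading zeros and unsorted dictionary keys, which this validator deliberately leaves alone.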
1.1.5 version bump, which contains the fix, added to tree in git commit ba2bd6037f03559b49ee56462e0ffd0606d71aa8
Note that net-p2p/deluge-1.3.15 has this: CDEPEND="<net-libs/libtorrent-rasterbar-1.1[python,${PYTHON_USEDEP}]"
(In reply to Sławomir Nizio from comment #2) > CDEPEND="<net-libs/libtorrent-rasterbar-1.1[python,${PYTHON_USEDEP}]" That may be sad for deluge users but at least it means they got their dependencies right.
x86 stable
amd64 stable
ppc64 stable
ppc stable
The bug has been closed via the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7bf75899ab29cb7f927d6954b0969f5e3c73d3dc
commit 7bf75899ab29cb7f927d6954b0969f5e3c73d3dc
Author: Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-02-04 17:10:25 +0000
Commit: Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-02-04 17:38:55 +0000
net-libs/libtorrent-rasterbar: Cleanup vulnerable
Stabilisation timeout.
Closes: https://bugs.gentoo.org/623152
Package-Manager: Portage-2.3.24, Repoman-2.3.6
 net-libs/libtorrent-rasterbar/Manifest | 1 -
 ...rent-rasterbar-1.0.11-boost-config-header.patch | 31 ----
 ...libtorrent-rasterbar-1.0.11-fix-abicompat.patch | 157 ---------------------
 .../libtorrent-rasterbar-1.0.11-fix-test_ssl.patch | 21 ---
 .../libtorrent-rasterbar-1.0.11-move-header.patch | 34 -----
 ...orrent-rasterbar-1.0.9-test_torrent_parse.patch | 41 ------
 .../libtorrent-rasterbar-1.0.11-r1.ebuild | 117 ---------------
 7 files changed, 402 deletions(-)
Cleanup done, I guess security can do their thing now.
(In reply to Andreas Sturmlechner from comment #9) > Cleanup done, I guess security can do their thing now. Thanks, Andreas! GLSA Vote: No
'what was I thinking?' Temporarily restored for bug 641336.
The bug has been closed via the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=57d52572cbe8d2586523a66b0f6bbc6254f7edc0
commit 57d52572cbe8d2586523a66b0f6bbc6254f7edc0
Author: Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-02-22 21:47:44 +0000
Commit: Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-02-22 21:48:41 +0000
net-libs/libtorrent-rasterbar: Cleanup vulnerable
Closes: https://bugs.gentoo.org/623152
 net-libs/libtorrent-rasterbar/Manifest | 1 -
 ...rent-rasterbar-1.0.11-boost-config-header.patch | 31 ----
 ...libtorrent-rasterbar-1.0.11-fix-abicompat.patch | 157 ---------------------
 .../libtorrent-rasterbar-1.0.11-fix-test_ssl.patch | 21 ---
 .../libtorrent-rasterbar-1.0.11-move-header.patch | 34 -----
 ...orrent-rasterbar-1.0.9-test_torrent_parse.patch | 41 ------
 .../libtorrent-rasterbar-1.0.11-r1.ebuild | 117 ---------------
 7 files changed, 402 deletions(-)