Bug 898508 - <net-p2p/qbittorrent-4.5.2: Possible path traversal vulnerability
Summary: <net-p2p/qbittorrent-4.5.2: Possible path traversal vulnerability
Status: IN_PROGRESS
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa?]
Keywords: PullRequest
Depends on: 905459
Blocks:
Reported: 2023-03-01 00:57 UTC by Sam James
Modified: 2024-01-22 10:57 UTC
CC: 4 users

See Also:
Package list:
Runtime testing required: ---
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-03-01 00:57:56 UTC
A path disclosure vulnerability has been found in qbittorrent, see https://github.com/qbittorrent/qBittorrent/issues/18618.

It might be Windows-only (given the split on '/' but not '\') but it's not explicit, so better to be safe than sorry until clarified.

Fixed in the 4.5.2 release, please bump.
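The report above hints that the affected check split candidate file paths on '/' only, so a component separated by '\' would not be inspected. The following is an added illustration of that class of defect, not qBittorrent's code: it assumes a download-path validator that rejects any '..' component, and contrasts a slash-only split with one that treats both separators as boundaries.

```python
import re

# Added example (not qBittorrent's code). Assumption: the weak validator
# only recognised '/' as a separator, so "..\\evil" arrived as a single
# component and was never flagged as leaving the download directory.
SEPARATORS = re.compile(r"[\\/]+")


def components_slash_only(path: str) -> list:
    """Naive split: only '/' delimits components, '\\' is treated as data."""
    return [c for c in path.split("/") if c]


def components_any_separator(path: str) -> list:
    """Hardened split: both '/' and '\\' delimit components."""
    return [c for c in SEPARATORS.split(path) if c]


def is_safe_relative_path(path: str, split=components_any_separator) -> bool:
    """Return True only for a non-empty relative path with no '..' component.

    Rejects absolute paths (leading separator), Windows drive letters
    ("C:..."), and any component equal to '..'. The `split` parameter lets the
    caller plug in the naive or the hardened component splitter.
    """
    if not path or path[0] in "/\\":
        return False
    if len(path) > 1 and path[1] == ":":  # drive-letter prefix such as C:
        return False
    parts = split(path)
    return bool(parts) and all(p != ".." for p in parts)


if __name__ == "__main__":
    # Constructed sample names: the third one is only caught by the hardened splitter.
    for name in ("docs/readme.txt", "../outside.txt", "..\\outside.txt"):
        print(f"{name!r:20} slash-only={is_safe_relative_path(name, components_slash_only)} "
              f"both={is_safe_relative_path(name)}")
```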
Comment 1 Larry the Git Cow gentoo-dev 2023-03-01 22:34:02 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9149a2e696c66a4bda804fcf44c0ec6b3bf75d9a

commit 9149a2e696c66a4bda804fcf44c0ec6b3bf75d9a
Author:     Joe Kappus <joe@wt.gd>
AuthorDate: 2023-03-01 01:42:59 +0000
Commit:     Piotr Karbowski <slashbeast@gentoo.org>
CommitDate: 2023-03-01 22:33:58 +0000

    net-p2p/qbittorrent: add 4.5.2
    
    Bug: https://bugs.gentoo.org/898508
    Signed-off-by: Joe Kappus <joe@wt.gd>
    Closes: https://github.com/gentoo/gentoo/pull/29864
    Signed-off-by: Piotr Karbowski <slashbeast@gentoo.org>

 net-p2p/qbittorrent/Manifest                 |   1 +
 net-p2p/qbittorrent/qbittorrent-4.5.2.ebuild | 103 +++++++++++++++++++++++++++
 2 files changed, 104 insertions(+)
Comment 2 Piotr Karbowski (RETIRED) gentoo-dev 2023-03-01 22:41:00 UTC
For future reference, feel free to merge pull requests or do other related changes as you see fit without even waiting for me, especially when it comes to security. I am usually around on weekends and hardly rbrt during weekdays, and I would rather not leave such bugs to rot.

This applies as much to this package as to any other where I am the singular listed maintainer, same goes for jumping as another maintainer of packages where there's only me listed.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-07 20:25:53 UTC
Please cleanup
Comment 4 Joe Kappus 2023-05-07 20:53:03 UTC
I added a PR to remove the old versions.
Comment 5 Larry the Git Cow gentoo-dev 2023-05-08 05:49:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d42b296008284e6badec71a7ef1dd133540b8fa6

commit d42b296008284e6badec71a7ef1dd133540b8fa6
Author:     Joe Kappus <joe@wt.gd>
AuthorDate: 2023-05-07 20:49:18 +0000
Commit:     Piotr Karbowski <slashbeast@gentoo.org>
CommitDate: 2023-05-08 05:49:11 +0000

    net-p2p/qbittorrent: drop 4.4.5-r2, 4.5.1
    
    Remove vulnerable versions.
    
    Bug: https://bugs.gentoo.org/898508
    Signed-off-by: Joe Kappus <joe@wt.gd>
    Closes: https://github.com/gentoo/gentoo/pull/30924
    Signed-off-by: Piotr Karbowski <slashbeast@gentoo.org>

 net-p2p/qbittorrent/Manifest                    |   2 -
 net-p2p/qbittorrent/qbittorrent-4.4.5-r2.ebuild | 103 ------------------------
 net-p2p/qbittorrent/qbittorrent-4.5.1.ebuild    | 103 ------------------------
 3 files changed, 208 deletions(-)