A path disclosure vulnerability has been found in qbittorrent, see https://github.com/qbittorrent/qBittorrent/issues/18618. It might be Windows-only (given the split on '/' but not '\') but it's not explicit, so better to be safe than sorry until clarified. Fixed in the 4.5.2 release, please bump.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9149a2e696c66a4bda804fcf44c0ec6b3bf75d9a commit 9149a2e696c66a4bda804fcf44c0ec6b3bf75d9a Author: Joe Kappus <joe@wt.gd> AuthorDate: 2023-03-01 01:42:59 +0000 Commit: Piotr Karbowski <slashbeast@gentoo.org> CommitDate: 2023-03-01 22:33:58 +0000 net-p2p/qbittorrent: add 4.5.2 Bug: https://bugs.gentoo.org/898508 Signed-off-by: Joe Kappus <joe@wt.gd> Closes: https://github.com/gentoo/gentoo/pull/29864 Signed-off-by: Piotr Karbowski <slashbeast@gentoo.org> net-p2p/qbittorrent/Manifest | 1 + net-p2p/qbittorrent/qbittorrent-4.5.2.ebuild | 103 +++++++++++++++++++++++++++ 2 files changed, 104 insertions(+)
For future reference, feel free to merge pull requests or do other related changes as you see fit without even waiting for me, especially when it comes to security. I am usually around on weekends and hardly rbrt during weekdays, and I rather not leave such bugs to rot. This applies as much to this package as to any other where I am the singular listed maintainer, same goes for jumping as another maintainer of packages where there's only me listed.
Please cleanup
I added a PR to remove the old versions.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d42b296008284e6badec71a7ef1dd133540b8fa6 commit d42b296008284e6badec71a7ef1dd133540b8fa6 Author: Joe Kappus <joe@wt.gd> AuthorDate: 2023-05-07 20:49:18 +0000 Commit: Piotr Karbowski <slashbeast@gentoo.org> CommitDate: 2023-05-08 05:49:11 +0000 net-p2p/qbittorrent: drop 4.4.5-r2, 4.5.1 Remove vulnerable versions. Bug: https://bugs.gentoo.org/898508 Signed-off-by: Joe Kappus <joe@wt.gd> Closes: https://github.com/gentoo/gentoo/pull/30924 Signed-off-by: Piotr Karbowski <slashbeast@gentoo.org> net-p2p/qbittorrent/Manifest | 2 - net-p2p/qbittorrent/qbittorrent-4.4.5-r2.ebuild | 103 ------------------------ net-p2p/qbittorrent/qbittorrent-4.5.1.ebuild | 103 ------------------------ 3 files changed, 208 deletions(-)
Can I somehow help in closing this?
It is at "investigating whether a GLSA is needed" status, so that's up to the security team with our suggestions. My suggestion: (In reply to Sam James from comment #0) > It might be Windows-only (given the split on '/' but not '\') but it's not > explicit, so better to be safe than sorry until clarified. The upstream project analyzed it as: "Seems the exploit only affect Windows builds, I'm updating the issue label." Which aligns with your conclusion as well. I think that pending further information (after two years unlikely there will be any information that wasn't already discovered) we should indeed assume no GLSA was ever needed, and close this.
wfm
