Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 898508 - <net-p2p/qbittorrent-4.5.2: Possible path traversal vulnerability
Summary: <net-p2p/qbittorrent-4.5.2: Possible path traversal vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa]
Keywords: PullRequest
Depends on: 905459
Blocks:
  Show dependency tree
 
Reported: 2023-03-01 00:57 UTC by Sam James
Modified: 2025-03-23 10:29 UTC (History)
6 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-03-01 00:57:56 UTC
A path disclosure vulnerability has been found in qbittorrent, see https://github.com/qbittorrent/qBittorrent/issues/18618.

It might be Windows-only (given the split on '/' but not '\') but it's not explicit, so better to be safe than sorry until clarified.

Fixed in the 4.5.2 release, please bump.
Comment 1 Larry the Git Cow gentoo-dev 2023-03-01 22:34:02 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9149a2e696c66a4bda804fcf44c0ec6b3bf75d9a

commit 9149a2e696c66a4bda804fcf44c0ec6b3bf75d9a
Author:     Joe Kappus <joe@wt.gd>
AuthorDate: 2023-03-01 01:42:59 +0000
Commit:     Piotr Karbowski <slashbeast@gentoo.org>
CommitDate: 2023-03-01 22:33:58 +0000

    net-p2p/qbittorrent: add 4.5.2
    
    Bug: https://bugs.gentoo.org/898508
    Signed-off-by: Joe Kappus <joe@wt.gd>
    Closes: https://github.com/gentoo/gentoo/pull/29864
    Signed-off-by: Piotr Karbowski <slashbeast@gentoo.org>

 net-p2p/qbittorrent/Manifest                 |   1 +
 net-p2p/qbittorrent/qbittorrent-4.5.2.ebuild | 103 +++++++++++++++++++++++++++
 2 files changed, 104 insertions(+)
Comment 2 Piotr Karbowski (RETIRED) gentoo-dev 2023-03-01 22:41:00 UTC
For future reference, feel free to merge pull requests or do other related changes as you see fit without even waiting for me, especially when it comes to security. I am usually around on weekends and hardly rbrt during weekdays, and I rather not leave such bugs to rot. 

This applies as much to this package as to any other where I am the singular listed maintainer, same goes for jumping as another maintainer of packages where there's only me listed.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-07 20:25:53 UTC
Please cleanup
Comment 4 Joe Kappus 2023-05-07 20:53:03 UTC
I added a PR to remove the old versions.
Comment 5 Larry the Git Cow gentoo-dev 2023-05-08 05:49:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d42b296008284e6badec71a7ef1dd133540b8fa6

commit d42b296008284e6badec71a7ef1dd133540b8fa6
Author:     Joe Kappus <joe@wt.gd>
AuthorDate: 2023-05-07 20:49:18 +0000
Commit:     Piotr Karbowski <slashbeast@gentoo.org>
CommitDate: 2023-05-08 05:49:11 +0000

    net-p2p/qbittorrent: drop 4.4.5-r2, 4.5.1
    
    Remove vulnerable versions.
    
    Bug: https://bugs.gentoo.org/898508
    Signed-off-by: Joe Kappus <joe@wt.gd>
    Closes: https://github.com/gentoo/gentoo/pull/30924
    Signed-off-by: Piotr Karbowski <slashbeast@gentoo.org>

 net-p2p/qbittorrent/Manifest                    |   2 -
 net-p2p/qbittorrent/qbittorrent-4.4.5-r2.ebuild | 103 ------------------------
 net-p2p/qbittorrent/qbittorrent-4.5.1.ebuild    | 103 ------------------------
 3 files changed, 208 deletions(-)
Comment 6 Filip Kobierski 2025-03-21 23:33:22 UTC
Can I somehow help in closing this?
Comment 7 Eli Schwartz gentoo-dev 2025-03-23 02:25:19 UTC
It is at "investigating whether a GLSA is needed" status, so that's up to the security team with our suggestions.

My suggestion:

(In reply to Sam James from comment #0)
> It might be Windows-only (given the split on '/' but not '\') but it's not
> explicit, so better to be safe than sorry until clarified.


The upstream project analyzed it as: "Seems the exploit only affect Windows builds, I'm updating the issue label."

Which aligns with your conclusion as well. I think that pending further information (after two years unlikely there will be any information that wasn't already discovered) we should indeed assume no GLSA was ever needed, and close this.
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2025-03-23 10:29:32 UTC
wfm