""" Hi all, qBittorrent, on all platforms, did not verify any SSL certificates in its DownloadManager class from 2010 until October 2024. If it failed to verify a cert, it simply logged an error and proceeded. To be exploitable, this bug requires either MITM access or DNS spoofing attacks, but under those conditions (seen regularly in some countries), impacts are severe. The primary impact is single-click RCE for Windows builds from 2015 onward, when prompted to update python the exe is downloaded from a hardcoded URL, executed, and then deleted afterwards. The secondary impact for all platforms is the update RSS feed can be poisoned with malicious update URLs which the user will open in their browser if they accept the prompt to update. This is browser hijacking and arbitrary exe delivery to a user who would likely trust whatever URL this software sent them to. The tertiary impact is this means that an older CVE (CVE-2019-13640 <https://www.cvedetails.com/cve/CVE-2019-13640/>) which allowed remote command execution via shell metacharacters could have been exploited by (government) attackers conducting either MITM or DNS spoofing attacks at the time, instead of only by the author of the feed. Full write up is here: https://sharpsec.run/rce-vulnerability-in-qbittorrent/ I have applied for a CVE but have had no response yet. Mitigation is to use any other torrent client. The latest release is patched against this issue. Credit: Jordan Sharp (finder) """
I've done some additional research.

The program update checker (secondary impact) is only compiled inside of:

#if defined(Q_OS_WIN) || defined(Q_OS_MACOS)

So:

Primary impact: inapplicable for two reasons: a) Windows specific, b) requires Python to not be available, but Gentoo requires Python.

Secondary impact: limited to Gentoo Prefix on macOS. Requires a user of Gentoo Prefix to trust a download URL to download a prebuilt executable (dmg?) instead of cp'ing the ebuild to bump the version and running "pkgdev manifest". Note as well that this package provides USE="verify-sig" support.

Tertiary impact: defined as only relevant to qbittorrent 4.1.6 and under, and makes CVE-2019-13640 worse. Since we don't package that version, it doesn't matter to us.
As Eli pointed out, the primary and tertiary impacts do not affect us.

The secondary impact requires:
1. MITM or DNS spoofing
2. the user to use RSS (it's disabled by default)
and affects Prefix users on macOS.

What the researcher calls "Browser Hijacking + Executable Download" seems not to be likely to happen in my opinion. If someone uses a "third party" package manager on macOS, they probably avoid installing software manually. If someone uses a source-based package manager in general, I think that they will avoid downloading updates in a binary form.

What the researcher calls "RSS Feeds (Arbitrary URL injection)" is in my opinion the biggest threat here. I am unfamiliar with this feature, so I do not have much to write about it.

The source claims that this affects all builds between 3.2.1 and 5.0.0 (inclusive), so I suggest changing the title to include <= 5.0.0.

I will make a PR adding 5.0.1 and dropping 5.0.0.
(In reply to Filip Kobierski from comment #2)

Thank you both for explaining!

> The source claims that this affects all builds between 3.2.1 and 5.0.0
> (inclusive), so I suggest changing the title to include <= 5.0.0.

Per https://wiki.gentoo.org/wiki/Project:Security/GLSA_Coordinator_Guide#Bug_summary_rules, for security bugs, the rule is "first fixed version _in tree_".
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dcbf7ae2732a812ff5219eb96d145dd07b1dcefe

commit dcbf7ae2732a812ff5219eb96d145dd07b1dcefe
Author:     Filip Kobierski <fkobi@pm.me>
AuthorDate: 2024-10-31 13:58:18 +0000
Commit:     Eli Schwartz <eschwartz@gentoo.org>
CommitDate: 2024-11-01 16:24:41 +0000

    net-p2p/qbittorrent: add 5.0.1

    Bug: https://bugs.gentoo.org/942569
    Signed-off-by: Filip Kobierski <fkobi@pm.me>
    Closes: https://github.com/gentoo/gentoo/pull/39172
    Signed-off-by: Eli Schwartz <eschwartz@gentoo.org>

 net-p2p/qbittorrent/Manifest                 |   2 +
 net-p2p/qbittorrent/qbittorrent-5.0.1.ebuild | 135 +++++++++++++++++++++++++++
 2 files changed, 137 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=57c41e454c9310e6a5975c42af131e96ee8db570

commit 57c41e454c9310e6a5975c42af131e96ee8db570
Author:     Filip Kobierski <fkobi@pm.me>
AuthorDate: 2024-10-31 13:44:08 +0000
Commit:     Eli Schwartz <eschwartz@gentoo.org>
CommitDate: 2024-11-01 16:24:41 +0000

    net-p2p/qbittorrent: drop 5.0.0 due to vulnerability

    It was never stable

    Bug: https://bugs.gentoo.org/942569
    Signed-off-by: Filip Kobierski <fkobi@pm.me>
    Signed-off-by: Eli Schwartz <eschwartz@gentoo.org>

 net-p2p/qbittorrent/Manifest                 |   2 -
 net-p2p/qbittorrent/qbittorrent-5.0.0.ebuild | 135 ---------------------------
 2 files changed, 137 deletions(-)
Created attachment 907813 [details, diff]
qt5-qbittorrent-github-3d9e9715b4660b8f57c3648a62a4d83c67db9de5-backport.patch

Here's a backport of the fix for qbittorrent-4.6.7, the last one with qt5 support.
(In reply to stefan11111 from comment #5)
> Created attachment 907813 [details, diff]
> qt5-qbittorrent-github-3d9e9715b4660b8f57c3648a62a4d83c67db9de5-backport.patch
>
> Here's a backport of the fix for qbittorrent-4.6.7, the last one with qt5
> support.

Opened a PR with this backport: https://github.com/gentoo/gentoo/pull/39194
(In reply to stefan11111 from comment #6)
> (In reply to stefan11111 from comment #5)
> > Created attachment 907813 [details, diff]
> > qt5-qbittorrent-github-3d9e9715b4660b8f57c3648a62a4d83c67db9de5-backport.patch
> >
> > Here's a backport of the fix for qbittorrent-4.6.7, the last one with qt5
> > support.
>
> Opened a PR with this backport:
> https://github.com/gentoo/gentoo/pull/39194

Opened a new PR, after I was given some suggestions in the first PR: https://github.com/gentoo/gentoo/pull/39198
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a9f0b164f2c0df3304af6e8f5ffa388c85cf401d

commit a9f0b164f2c0df3304af6e8f5ffa388c85cf401d
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2025-01-28 19:44:36 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2025-02-02 09:11:18 +0000

    net-p2p/qbittorrent: drop 4.6.7

    Closes: https://github.com/gentoo/gentoo/pull/39198
    Bug: https://bugs.gentoo.org/942569
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 net-p2p/qbittorrent/Manifest                 |   2 -
 net-p2p/qbittorrent/qbittorrent-4.6.7.ebuild | 145 ---------------------------
 2 files changed, 147 deletions(-)
We done now?
(In reply to Eli Schwartz from comment #9)
> We done now?

Yes, thanks!