Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 193879 Details for
Bug 273156
<net-libs/rb_libtorrent-0.13-r1: Directory traversal (CVE-2009-1760)
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
rb_libtorrent-0.13-CVE-2009-1760.patch
rb_libtorrent-0.13-CVE-2009-1760.patch (text/plain), 2.38 KB, created by
Robert Buchholz (RETIRED)
on 2009-06-08 10:53:29 UTC
(
hide
)
Description:
rb_libtorrent-0.13-CVE-2009-1760.patch
Filename:
MIME Type:
Creator:
Robert Buchholz (RETIRED)
Created:
2009-06-08 10:53:29 UTC
Size:
2.38 KB
patch
obsolete
>From 160ea4fe2beb1d433c96fc432772fd0122421c95 Mon Sep 17 00:00:00 2001 >From: Robert Buchholz <rbu@gentoo.org> >Date: Mon, 8 Jun 2009 12:04:41 +0200 >Subject: [PATCH] backport CVE-2009-1760 fix from r3621 > >--- > src/torrent_info.cpp | 47 ++++++++++++++++++++++++++++------------------- > 1 files changed, 28 insertions(+), 19 deletions(-) > >diff --git a/src/torrent_info.cpp b/src/torrent_info.cpp >index 57c8a97..fc6d284 100755 >--- a/src/torrent_info.cpp >+++ b/src/torrent_info.cpp >@@ -39,6 +39,7 @@ POSSIBILITY OF SUCH DAMAGE. > #include <iterator> > #include <algorithm> > #include <set> >+#include <string> > > #ifdef _MSC_VER > #pragma warning(push, 1) >@@ -74,6 +75,29 @@ namespace > str += 0x80 | (chr & 0x3f); > } > >+ bool valid_path_element(std::string const& element) >+ { >+ if (element.empty() >+ || element == "." || element == ".." >+ || element[0] == '/' || element[0] == '\\' >+ || element[element.size()-1] == ':') >+ return false; >+ return true; >+ } >+ >+ fs::path sanitize_path(fs::path const& p) >+ { >+ fs::path new_path; >+ for (fs::path::const_iterator i = p.begin(); i != p.end(); ++i) >+ { >+ if (!valid_path_element(*i)) continue; >+ std::string pe = *i; >+ new_path /= pe; >+ } >+ TORRENT_ASSERT(!new_path.is_complete()); >+ return new_path; >+ } >+ > void verify_encoding(file_entry& target) > { > std::string tmp_path; >@@ -184,9 +208,9 @@ namespace > for (entry::list_type::const_iterator i = list->begin(); > i != list->end(); ++i) > { >- if (i->string() != "..") >- target.path /= i->string(); >+ target.path /= i->string(); > } >+ target.path = sanitize_path(target.path); > verify_encoding(target); > if (target.path.is_complete()) throw std::runtime_error("torrent contains " > "a file with an absolute path: '" >@@ -349,23 +373,8 @@ namespace libtorrent > else > { m_name = info["name"].string(); } > >- fs::path tmp = m_name; >- if (tmp.is_complete()) >- { >- m_name = tmp.leaf(); >- } >- else if (tmp.has_branch_path()) >- { >- fs::path p; >- for (fs::path::iterator i = tmp.begin() >- , end(tmp.end()); i != end; ++i) >- { >- if (*i == "." || *i == "..") continue; >- p /= *i; >- } >- m_name = p.string(); >- } >- if (m_name == ".." || m_name == ".") >+ m_name = sanitize_path(m_name).string(); >+ if (!valid_path_element(m_name)) > throw std::runtime_error("invalid 'name' of torrent (possible exploit attempt)"); > > // extract file list >-- >1.6.3.1 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 273156
: 193879 |
195945
|
196070
|
196074