
Bug 269605 (CVE-2009-1757)

Summary: <net-p2p/transmission-1.61 potential CSRF security hole for Web Client users (CVE-2009-1757)
Product: Gentoo Security
Reporter: Samuli Suominen (RETIRED) <ssuominen>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.transmissionbt.com/
Whiteboard: C3 [noglsa]
Package list:
Runtime testing required: ---

Description Samuli Suominen (RETIRED) gentoo-dev 2009-05-12 18:11:47 UTC
Transmission 1.61 Released!

All Platforms

    * Close potential CSRF security hole for Web Client users

Transmission 1.53 Released!

All Platforms

    * Close potential CSRF security hole for Web Client users
Comment 1 Samuli Suominen (RETIRED) gentoo-dev 2009-05-12 18:56:59 UTC
+*transmission-1.61 (12 May 2009)
+
+  12 May 2009; Samuli Suominen <ssuominen@gentoo.org>
+  +transmission-1.61.ebuild:
+  Version bump wrt security #269605.

Please test and mark stable.
Comment 2 Christian Faulhammer (RETIRED) gentoo-dev 2009-05-13 10:03:43 UTC
I did something wrong: Using Torrent -> New -> Entering a torrent URI as source -> New leads to a segmentation fault in all transmission versions (no regression, just for your information).  And that's wrong anyway. :)
Comment 3 Samuli Suominen (RETIRED) gentoo-dev 2009-05-13 10:09:00 UTC
(In reply to comment #2)
> I did something wrong: Using Torrent -> New -> Entering a torrent URI as source
> -> New leads to a segmentation fault in all transmission versions (no
> regression, just for your information).  And that's wrong anyway. :)
> 

Thanks, I will try to reproduce this and will report it to transmissionbt's trac (which I'm registered in).
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2009-05-13 10:15:27 UTC
x86 stable
Comment 5 Markus Meier gentoo-dev 2009-05-13 18:31:49 UTC
amd64 stable
Comment 6 Joe Jezak (RETIRED) gentoo-dev 2009-05-14 18:40:50 UTC
Marked ppc stable.
Comment 7 Samuli Suominen (RETIRED) gentoo-dev 2009-05-19 09:24:02 UTC
And vuln. versions removed from tree.
Comment 8 Tobias Heinlein (RETIRED) gentoo-dev 2009-05-22 17:39:31 UTC
Ready for vote, I vote YES.
Comment 9 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-24 17:05:16 UTC
CVE-2009-1757 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1757):
  Cross-site request forgery (CSRF) vulnerability in Transmission 1.5
  before 1.53 and 1.6 before 1.61 allows remote attackers to hijack the
  authentication of unspecified victims via unknown vectors.

Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2009-05-25 19:36:28 UTC
I vote NO. CSRF in a client application that comes with a web interface? ...
Comment 11 Samuli Suominen (RETIRED) gentoo-dev 2009-05-29 07:24:32 UTC
(In reply to comment #10)
> I vote NO. CSRF in a client application that comes with a web interface? ...
> 

Yes, it is.
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2009-06-12 22:21:36 UTC
No, too. Reopen if you feel like it.