Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 273916

Summary: <net-libs/libtorrent-0.14.4 file overwriting/creation via dot-dot in .torrent file (CVE-2009-1760)
Product: Gentoo Security Reporter: Stefan Behte (RETIRED) <craig>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED DUPLICATE    
Severity: major CC: drizzt, net-p2p
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://sourceforge.net/project/shownotes.php?group_id=79942&release_id=686456
Whiteboard: B1 [ebuild]
Package list:
Runtime testing required: ---

Description Stefan Behte (RETIRED) gentoo-dev Security 2009-06-12 20:49:12 UTC 
CVE-2009-1760 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1760):
  Directory traversal vulnerability in src/torrent_info.cpp in
  Rasterbar libtorrent before 0.14.4, as used in firetorrent,
  qBittorrent, deluge Torrent, and other applications, allows remote
  attackers to create or overwrite arbitrary files via a .. (dot dot)
  and partial relative pathname in a Multiple File Mode list element in
  a .torrent file.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-06-13 08:40:26 UTC 

*** This bug has been marked as a duplicate of bug 273156 ***