
Bug 273961

Summary: <net-p2p/deluge-1.1.9 libtorrent Directory traversal (CVE-2009-1760)
Product: Gentoo Security Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: jaak, net-p2p
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://dev.deluge-torrent.org/ticket/961
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 273156    
Bug Blocks:    

Description Robert Buchholz (RETIRED) gentoo-dev 2009-06-13 08:44:17 UTC
+++ This bug was initially created as a clone of Bug #273156 +++

libtorrent (rasterbar) before 0.14.4 does not sufficiently verify the filenames in a .torrent file, allowing it to overwrite files outside the chosen download location via "../" characters.

Deluge ships a copy of rb_libtorrent.
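
An added example, not part of the original bug report and not the actual libtorrent or Deluge fix: one way to perform the filename verification the description says was missing, mapping each file entry to a path that must stay under the download location. It assumes the torrent's `info` dict is already bdecoded to strings in the BEP 3 layout (`name`, `files`, `path`); `safe_destinations`, `check_component`, `UnsafeTorrentPath` and the sample dicts are hypothetical names constructed for illustration.

```python
import os

class UnsafeTorrentPath(ValueError):
    """A file entry in the torrent would be written outside the download root."""

def check_component(comp):
    # A path element must be a plain name: not "", "." or "..", and free of
    # separators (both styles, since torrents cross platforms) and NUL bytes.
    if comp in ("", ".", "..") or any(c in comp for c in "/\\\x00"):
        raise UnsafeTorrentPath("illegal path element: %r" % (comp,))
    return comp

def safe_destinations(info, download_root):
    """Return the on-disk path for every file in a decoded 'info' dict.

    Assumption: 'info' is already bdecoded to str keys/values (BEP 3 layout).
    """
    root = os.path.realpath(download_root)
    name = check_component(info["name"])
    if "files" in info:  # multi-file torrent: name is the top directory
        entries = []
        for f in info["files"]:
            if not f["path"]:
                raise UnsafeTorrentPath("empty path list")
            entries.append([name] + list(f["path"]))
    else:  # single-file torrent: name is the file itself
        entries = [[name]]
    result = []
    for parts in entries:
        dest = os.path.realpath(os.path.join(root, *map(check_component, parts)))
        # Defence in depth: realpath follows symlinks already on disk, so an
        # entry routed through a link that leaves the root is rejected too.
        if os.path.commonpath([root, dest]) != root:
            raise UnsafeTorrentPath("escapes download root: %r" % (parts,))
        result.append(dest)
    return result

# Constructed sample metadata, not taken from any real torrent.
SAMPLE_OK = {"name": "album", "files": [{"path": ["cd1", "track.flac"], "length": 10}]}
SAMPLE_BAD = {"name": "album", "files": [{"path": ["..", "..", "outside.txt"], "length": 10}]}
```

Running the check over every entry before any file is created means a single bad entry rejects the whole torrent instead of leaving a partial download behind.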
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-07-10 10:58:31 UTC
upstream: 1.1.9 has been released to address this.

*deluge-1.1.9 (16 Jun 2009)

  16 Jun 2009; Raúl Porcel <armin76@gentoo.org> +deluge-1.1.9.ebuild,
  deluge-9999.ebuild:
  Version bump, add missing dep wrt #273444
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-07-10 10:59:10 UTC
Arches, please test and mark stable:
=net-p2p/deluge-1.1.9
Target keywords : "amd64 x86"
Comment 3 Christian Faulhammer (RETIRED) gentoo-dev 2009-07-14 20:20:53 UTC
x86 stable
Comment 4 Thomas Anderson (tanderson) (RETIRED) gentoo-dev 2009-07-16 18:29:45 UTC
amd64 stable.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2009-07-16 20:16:26 UTC
glsa: YES
Comment 6 Jaak Ristioja 2010-07-23 08:59:20 UTC
There is no <net-p2p/deluge-1.1.9 in portage any more.
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2011-01-10 18:36:09 UTC
This was published as glsa-200907-14:
http://www.gentoo.org/security/en/glsa/glsa-200907-14.xml