Summary: net-p2p/transmission-2.84: peer communication vulnerability (CVE-2014-4909)
Product: Gentoo Security            Reporter: Samuli Suominen (RETIRED) <ssuominen>
Component: Vulnerabilities          Assignee: Gentoo Security <security>
Package list:                       Runtime testing required: ---
Description Samuli Suominen (RETIRED) 2014-07-10 05:00:41 UTC
Comment 1 Samuli Suominen (RETIRED) 2014-07-10 05:02:37 UTC
Please test and stabilize: =net-p2p/transmission-2.84
Comment 2 Yury German 2014-07-10 06:05:01 UTC
Tried to find the vulnerability. This looks like it:

proof-of-concept for tr_bitfieldEnsureNthBitAlloced overflow:

    tr_bitfieldEnsureBitsAlloced (b, nth + 1);
    ...
    b->bits[nth >> 3u] |= (0x80 >> (nth & 7u));

results in a 1-bit out-of-bounds write at constant address 0x1fffffff.
affects 32-bit systems only due to int index being cast to size_t nth.

it's also possible to trigger the write relative to an allocated chunk by sending a valid response to the first piece request and triggering the bug on the second piece request (such that b->bits is allocated).

submission acts as a seeding peer for the provided torrent file.

by default, transmission clients will use uTP and encryption, which submission doesn't support. tested using the following client:

    transmission-2.83/daemon/transmission-daemon -et --no-utp -f -c .

thanks!
- hawkes (email@example.com)
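The arithmetic behind the quoted snippet, as an added illustration that is not Transmission's bitfield.c and not the reporter's proof-of-concept. The struct, the function names and the bit-12 sample index are hypothetical stand-ins chosen to mirror the shape of the quoted code: a negative peer-supplied int becomes SIZE_MAX once cast to size_t, "allocate nth + 1 bits" wraps to 0 and allocates nothing, and the store then lands at byte nth >> 3 (0x1fffffff on a 32-bit build). The unchecked setter is kept only for comparison and is never called with a wrapping index; the checked variant shows one way to harden it, by refusing any nth for which nth + 1 cannot be represented.

```c
/* Hypothetical miniature of the CVE-2014-4909 bitfield logic (added example,
 * not Transmission's code). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    uint8_t *bits;        /* MSB-first packed bits, like tr_bitfield */
    size_t   alloc_count; /* bytes currently allocated in bits */
} bitfield_t;

/* Grow `bits` so it holds at least n bits. n == 0 is a no-op: that is the
 * path a wrapped nth + 1 takes, leaving the buffer unallocated or too small. */
static void ensure_bits_alloced(bitfield_t *b, size_t n)
{
    size_t need = (n + 7u) / 8u;
    if (need <= b->alloc_count)
        return;
    uint8_t *p = realloc(b->bits, need);
    if (p == NULL)
        abort();
    memset(p + b->alloc_count, 0, need - b->alloc_count);
    b->bits = p;
    b->alloc_count = need;
}

/* A peer-supplied index arrives as int; a negative value converted to
 * size_t becomes huge (SIZE_MAX for -1). */
size_t peer_index_to_nth(int index)
{
    return (size_t)index;
}

/* True when the request "allocate nth + 1 bits" silently wraps to 0. */
bool alloc_request_wraps(size_t nth)
{
    return nth + 1 == 0;
}

/* Byte offset the unchecked store would touch. For nth == SIZE_MAX this is
 * 0x1fffffff on a 32-bit build and 0x1fffffffffffffff on a 64-bit one. */
size_t unchecked_target_byte(size_t nth)
{
    return nth >> 3u;
}

/* Same control flow as the quoted pre-2.84 snippet. Never call this with a
 * wrapping nth: the store would go out of bounds. Kept only for comparison. */
void set_bit_unchecked(bitfield_t *b, size_t nth)
{
    ensure_bits_alloced(b, nth + 1);
    b->bits[nth >> 3u] |= (uint8_t)(0x80 >> (nth & 7u));
}

/* Hardened form: reject any nth whose nth + 1 wraps, so the allocation and
 * the store always agree on the buffer size. */
bool set_bit_checked(bitfield_t *b, size_t nth)
{
    if (alloc_request_wraps(nth))
        return false;
    ensure_bits_alloced(b, nth + 1);
    b->bits[nth >> 3u] |= (uint8_t)(0x80 >> (nth & 7u));
    return true;
}

bool test_bit(const bitfield_t *b, size_t nth)
{
    if ((nth >> 3u) >= b->alloc_count)
        return false;
    return (b->bits[nth >> 3u] & (0x80 >> (nth & 7u))) != 0;
}

/* The two-request scenario from the report: a benign first index allocates
 * the buffer, then a hostile index arrives. Returns true when the checked
 * setter rejects it and the existing allocation is left untouched. */
bool demo_hostile_index_rejected(void)
{
    bitfield_t b = {0};
    bool ok = set_bit_checked(&b, 12);        /* benign: allocates 2 bytes */
    size_t before = b.alloc_count;
    size_t hostile = peer_index_to_nth(-1);   /* SIZE_MAX */
    bool rejected = !set_bit_checked(&b, hostile);
    bool unchanged = (b.alloc_count == before) && test_bit(&b, 12);
    free(b.bits);
    return ok && rejected && unchanged;
}

int main(void)
{
    printf("-1 as size_t: 0x%zx  wraps: %d  target byte: 0x%zx\n",
           peer_index_to_nth(-1), (int)alloc_request_wraps(SIZE_MAX),
           unchecked_target_byte(SIZE_MAX));
    printf("hostile index rejected: %s\n",
           demo_hostile_index_rejected() ? "yes" : "no");
    return 0;
}
```

Building the same source with -m32 shows the 32-bit figure from the report (target byte 0x1fffffff); on a 64-bit build the wrap still happens, only the resulting offset differs.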
Comment 3 Yury German 2014-07-10 06:08:32 UTC
Arches, please test and mark stable: =net-p2p/transmission-2.84
Target Keywords: "amd64 ppc ppc64 x86"
Thank you!
Comment 4 Agostino Sarubbo 2014-07-12 10:55:20 UTC
Comment 5 Agostino Sarubbo 2014-07-12 10:55:40 UTC
Comment 6 Agostino Sarubbo 2014-08-08 21:35:57 UTC
Comment 7 Agostino Sarubbo 2014-08-09 10:49:12 UTC
ppc64 stable. Maintainer(s), please cleanup. Security, please vote.
Comment 8 Samuli Suominen (RETIRED) 2014-08-10 05:17:21 UTC
Comment 9 Yury German 2014-08-17 05:50:22 UTC
Arches and Maintainer(s), Thank you for your work. GLSA Vote: No
Comment 10 Kristian Fiskerstrand (RETIRED) 2014-08-25 20:16:17 UTC
GLSA vote: No
Comment 11 GLSAMaker/CVETool Bot 2015-01-11 00:12:23 UTC
CVE-2014-4909 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4909): Integer overflow in the tr_bitfieldEnsureNthBitAlloced function in bitfield.c in Transmission before 2.84 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted peer message, which triggers an out-of-bounds write.