
Bug 612144 (CVE-2017-7178)

Summary: <net-p2p/deluge-1.3.14: RCE via CSRF in web UI (CVE-2017-7178)
Product: Gentoo Security
Reporter: Diogo Pereira <sir.suriv>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: k_f, paolo.pedroni, proxy-maint
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: http://seclists.org/fulldisclosure/2017/Mar/6
Whiteboard: C1 [glsa cve]
Package list: net-p2p/deluge-1.3.14 amd64 x86
Runtime testing required: ---

Description Diogo Pereira 2017-03-09 18:13:53 UTC
Deluge 1.3.14
March 6, 2017

Another unexpected bug fix release for 1.3 series.

WebUI users: Highly recommended to upgrade to this release as it contains a fix for CSRF vulnerability that has the real potential to compromise your machine.
Comment 1 Coacher 2017-03-10 01:18:19 UTC
CC'ing security as per:
"WebUI users: Highly recommended to upgrade to this release as it contains a fix for CSRF vulnerability that has the real potential to compromise your machine."
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-03-10 11:40:41 UTC
C instead of B due to the need for the "webinterface" USE flag, which isn't set by default.

@ Maintainer(s): Please bump to >=net-p2p/deluge-1.3.14 and tell us if the new ebuild is already ready for stabilization.
Comment 3 Paolo Pedroni 2017-03-10 11:42:37 UTC
Working on it at this time.
Comment 4 Paolo Pedroni 2017-03-14 12:01:51 UTC
Renaming the current ebuild seems to work fine. As for quick stabilization, the changelog is quite short, so for me it would be fine, but I defer to my proxy maintainer, Kristian Fiskerstrand, for this decision.

I'll make patches for the gentoo tree as soon as he decides.
Comment 5 Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-03-14 12:42:11 UTC
(In reply to Paolo Pedroni from comment #4)
> Renaming current ebuild seems to work fine.

Confirmed, installed updated version on my own system without other modification. See bump info below

> As for quick stabilization, the
> changelog is quite short, so for me it would be fine, but I defer to my
> proxy maintainer, Kristian Fiskerstrand, for this decision.

Quick stabilization for security vuln fixing is OK in that case.
> 
> I'll make patches for the gentoo tree as soon as he decides.

commit 36fa021d53729b7a9f6883729d5255e71f092544
Author: Kristian Fiskerstrand <k_f@gentoo.org>
Date:   Tue Mar 14 13:37:55 2017 +0100

    net-p2p/deluge: Version bump to 1.3.14
    
    Straight version bump for security vulns
    
    Proxied-Maintainer: Paolo Pedroni
    Gentoo-Bug: 612144
    
    Package-Manager: Portage-2.3.3, Repoman-2.3.1
Comment 6 Agostino Sarubbo gentoo-dev 2017-03-14 14:29:13 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-03-17 10:28:18 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2017-03-18 12:55:18 UTC
New GLSA request filed.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2017-03-19 13:17:50 UTC
CVE-2017-7178 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7178):
  CSRF was discovered in the web UI in Deluge 1.3.13. The exploitation
  methodology involves (1) hosting a crafted plugin that executes an arbitrary
  program from its __init__.py file and (2) causing the victim to download,
  install, and enable this plugin.
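The CVE text above describes a CSRF against a web UI whose session cookie alone authorises state-changing calls. The following is an added illustration of the usual mitigation, written for this bug page; it is not Deluge's code and does not describe the 1.3.14 fix. It assumes a hypothetical JSON-RPC style handler served from ORIGIN, a per-session anti-CSRF token sent in an X-CSRF-Token header, and an Origin/Referer check that fails closed when neither header is present. All sample requests are constructed.

```python
"""Added example (hypothetical web UI, not Deluge's code): reject
cross-site state-changing requests by requiring both a same-origin
header and a per-session anti-CSRF token bound to the session cookie."""
import hashlib
import hmac
import os
from typing import Dict, Tuple

ORIGIN = "http://localhost:8112"   # assumed origin the UI is served from
SERVER_SECRET = os.urandom(32)     # per-process secret for token derivation


def issue_token(session_id: str) -> str:
    """Derive a CSRF token from the session id under a server-side secret.

    The token is therefore tied to one session and cannot be guessed by a
    third-party page, which only gets the browser to attach the cookie."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def is_same_origin(headers: Dict[str, str]) -> bool:
    """Check Origin, then Referer, and fail closed if both are absent."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == ORIGIN
    referer = headers.get("Referer")
    if referer is not None:
        return referer.startswith(ORIGIN + "/")
    return False


def check_request(method: str, headers: Dict[str, str],
                  cookies: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether a request may perform a state-changing action."""
    if method in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"           # must have no side effects
    session_id = cookies.get("session")
    if not session_id:
        return False, "no session"
    if not is_same_origin(headers):
        return False, "cross-origin request rejected"
    token = headers.get("X-CSRF-Token", "")
    expected = issue_token(session_id)
    if not hmac.compare_digest(token, expected):   # constant-time compare
        return False, "missing or invalid CSRF token"
    return True, "ok"


# Constructed sample traffic: one legitimate call from the UI page, one
# forged call from another site carrying only the ambient session cookie.
SESSION = {"session": "sess-1234"}
SAMPLE_REQUESTS = {
    "legit": ("POST", {"Origin": ORIGIN, "X-CSRF-Token": issue_token("sess-1234")}, SESSION),
    "forged": ("POST", {"Origin": "http://third-party.invalid"}, SESSION),
    "no_token": ("POST", {"Origin": ORIGIN}, SESSION),
    "read_only": ("GET", {}, SESSION),
}


def run_samples() -> Dict[str, Tuple[bool, str]]:
    """Evaluate every constructed request; only 'legit' and 'read_only' pass."""
    return {name: check_request(*req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in run_samples().items():
        print(f"{name:10s} allowed={allowed} ({reason})")
```

The Origin check alone is not sufficient (older clients may omit it on same-origin POSTs, hence the Referer fallback), and the token alone is not sufficient if it ever leaks to another origin; layering both, and refusing to change state on GET, is the conventional defence for a cookie-authenticated UI.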
Comment 10 Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-03-21 19:22:41 UTC
commit d78e7d6198a91cfe59b41d7aca6f673db321957d
Author: Kristian Fiskerstrand <k_f@gentoo.org>
Date:   Tue Mar 21 20:19:23 2017 +0100

    net-p2p/deluge: Cleanup old versions
    
    Gentoo-Bug: 612144
    
    Package-Manager: Portage-2.3.3, Repoman-2.3.1
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2017-03-28 03:13:34 UTC
This issue was resolved and addressed in
 GLSA 201703-06 at https://security.gentoo.org/glsa/201703-06
by GLSA coordinator Yury German (BlueKnight).