Bug 170303 - net-p2p/ktorrent <2.1.3 : unspecified + directory traversal (CVE-2007-{138{4|5}|1799})
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Highest minor
Assignee: Gentoo Security
Whiteboard: B4 [glsa] Falco
Duplicates: 170047 170727
Depends on:
Reported: 2007-03-10 18:43 UTC by Paweł Hajdan, Jr. (RETIRED)
Modified: 2007-05-02 03:03 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---
Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2007-03-10 18:43:51 UTC
"This fixes 2 security vulnerabilities in KTorrent. It would be advisable to upgrade to this release."

See also

19:03 Thursday, KDE
Commit by guisson :: r640661 ktorrent/trunk/extragear/network/ktorrent/ (4 files in 2 dirs):
Fix 2 security vulnerabilities, both were discovered by Bryan Burns of Juniper Networks
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-12 15:22:23 UTC
Thanks for your report.

Adding maintainer for when he is back.
Comment 2 Marijn Schouten (RETIRED) gentoo-dev 2007-03-13 13:32:29 UTC
*** Bug 170047 has been marked as a duplicate of this bug. ***
Comment 3 Marijn Schouten (RETIRED) gentoo-dev 2007-03-13 13:33:52 UTC
*** This bug has been marked as a duplicate of bug 170727 ***
Comment 4 Ioannis Aslanidis (RETIRED) gentoo-dev 2007-03-13 13:49:03 UTC
I think that this one should be kept open.
Comment 5 Ioannis Aslanidis (RETIRED) gentoo-dev 2007-03-13 13:50:13 UTC
I'll try to do it tonight, but no promises... I still have to configure my wireless network here in Barcelona, Spain.
Comment 6 Jakub Moc (RETIRED) gentoo-dev 2007-03-13 14:20:40 UTC
*** Bug 170727 has been marked as a duplicate of this bug. ***
Comment 7 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-14 12:53:57 UTC
Unlike some other distros, we don't mark all security bugs as critical :) tells that this kind of vulnerability should be rated "minor". A "critical" bug must be solved within 3 days only! :)

Comment 8 Ioannis Aslanidis (RETIRED) gentoo-dev 2007-03-14 20:43:39 UTC
Ebuild in CVS. Arches please stabilize asap.
Comment 9 Christian Faulhammer (RETIRED) gentoo-dev 2007-03-14 22:42:26 UTC
x86 stable
Comment 10 Markus Rothe (RETIRED) gentoo-dev 2007-03-15 17:01:56 UTC
ppc64 stable
Comment 11 Gustavo Zacarias (RETIRED) gentoo-dev 2007-03-16 16:49:27 UTC
sparc stable.
Comment 12 Tobias Scherbaum (RETIRED) gentoo-dev 2007-03-20 20:23:40 UTC
ppc stable
Comment 13 Chris Gianelloni (RETIRED) gentoo-dev 2007-03-21 18:38:17 UTC
amd64 done
Comment 14 Ioannis Aslanidis (RETIRED) gentoo-dev 2007-03-21 21:43:14 UTC
I think all arches have marked it stable. What's the next step?
Comment 15 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-22 17:28:57 UTC
This one is ready for GLSA vote.
Comment 16 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-25 07:11:50 UTC
Upstream didn't even bother to mention it in ChangeLogs.

According to the Ubuntu advisory this could lead to the remote execution of arbitrary code or did they fix another problem?
Comment 17 Matt Drew (RETIRED) gentoo-dev 2007-03-25 10:54:22 UTC
In the patch I see two things - one is protecting a counter in ChunkCounter.cpp from going beyond another size value. The other actually has a comment that indicates the change was to protect against directory traversal. I vote yes for GLSA based on Kees' advisory.
Comment 18 Matt Drew (RETIRED) gentoo-dev 2007-03-26 12:42:34 UTC
The directory traversal fix is incomplete. Cases such as '../' being inserted into a bnode string in the path sequence will pass the filter they put in place (which only checks if each string node is == ".."). I've verified this against 2.1.2 in the tree. Deathwing00, can you contact upstream and see if we can get a better fix?

There's a pretty large number of cases that need to be checked - my suggestion would be a "whitelist" of allowed characters in the strings that specify paths.
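Added example, not KTorrent's code or the patch discussed in this bug: a C++ comparison of a check that, like the one Matt describes, rejects a path component only when it equals ".." exactly, beside a whitelist check of the kind he suggests, applied to the per-file path list a multi-file torrent supplies. The function names (weakPathOk, strictPathOk, joinUnder), the allowed character set and the sample path lists are assumptions constructed for this example.

```cpp
// Added example (not KTorrent's code): validating the path components that a
// multi-file torrent's "path" list supplies before they are joined under the
// download directory.
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical name for the kind of check the thread describes as incomplete:
// a component is rejected only when it is exactly "..". A component such as
// "../../etc" is a single string node and passes untouched.
bool weakPathOk(const std::vector<std::string>& parts) {
    for (const auto& p : parts) {
        if (p == "..") return false;
    }
    return true;
}

// Whitelist-based check along the lines suggested in Comment 18 (hypothetical
// name). Each component must be non-empty, must not be "." or "..", and may
// contain only a conservative set of characters, so no separator, traversal
// sequence or NUL byte can be smuggled inside a component.
bool strictPathOk(const std::vector<std::string>& parts) {
    if (parts.empty()) return false;
    for (const auto& p : parts) {
        if (p.empty() || p == "." || p == "..") return false;
        for (unsigned char c : p) {
            bool allowed = std::isalnum(c) || c == '.' || c == '-' ||
                           c == '_' || c == ' ';
            if (!allowed) return false;
        }
    }
    return true;
}

// Join components under the download directory. Callers must run
// strictPathOk first; this function does no validation of its own.
std::string joinUnder(const std::string& base,
                      const std::vector<std::string>& parts) {
    std::string out = base;
    for (const auto& p : parts) out += "/" + p;
    return out;
}

int main() {
    // Constructed sample path lists, as a torrent's "path" entries would
    // decode: one benign, one with a traversal hidden inside a component.
    const std::vector<std::string> benign = {"album", "track01.mp3"};
    const std::vector<std::string> hidden = {"../../etc", "passwd"};
    std::cout << "weak   benign=" << weakPathOk(benign)
              << " hidden=" << weakPathOk(hidden) << '\n';
    std::cout << "strict benign=" << strictPathOk(benign)
              << " hidden=" << strictPathOk(hidden) << '\n';
    if (strictPathOk(benign))
        std::cout << joinUnder("/home/user/downloads", benign) << '\n';
    return 0;
}
```

The weak check accepts the second list because no single node equals "..", which is exactly the bypass reported above; the whitelist rejects it because '/' is not an allowed character, and it also rejects empty and "." components that the equality test never considered.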
Comment 19 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-26 13:44:14 UTC
Thx Matt. Resetting to upstream status until we have a better fix.
Comment 20 Ioannis Aslanidis (RETIRED) gentoo-dev 2007-03-30 17:27:04 UTC
Comment 21 Ioannis Aslanidis (RETIRED) gentoo-dev 2007-04-02 18:37:50 UTC
Version 2.1.3 in CVS.
Comment 22 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-02 19:22:50 UTC
Arches please test and mark stable. Target keywords are:

ktorrent-2.1.3.ebuild:KEYWORDS="amd64 ppc ppc64 sparc x86 ~x86-fbsd"
Comment 23 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-02 19:27:49 UTC
Directory traversal vulnerability in torrent.cpp in KTorrent before 2.1.2 allows remote attackers to overwrite arbitrary files via ".." sequences in a torrent filename.

chunkcounter.cpp in KTorrent before 2.1.2 allows remote attackers to cause a denial of service (crash) and heap corruption via a negative or large idx value.
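Added example, not KTorrent's chunkcounter.cpp: a bounds-checked per-chunk counter in C++ showing the index validation the second fix needs, where a negative or oversized index taken from a peer message is rejected before it is used to index the heap buffer. The class name SafeChunkCounter, its method names and the sample message sequence are constructed for this example.

```cpp
// Added example (not KTorrent's code): a per-chunk counter that validates a
// peer-supplied index before touching its heap-allocated buffer.
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <vector>

// Hypothetical class. Each entry counts how many peers have a given chunk.
class SafeChunkCounter {
public:
    explicit SafeChunkCounter(std::size_t numChunks) : cnt(numChunks, 0) {}

    // The index arrives as a signed value decoded from the wire; anything
    // outside [0, size) is refused instead of being used as an offset.
    bool inc(long long idx) {
        if (!inRange(idx)) return false;
        ++cnt[static_cast<std::size_t>(idx)];
        return true;
    }

    bool dec(long long idx) {
        if (!inRange(idx)) return false;
        std::size_t i = static_cast<std::size_t>(idx);
        if (cnt[i] > 0) --cnt[i];   // never underflow an unsigned count
        return true;
    }

    std::uint32_t get(long long idx) const {
        return inRange(idx) ? cnt[static_cast<std::size_t>(idx)] : 0;
    }

    std::size_t size() const { return cnt.size(); }

private:
    bool inRange(long long idx) const {
        return idx >= 0 &&
               static_cast<unsigned long long>(idx) < cnt.size();
    }
    std::vector<std::uint32_t> cnt;
};

// Feed a constructed sequence of peer "have" indices, including negative and
// oversized ones, and return the resulting count for chunk 3.
std::uint32_t runConstructedSequence() {
    SafeChunkCounter c(8);
    const long long msgs[] = {3, 3, -1, 8, 100000000000LL, 3, 7};
    for (long long m : msgs) c.inc(m);   // out-of-range values are dropped
    return c.get(3);
}

// Count how many indices in the same sequence the counter refused.
int countRejected() {
    SafeChunkCounter c(8);
    const long long msgs[] = {3, 3, -1, 8, 100000000000LL, 3, 7};
    int rejected = 0;
    for (long long m : msgs) {
        if (!c.inc(m)) ++rejected;
    }
    return rejected;
}

int main() {
    std::cout << "chunk 3 seen by " << runConstructedSequence()
              << " peers, " << countRejected() << " indices rejected\n";
    return 0;
}
```

The three refused values (-1, 8 and a very large index) are exactly the shapes the CVE text names: a negative index and an index at or beyond the buffer size, each of which would otherwise read or write outside the allocation.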
Comment 24 Raúl Porcel (RETIRED) gentoo-dev 2007-04-02 22:25:21 UTC
x86 stable
Comment 25 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-03 05:25:57 UTC
Name: CVE-2007-1799

Directory traversal vulnerability in torrent.cpp in KTorrent before
2.1.3 only checks for the ".." string, which allows remote attackers
to overwrite arbitrary files via modified ".." sequences in a torrent
filename, as demonstrated by "../" sequences, due to an incomplete fix
for CVE-2007-1384.
Comment 26 Gustavo Zacarias (RETIRED) gentoo-dev 2007-04-03 21:35:31 UTC
sparc stable.
Comment 27 Tobias Scherbaum (RETIRED) gentoo-dev 2007-04-04 18:29:49 UTC
Once again: ppc stable
Comment 28 Markus Rothe (RETIRED) gentoo-dev 2007-04-04 19:59:57 UTC
ppc64 stable
Comment 29 Marcus D. Hanwell (RETIRED) gentoo-dev 2007-04-09 19:27:26 UTC
Stable on amd64.
Comment 30 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-18 05:47:15 UTC
This one is ready for GLSA decision. I vote NO.
Comment 31 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-04-18 07:15:11 UTC
voting NO.
Comment 32 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-04-23 19:49:55 UTC
I vote yes because I think it's easy to trick a user into browsing his own malicious torrent.
Comment 33 Matt Drew (RETIRED) gentoo-dev 2007-04-24 19:40:37 UTC
I also vote yes - too easy to get a malicious torrent where someone could download it, and it basically gives an attacker write access to any of the user's files.
Comment 34 Matt Drew (RETIRED) gentoo-dev 2007-04-24 19:41:35 UTC
Changing status and submitting GLSA request.
Comment 35 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-05-02 03:03:27 UTC
GLSA 200705-01, thanks everybody