** Please note that this issue is confidential and no information should be disclosed until it is made public, see "Whiteboard" for a date **

libtorrent (rasterbar) before 0.14.4 does not sufficiently verify the filenames in a .torrent file, allowing it to overwrite files outside the chosen download location via "../" characters.
0.14 fix: http://code.rasterbar.com/libtorrent/changeset/3580
0.13.2 also contains the fix: http://code.rasterbar.com/libtorrent/changeset/3621
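As an added illustration of the check the report above describes (example code written for this page, not libtorrent's own fix), the following C++ validator rejects .torrent path components that could move a file outside the chosen download location; the function names and sample paths are assumptions.

```cpp
#include <string>
#include <vector>

// A .torrent "path" entry is a list of name components. Each component must
// be a plain file or directory name: no empty names, no "." or "..", and no
// embedded path separators that a client might later interpret.
bool is_safe_component(const std::string& c)
{
    if (c.empty() || c == "." || c == "..") return false;
    if (c.find('/') != std::string::npos) return false;   // POSIX separator
    if (c.find('\\') != std::string::npos) return false;  // Windows separator
    if (c.find('\0') != std::string::npos) return false;  // embedded NUL
    return true;
}

// Join the components under save_path. Returns an empty string (reject the
// entry) if any component could place the target outside save_path.
std::string safe_join(const std::string& save_path,
                      const std::vector<std::string>& components)
{
    if (components.empty()) return "";
    std::string out = save_path;
    for (const std::string& c : components) {
        if (!is_safe_component(c)) return "";
        out += '/';
        out += c;
    }
    return out;
}

// Stand-alone check on constructed inputs (not taken from the bug report).
int main()
{
    const std::string dl = "/home/user/downloads";
    bool ok = true;
    ok = ok && safe_join(dl, {"album", "track01.mp3"}) == dl + "/album/track01.mp3";
    ok = ok && safe_join(dl, {"..", "..", ".bashrc"}).empty();    // "../" traversal
    ok = ok && safe_join(dl, {"x/../../etc", "passwd"}).empty();  // separator inside a name
    ok = ok && safe_join(dl, {"", "file"}).empty();               // empty component
    return ok ? 0 : 1;
}
```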
Created attachment 193879 [details, diff] rb_libtorrent-0.13-CVE-2009-1760.patch backport CVE-2009-1760 fix from r3621
I would consider this upstream; however, we'd like to confirm this with upstream. In the meantime, if you'd like to test the patch (and maybe fix some of the other open bugs? :-) please do so. Also, deluge ships a copy of rb_libtorrent.
(In reply to comment #3)
> I would consider this upstream

s/upstream/public/
*** Bug 273916 has been marked as a duplicate of this bug. ***
(In reply to comment #2)
> Created an attachment (id=193879) [edit]
> rb_libtorrent-0.13-CVE-2009-1760.patch
>
> backport CVE-2009-1760 fix from r3621

This has now been applied to 0.13-r1. Arches, please proceed with stabilizing this revision.
Created attachment 195945 [details] net-libs:rb_libtorrent-0.13-r1:20090628-101729.log

fails testsuite on amd64/x86 (-r0 passed w/o problems):

89kB/s 0: 70kB/s 34kB/s 100% 1 - 79kB/s 26kB/s 100% 1 89555.4
average rate: 89.5554kB/s - 93.7119kB/s
test_swarm.cpp:112"TEST_CHECK failed: "std::fabs(average2 - float(rate_limit)) < rate_limit / 11.f""
done
files deleted
make: *** [check] Error 1
 *
 * ERROR: net-libs/rb_libtorrent-0.13-r1 failed.
 * Call stack:
 *   ebuild.sh, line 49: Called src_test
 *   environment, line 2587: Called _eapi0_src_test
 *   ebuild.sh, line 607: Called die
 * The specific snippet of code:
 *   hasq test $FEATURES && die "Make check failed. See above for details."
 * The die message:
 *   Make check failed. See above for details.

net-libs/rb_libtorrent-0.13-r1 [0.13] USE="-debug -doc"

Portage 2.1.6.13 (default/linux/amd64/2008.0/desktop, gcc-4.3.2, glibc-2.9_p20081201-r2, 2.6.29.5 x86_64)
I tested it with qbittorrent-1.0.0 which works without a problem. So unless someone comes up with a fix for the CVE patch that does not break the tests, we would like to go forward with RESTRICT=test (as much as we don't like the regression). Bumping to a later version is not an option, as that breaks the applications that need this lib, some of which are stable on some arches. (I am working on unmasking 0.14.4 and qbittorrent-1.3.3, but that would also need version bumps of btg and lince (bug 275650), while hrktorrent probably doesn't work with this and has no newer version available.)
Created attachment 196070 [details, diff] test_fix.patch

Sorry, I dropped the test hunks from the backport since they seemed unrelated. This hunk fixes the test, please add to the CVE patch and re-enable tests.
Created attachment 196074 [details, diff] test_fix.patch
Thanks! That patch fixes it. Tests pass now here. As the actual CVE patch was already in this revision, and only the tests failed before, I have not revbumped the ebuild. So Markus/arches please test and proceed with marking 0.13-r1 stable. Thanks!
amd64/x86 stable, all arches done.
Ready to vote, I vote YES.
YES, filed.
The affected
(In reply to comment #0)
> libtorrent (rasterbar) before 0.14.4 does not sufficiently verify the filenames
> in a .torrent file, allowing it to overwrite files outside the chosen download
> location via "../" characters.

There is no <net-libs/rb_libtorrent-0.14.9-r1 in portage any more.
This was published as glsa-200907-14: http://www.gentoo.org/security/en/glsa/glsa-200907-14.xml