Bug 273156 (CVE-2009-1760) - <net-libs/rb_libtorrent-0.13-r1: Directory traversal (CVE-2009-1760)
Summary: <net-libs/rb_libtorrent-0.13-r1: Directory traversal (CVE-2009-1760)
Alias: CVE-2009-1760
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Duplicates: 273916
Depends on:
Blocks: 273961
Reported: 2009-06-08 09:48 UTC by Robert Buchholz (RETIRED)
Modified: 2011-01-10 18:35 UTC (History)

See Also:
Package list:
Runtime testing required: ---

Attachments:
rb_libtorrent-0.13-CVE-2009-1760.patch (2.38 KB, patch) - 2009-06-08 10:53 UTC, Robert Buchholz (RETIRED)
net-libs:rb_libtorrent-0.13-r1:20090628-101729.log (207.96 KB, text/plain) - 2009-06-28 11:50 UTC, Markus Meier
test_fix.patch (468 bytes, patch) - 2009-06-29 13:35 UTC, Robert Buchholz (RETIRED)
test_fix.patch (710 bytes, patch) - 2009-06-29 13:41 UTC, Robert Buchholz (RETIRED)

Description Robert Buchholz (RETIRED) gentoo-dev 2009-06-08 09:48:12 UTC
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

libtorrent (rasterbar) before 0.14.4 does not sufficiently verify the filenames in a .torrent file, allowing it to overwrite files outside the chosen download location via "../" characters.
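The class of check the fix in this bug adds, as an added example that is not libtorrent code and not the attached patch: a multi-file .torrent carries each file as a list of path components, and a single-file torrent carries a top-level "name"; every such component must be validated before it is joined onto the download directory. The function and variable names below, and the sample paths, are constructed for illustration.

```cpp
// Added example (not libtorrent's own code): validating the per-file path
// components from a .torrent "files" entry (and the top-level "name") before
// joining them to the chosen download directory. The vulnerability in this
// bug is exactly the missing check: a component of ".." lets the torrent
// write outside save_dir.
#include <iostream>
#include <string>
#include <vector>

// A component is acceptable only if it is a plain relative file name:
// not empty, not "." or "..", and carrying no separator or NUL byte.
bool component_ok(const std::string& c) {
    if (c.empty() || c == "." || c == "..") return false;
    if (c.find('/') != std::string::npos) return false;
    if (c.find('\\') != std::string::npos) return false;  // Windows separator
    if (c.find('\0') != std::string::npos) return false;
    return true;
}

// Naive join that trusts the torrent's components, shown only to contrast
// with safe_join below. With {"..", "..", ".ssh", "authorized_keys"} this
// yields a path outside save_dir.
std::string naive_join(const std::string& save_dir,
                       const std::vector<std::string>& parts) {
    std::string p = save_dir;
    for (const auto& c : parts) p += "/" + c;
    return p;
}

// Hardened join: every component is validated first. Returns the joined
// path, or an empty string if the torrent entry must be rejected (empty
// string is used as the rejection sentinel in this example).
std::string safe_join(const std::string& save_dir,
                      const std::vector<std::string>& parts) {
    if (save_dir.empty() || parts.empty()) return "";
    std::string p = save_dir;
    for (const auto& c : parts) {
        if (!component_ok(c)) return "";
        p += "/" + c;
    }
    // Belt and braces: the result must still sit under save_dir.
    if (p.compare(0, save_dir.size() + 1, save_dir + "/") != 0) return "";
    return p;
}

int main() {
    // Constructed sample entries, as a malicious .torrent might carry them.
    const std::string save_dir = "/home/user/downloads";
    const std::vector<std::string> benign = {"album", "track01.mp3"};
    const std::vector<std::string> traversal = {"..", "..", ".ssh", "authorized_keys"};

    std::cout << "naive, traversal: " << naive_join(save_dir, traversal) << "\n";
    std::cout << "safe, benign:     " << safe_join(save_dir, benign) << "\n";
    std::cout << "safe, traversal:  "
              << (safe_join(save_dir, traversal).empty() ? "rejected" : "accepted")
              << "\n";
    return 0;
}
```

The same component_ok check applies to the torrent's top-level "name", which clients use as the directory for a multi-file torrent. Rejecting embedded separators inside a single component matters as much as rejecting "..": a component such as "a/../../etc" would pass a check that only compares whole components against "..".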
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-06-08 10:53:06 UTC
0.14 fix:

0.13.2 also contains the fix:
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-06-08 10:53:29 UTC
Created attachment 193879

backport CVE-2009-1760 fix from r3621
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-06-08 10:55:13 UTC
I would consider this upstream, however we'd like to confirm this with upstream. In the meantime, if you like to test the patch (and maybe fix some of the other open bugs? :-) please do so.
Also, deluge ships a copy of rb_libtorrent.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-06-08 10:55:34 UTC
(In reply to comment #3)
> I would consider this upstream

Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2009-06-13 08:40:26 UTC
*** Bug 273916 has been marked as a duplicate of this bug. ***
Comment 6 Ben de Groot (RETIRED) gentoo-dev 2009-06-28 00:16:27 UTC
(In reply to comment #2)
> Created an attachment (id=193879)
> rb_libtorrent-0.13-CVE-2009-1760.patch
> backport CVE-2009-1760 fix from r3621

This has now been applied to 0.13-r1. 
Arches, please proceed with stabilizing this revision.
Comment 7 Markus Meier gentoo-dev 2009-06-28 11:50:50 UTC
Created attachment 195945

fails testsuite on amd64/x86 (-r0 passed w/o problems):

89kB/s 0: 70kB/s 34kB/s 100% 1 - 79kB/s 26kB/s 100% 1
average rate: 89.5554kB/s - 93.7119kB/s
test_swarm.cpp:112"TEST_CHECK failed: "std::fabs(average2 - float(rate_limit)) < rate_limit / 11.f""
files deleted
make: *** [check] Error 1
 * ERROR: net-libs/rb_libtorrent-0.13-r1 failed.
 * Call stack:
 *     , line   49:  Called src_test
 *             environment, line 2587:  Called _eapi0_src_test
 *     , line  607:  Called die
 * The specific snippet of code:
 *                      hasq test $FEATURES && die "Make check failed. See above for details."
 *  The die message:
 *   Make check failed. See above for details.

net-libs/rb_libtorrent-0.13-r1 [0.13] USE="-debug -doc"

Portage (default/linux/amd64/2008.0/desktop, gcc-4.3.2, glibc-2.9_p20081201-r2, x86_64)
System uname: Linux-
Timestamp of tree: Sun, 28 Jun 2009 08:00:18 +0000
app-shells/bash:     3.2_p39
dev-java/java-config: 2.1.7
dev-lang/python:     2.4.6, 2.5.4-r2
dev-python/pycrypto: 2.0.1-r8
dev-util/cmake:      2.6.4
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.13, 2.63
sys-devel/automake:  1.4_p6, 1.5, 1.7.9-r1, 1.9.6-r2, 1.10.2
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.27-r2
CFLAGS="-O2 -pipe"
CONFIG_PROTECT="/etc /opt/openfire/resources/security/ /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-O2 -pipe"
FEATURES="collision-protect distlocks fixpackages multilib-strict parallel-fetch protect-owned sandbox sfperms strict test unmerge-orphans userfetch userpriv usersandbox"
LINGUAS="en en_GB de"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
USE="X acl acpi alsa amd64 apache2 avahi berkdb bluetooth branding bzip2 cairo cdr cli cracklib crypt cups dbus dri dvd dvdr dvdread eds emboss encode esd evo examples fam firefox fortran gdbm gif gnome gpm gstreamer gtk hal iconv ipv6 isdnlog jpeg kde ldap libnotify mad midi mikmod mmx mp3 mpeg mudflap multilib ncurses nls nptl nptlonly nsplugin ogg opengl openmp pam pcre pdf perl png ppds pppd python qt3 qt3support qt4 quicktime readline reflection sdl session source spell spl sse sse2 ssl startup-notification svg sysfs tcpd test tiff truetype unicode usb vorbis xml xorg xulrunner xv zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en en_GB de" USERLAND="GNU" VIDEO_CARDS="fbdev glint i810 intel mach64 mga neomagic nv r128 radeon savage sis tdfx trident vesa vga via vmware voodoo"
Comment 8 Ben de Groot (RETIRED) gentoo-dev 2009-06-29 00:07:14 UTC
I tested it with qbittorrent-1.0.0 which works without a problem. So unless someone comes up with a fix for the CVE patch that does not break the tests, we would like to go forward with RESTRICT=test (as much as we don't like the regression).

Bumping to a later version is no option, as that breaks the applications that need this lib, some of which are stable on some arches.

(I am working on unmasking 0.14.4 and qbittorrent-1.3.3, but that would also need version bumps of btg and lince (bug 275650), while hrktorrent probably doesn't work with this and has no newer version available.)
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2009-06-29 13:35:34 UTC
Created attachment 196070

Sorry, I dropped the test hunks from the backport since they seemed unrelated. This hunk fixes the test, please add to the CVE patch and re-enable tests.
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2009-06-29 13:41:40 UTC
Created attachment 196074
Comment 11 Ben de Groot (RETIRED) gentoo-dev 2009-06-29 19:38:01 UTC
Thanks! That patch fixes it. Tests pass now here. As the actual CVE patch was already in this revision, and only the tests failed before, I have not revbumped the ebuild.

So Markus/arches please test and proceed with marking 0.13-r1 stable. Thanks!
Comment 12 Markus Meier gentoo-dev 2009-06-29 21:26:12 UTC
amd64/x86 stable, all arches done.
Comment 13 Stefan Behte (RETIRED) gentoo-dev Security 2009-06-29 21:35:47 UTC
Ready to vote, I vote YES.
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2009-07-10 10:55:02 UTC
YES, filed.
Comment 15 Jaak Ristioja 2010-07-23 08:53:36 UTC
The affected
(In reply to comment #0)
> libtorrent (rasterbar) before 0.14.4 does not sufficiently verify the filenames
> in a .torrent file, allowing it to overwrite files outside the chosen download
> location via "../" characters.

There is no <net-libs/rb_libtorrent-0.14.9-r1 in portage any more.
Comment 16 Tim Sammut (RETIRED) gentoo-dev 2011-01-10 18:35:25 UTC
This was published as glsa-200907-14: