+++ This bug was initially created as a clone of Bug #273156 +++
libtorrent (rasterbar) before 0.14.4 does not sufficiently verify the filenames in a .torrent file, allowing it to overwrite files outside the chosen download location via "../" characters.
Deluge ships a copy of rb_libtorrent.
upstream: 1.1.9 has been released to address this.
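The filename check described in this report, as an added example (not part of the bug report, and not libtorrent or Deluge code): it validates every file entry of a decoded .torrent "info" dictionary against the chosen download location before anything is written. The names `component_ok` and `unsafe_torrent_paths` and the sample data are assumptions made for illustration; POSIX paths are assumed.

```python
import os

# Constructed sample: a decoded multi-file "info" dictionary from a .torrent.
SAMPLE_INFO = {
    "name": "album",
    "files": [
        {"length": 10, "path": ["disc1", "track01.ogg"]},
        {"length": 10, "path": ["..", "..", "outside.txt"]},
        {"length": 10, "path": ["covers", "../../outside.txt"]},
        {"length": 10, "path": ["/abs", "file"]},
    ],
}

def component_ok(part):
    """A path element must be one plain name: no separators, no dot entries."""
    return (isinstance(part, str) and part not in ("", ".", "..")
            and not any(c in part for c in "/\\\0"))

def unsafe_torrent_paths(info, download_dir):
    """Return the entries of `info` that would be written outside download_dir."""
    root = os.path.realpath(download_dir)
    if "files" in info:                      # multi-file layout
        entries = [[info["name"], *f["path"]] for f in info["files"]]
    else:                                    # single-file layout
        entries = [[info["name"]]]
    rejected = []
    for parts in entries:
        shown = "/".join(str(p) for p in parts)
        if not all(component_ok(p) for p in parts):
            rejected.append(shown)
            continue
        # Resolve symlinks already on disk, then require containment in root.
        target = os.path.realpath(os.path.join(root, *parts))
        if os.path.commonpath([root, target]) != root:
            rejected.append(shown)
    return rejected

if __name__ == "__main__":
    for path in unsafe_torrent_paths(SAMPLE_INFO, "/tmp/downloads"):
        print("rejected:", path)
```

The per-component check rejects "../" and absolute elements outright; the resolved-path check additionally catches entries that pass through a symlink already present in the download directory.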
*deluge-1.1.9 (16 Jun 2009)
16 Jun 2009; Raúl Porcel <email@example.com> +deluge-1.1.9.ebuild,
Version bump, add missing dep wrt #273444
Arches, please test and mark stable:
Target keywords : "amd64 x86"
There is no <net-p2p/deluge-1.1.9 in portage any more.
This was published as glsa-200907-14: