Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 273961 - <net-p2p/deluge-1.1.9 libtorrent Directory traversal (CVE-2009-1760)
Summary: <net-p2p/deluge-1.1.9 libtorrent Directory traversal (CVE-2009-1760)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Depends on: CVE-2009-1760
  Show dependency tree
Reported: 2009-06-13 08:44 UTC by Robert Buchholz (RETIRED)
Modified: 2011-01-10 18:36 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2009-06-13 08:44:17 UTC
+++ This bug was initially created as a clone of Bug #273156 +++

libtorrent (rasterbar) before 0.14.4 does not sufficiently verify the filenames in a .torrent file, allowing it to overwrite files outside the chosen download location via "../" characters.

Deluge ships a copy of rb_libtorrent.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-07-10 10:58:31 UTC
upstream: 1.1.9 has been released to address this.

*deluge-1.1.9 (16 Jun 2009)

  16 Jun 2009; Raúl Porcel <> +deluge-1.1.9.ebuild,
  Version bump, add missing dep wrt #273444
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-07-10 10:59:10 UTC
Arches, please test and mark stable:
Target keywords : "amd64 x86"
Comment 3 Christian Faulhammer (RETIRED) gentoo-dev 2009-07-14 20:20:53 UTC
x86 stable
Comment 4 Thomas Anderson (tanderson) (RETIRED) gentoo-dev 2009-07-16 18:29:45 UTC
amd64 stable.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2009-07-16 20:16:26 UTC
glsa: YES
Comment 6 Jaak Ristioja 2010-07-23 08:59:20 UTC
There is no <net-p2p/deluge-1.1.9 in portage any more.
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2011-01-10 18:36:09 UTC
This was published as glsa-200907-14: