516822 – <net-p2p/transmission-2.84: peer communication vulnerability (CVE-2014-4909)

Bug 516822 - <net-p2p/transmission-2.84: peer communication vulnerability (CVE-2014-4909)

Summary: <net-p2p/transmission-2.84: peer communication vulnerability (CVE-2014-4909)

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:
Whiteboard:	B4 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2014-07-10 05:00 UTC by Samuli Suominen (RETIRED)
Modified:	2015-01-11 00:12 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Samuli Suominen (RETIRED) gentoo-dev

2014-07-10 05:00:41 UTC

2.84 is same as 2.83 but with security bug fixed:

http://trac.transmissionbt.com/wiki/Changes#version-2.84

Transmission 2.84 (2014/07/01)

Fix peer communication vulnerability (no known exploits) reported by Ben Hawkes

Comment 1 Samuli Suominen (RETIRED) gentoo-dev

2014-07-10 05:02:37 UTC

Please test and stabilize:

=net-p2p/transmission-2.84

Comment 2 Yury German Gentoo Infrastructure

2014-07-10 06:05:01 UTC

Tried to find the vulnerability. This looks like it:

 proof-of-concept for tr_bitfieldEnsureNthBitAlloced overflow:

     tr_bitfieldEnsureBitsAlloced (b, nth + 1);
     ...
     b->bits[nth >> 3u] |= (0x80 >> (nth & 7u));

   results in a 1-bit out-of-bound write at constant address 0x1fffffff
   
   affects 32-bit systems only due to int index being cast to size_t nth

   its also possible to trigger the write relative to an allocated chunk
   by sending a valid response to the first piece request and triggering
   the bug on the second piece request (such that b->bits is allocated)

   submission acts as a seeding peer for the provided torrent file

   by default, transmission clients will use uTP and encryption, which
   submission doesn't support. tested using the following client:

     transmission-2.83/daemon/transmission-daemon -et --no-utp -f -c .

   thanks!

   - hawkes (hawkes@inertiawar.com)

Comment 3 Yury German Gentoo Infrastructure

2014-07-10 06:08:32 UTC

Arches, please test and mark stable:

=net-p2p/transmission-2.84

Target Keywords : "amd64 ppc ppc64 x86"

Thank you!

Comment 4 Agostino Sarubbo gentoo-dev

2014-07-12 10:55:20 UTC

amd64 stable

Comment 5 Agostino Sarubbo gentoo-dev

2014-07-12 10:55:40 UTC

x86 stable

Comment 6 Agostino Sarubbo gentoo-dev

2014-08-08 21:35:57 UTC

ppc stable

Comment 7 Agostino Sarubbo gentoo-dev

2014-08-09 10:49:12 UTC

ppc64 stable.

Maintainer(s), please cleanup.
Security, please vote.

Comment 8 Samuli Suominen (RETIRED) gentoo-dev

2014-08-10 05:17:21 UTC

cleanup done

Comment 9 Yury German Gentoo Infrastructure

2014-08-17 05:50:22 UTC

Arches and Maintainer(s), Thank you for your work.

GLSA Vote: No

Comment 10 Kristian Fiskerstrand (RETIRED) gentoo-dev

2014-08-25 20:16:17 UTC

GLSA vote: No

Comment 11 GLSAMaker/CVETool Bot gentoo-dev

2015-01-11 00:12:23 UTC

CVE-2014-4909 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4909):
  Integer overflow in the tr_bitfieldEnsureNthBitAlloced function in
  bitfield.c in Transmission before 2.84 allows remote attackers to cause a
  denial of service and possibly execute arbitrary code via a crafted peer
  message, which triggers an out-of-bounds write.