Description: "Use-after-free in libtransmission/variant.c in Transmission before 3.00 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted torrent file." Patch: https://github.com/transmission/transmission/commit/2123adf8e5e1c2b48791f9d22fc8c747e974180e Disclosure: https://tomrichards.net/2020/05/cve-2018-10756-transmission/
@maintainer(s), please bump to 3.00.
*** Bug 718328 has been marked as a duplicate of this bug. ***
Version 3.00 was tagged by a relatively new developer in the upstream community. I am waiting for upstream to provide an official release tarball, and to update their website.
(In reply to Mike Gilbert from comment #3) > Version 3.00 was tagged by a relatively new developer in the upstream > community. > > I am waiting for upstream to provide an official release tarball, and to > update their website. 3.00 looks out now. You may want to look at bug 607336 while at it, if it still applies.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=01a4e92dc9136172e3ef15378790bb12cd617cb1 commit 01a4e92dc9136172e3ef15378790bb12cd617cb1 Author: Mike Gilbert <floppym@gentoo.org> AuthorDate: 2020-05-23 14:09:29 +0000 Commit: Mike Gilbert <floppym@gentoo.org> CommitDate: 2020-05-23 14:14:50 +0000 net-p2p/transmission: bump to 3.00 Closes: https://bugs.gentoo.org/607336 Bug: https://bugs.gentoo.org/723258 Signed-off-by: Mike Gilbert <floppym@gentoo.org> net-p2p/transmission/Manifest | 1 + net-p2p/transmission/transmission-3.00.ebuild | 142 ++++++++++++++++++++++++++ net-p2p/transmission/transmission-9999.ebuild | 10 +- 3 files changed, 144 insertions(+), 9 deletions(-)
Let's give this version a week in ~arch before stabilizing.
(In reply to Mike Gilbert from comment #6) > Let's give this version a week in ~arch before stabilizing. I was going to suggest the same thing. Quite a churn. Cheers!
Unable to check for sanity: > no match for package: net-p2p/transmission-3.00
(In reply to Mike Gilbert from comment #6) > Let's give this version a week in ~arch before stabilizing. How're we looking?
Acked on IRC.
ppc stable
ppc64 stable
x86 stable
amd64 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
ping, please cleanup
This issue was resolved and addressed in GLSA 202007-07 at https://security.gentoo.org/glsa/202007-07 by GLSA coordinator Sam James (sam_c).