Excerpts from the Full Disclosure ML notification at $URL:

Vulnerability Report
Author: Justin C. Klein Keane <justin () madirish net>
Reported: July 19, 2012
CVE-2012-4037

Description of Vulnerability:
-----------------------------
Transmission (http://www.transmissionbt.com) is a popular, cross-platform, open source BitTorrent client. Transmission includes functionality to enable a web-based display of the application. Unfortunately this web-based client doesn't sanitize text from .torrent files that are loaded into the client, resulting in an arbitrary script injection (or cross-site scripting (XSS)) vulnerability.

Impact
------
Clients loading a maliciously crafted .torrent file into Transmission and viewing the web client could be subject to arbitrary script injection, allowing an attacker to run arbitrary code in the context of the victim's web browser. This could lead to privacy compromises (such as if the script "phoned home" to another URL with client information) or client-side attacks (such as drive-by downloads).

Systems affected:
-----------------
Transmission 2.50 on Fedora 17 was tested and shown to be vulnerable, but Transmission is a cross-platform tool, so it is possible versions for other operating systems (such as Mac, Windows, and other Linux) are vulnerable as well.

Mitigating factors:
-------------------
The information displayed via the Transmission web client is loaded via AJAX calls and is entirely event driven. This means malicious scripts must be crafted to exploit the way in which content is dynamically rendered. This presents some barrier, but is easily bypassed by injecting event-driven elements in the display. Malicious script elements in the torrent name are easily visible via the desktop client, but malicious elements in the 'created by' or 'comments' elements are more difficult for end users to detect.

[...]

Vendor Response:
----------------
Upgrade to Transmission 2.61 or later.

[...]
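The advisory above describes torrent metadata (name, comment, created by) being spliced into the web client's DOM as markup. The following added example (not Transmission's code; the field names and RPC-style object are assumptions) shows the vulnerable rendering pattern beside the escaped version, with a constructed crafted-torrent record as input:

```javascript
// Added example, not from the Transmission project. Constructed sample of what a
// torrent record from the web client's AJAX/RPC response could carry when the
// .torrent file's comment and creator fields contain markup.
const sampleTorrent = {
  name: "Fedora-17-x86_64-DVD.iso",
  comment: '<img src=x onerror="alert(1)">',
  creator: 'mktorrent <b onmouseover="alert(2)">1.0</b>',
};

// Vulnerable pattern: untrusted fields concatenated straight into HTML that is
// later assigned to innerHTML. Event-handler attributes fire on render or hover
// even though a bare <script> tag inserted this way would not execute.
function renderUnsafe(t) {
  return '<div class="torrent">' +
    '<span class="name">' + t.name + '</span>' +
    '<span class="comment">' + t.comment + '</span>' +
    '<span class="creator">' + t.creator + '</span></div>';
}

// Fix: treat every torrent field as text. Escape the five HTML-significant
// characters before the value becomes part of markup (in a live DOM, assigning
// element.textContent instead of innerHTML achieves the same result).
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

function renderSafe(t) {
  return '<div class="torrent">' +
    '<span class="name">' + escapeHtml(t.name) + '</span>' +
    '<span class="comment">' + escapeHtml(t.comment) + '</span>' +
    '<span class="creator">' + escapeHtml(t.creator) + '</span></div>';
}

// Regression gate for a test suite: the raw field text must never survive
// rendering as an unescaped tag or inline event handler.
function fieldRenderedAsText(rendered, field) {
  return !rendered.includes(field) && rendered.includes(escapeHtml(field));
}
```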
@net-p2p, Peter, Samuli: may we stabilize =net-p2p/transmission-2.61 ?
(In reply to comment #1)
> @net-p2p, Peter, Samuli: may we stabilize =net-p2p/transmission-2.61 ?

It's not possible because of bug 428272. As in, 2.61 needs x11-libs/gtk+ from ~arch.
(In reply to comment #2)
> (In reply to comment #1)
> > @net-p2p, Peter, Samuli: may we stabilize =net-p2p/transmission-2.61 ?
>
> It's not possible because of bug 428272. As in, 2.61 needs x11-libs/gtk+
> from ~arch.

Bug 428272 has been resolved. Ok to stabilize? Thanks.
(In reply to comment #3)
> (In reply to comment #2)
> > (In reply to comment #1)
> > > @net-p2p, Peter, Samuli: may we stabilize =net-p2p/transmission-2.61 ?
> >
> > It's not possible because of bug 428272. As in, 2.61 needs x11-libs/gtk+
> > from ~arch.
>
> Bug 428272 has been resolved. Ok to stabilize? Thanks.

The build failure from bug 428272 was resolved by setting the x11-libs/gtk+ depend to say >= 3.4, since it's using functions that exist only on >= 3.4. And we don't have a bug open for >=x11-libs/gtk+-3.4 stabilization that this bug could depend on.
The required GTK+ is in the list of bug 427544
Thanks, Samuli.
CVE-2012-4037 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4037): Multiple cross-site scripting (XSS) vulnerabilities in the web client in Transmission before 2.61 allow remote attackers to inject arbitrary web script or HTML via the (1) comment, (2) created by, or (3) name field in a torrent file.
*** Bug 436192 has been marked as a duplicate of this bug. ***
Arches are in the CC list now in bug 427544, so adding here too.
amd64 stable
stable ppc ppc64
x86 stable, last arch!
Thanks, everyone. Closing noglsa for XSS / C4 rating.