Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 618872 (CVE-2017-9031) - <net-p2p/deluge-1.3.15: Directory Transverse Vulnerability
Summary: <net-p2p/deluge-1.3.15: Directory Transverse Vulnerability
Status: RESOLVED FIXED
Alias: CVE-2017-9031
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: http://dev.deluge-torrent.org/wiki/Re...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks: 619812
  Show dependency tree
 
Reported: 2017-05-18 20:43 UTC by Francis Booth
Modified: 2017-06-13 08:47 UTC (History)
2 users (show)

See Also:
Package list:
net-p2p/deluge-1.3.15
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Francis Booth 2017-05-18 20:43:57 UTC
--- from url --- 

A bug fix release that resolves a few issues introduced in 1.3.14 along with other minor fixes.

*snip*

Deluge WebUI:

Highly recommended to upgrade to this release as it contains a directory traversal security fix that once again has the real potential to compromise your machine.

*snip*

Git Entry

> [WebUI] Check render template files exist and raise 404 if not
> - Check render/* requests match to .html files in the 'render' dir
> - Protects against directory (path) traversal



~ eleix (Security Padawan)



Reproducible: Didn't try
Comment 1 Paolo Pedroni 2017-05-26 10:17:47 UTC
I've been a bit busy at work this past week. I'll take a look at this starting from next tuesday. Sorry...
Comment 2 Paolo Pedroni 2017-05-30 09:49:11 UTC
I've taken a look at it, and renaming the current ebuild should be enough. The changelog is very short, and as far as I'm concerned the new version can go straight to stable.

If my proxy-mantainer can take care of this, I think we're set.
Comment 3 Paolo Pedroni 2017-05-30 10:28:46 UTC
Please consider bug #619812, and apply the ebuild patch there, as well.
Comment 4 Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-06-06 18:27:06 UTC
commit 41ab815fe8887c360dd98fd3d8dec9cbf0ddb11d (HEAD -> master, origin/master, origin/HEAD)
Author: Kristian Fiskerstrand <k_f@gentoo.org>
Date:   Tue Jun 6 20:24:10 2017 +0200

    net-p2p/deluge: New version 1.3.15
    
    Proxied commit
    Thanks-To: Paolo Pedroni
    
    Gentoo-Bug: 619812
    Gentoo-Bug: 618872
    
    Package-Manager: Portage-2.3.5, Repoman-2.3.1
Comment 5 Paolo Pedroni 2017-06-08 10:15:42 UTC
(In reply to Kristian Fiskerstrand from comment #4)
> commit 41ab815fe8887c360dd98fd3d8dec9cbf0ddb11d (HEAD -> master,
> origin/master, origin/HEAD)
> Author: Kristian Fiskerstrand <k_f@gentoo.org>
> Date:   Tue Jun 6 20:24:10 2017 +0200
> 
>     net-p2p/deluge: New version 1.3.15
>     
>     Proxied commit
>     Thanks-To: Paolo Pedroni
>     
>     Gentoo-Bug: 619812
>     Gentoo-Bug: 618872
>     
>     Package-Manager: Portage-2.3.5, Repoman-2.3.1

Thanks. Not straight to stable, tough. Do you prefer to wait for the usual month, before stabilizing it or can we shorten the timeframe a bit, as it's a security bug fix?

The changelog is really short:
- Core
Fix issues with displaying libtorrent single proxy.
Fix libtorrent 1.2 trackers crashing Deluge UIs.
Fix error in torrent priorities causing file priority mismatch in UIs.

- GtkUI
Configure gtkrc to use consistent button ordering on Windows.
Fix column sort state not saved in Thinclient mode.
Fix connection manager error with malformed ip.
Rename SystemTray/Indicator? 'Pause/Resume? All' to 'Pause/Resume? Session'.
Workaround lt single proxy by greying out unused proxy types.

- WebUI
Security Fix: Check render template files exist otherwise raise 404.

- Notification Plugin
Fix webui passing string for int port value.

- AutoAdd Plugin
Add WebUI preferences page detailing lack of configuration via WebUI.

- Label Plugin
Add WebUI preferences page detailing how to configure plugin.

I'd feel confident enough in it to bump it straight to stable, but, of course, I defer to your judgement.
Comment 6 Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-06-08 12:26:00 UTC
(In reply to Paolo Pedroni from comment #5)
> 
> Thanks. Not straight to stable, tough. Do you prefer to wait for the usual
> month, before stabilizing it or can we shorten the timeframe a bit, as it's
> a security bug fix?

Its security fix, so we can ignore the month delay before calling for stabilization from the arch teams. So as maintainer; please go ahead with the stabilization :)
Comment 7 Thomas Deutschmann gentoo-dev 2017-06-08 15:16:06 UTC
(In reply to Paolo Pedroni from comment #5)
> I'd feel confident enough in it to bump it straight to stable, but, of
> course, I defer to your judgement.

So let's do it:


@ Arches,

please test and mark stable: =net-p2p/deluge-1.3.15
Comment 8 Agostino Sarubbo gentoo-dev 2017-06-09 09:45:10 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2017-06-09 10:21:06 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 10 Paolo Pedroni 2017-06-13 06:30:43 UTC
(In reply to Agostino Sarubbo from comment #9)
> x86 stable.
> 
> Maintainer(s), please cleanup.

Please, Kristian, remove the 1.3.14 ebuild. Thanks.
Comment 11 Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-06-13 08:47:10 UTC
commit 581765878084af1a6fabfb7341c7c7c1d4afad30 (HEAD -> master, origin/master, origin/HEAD)
Author: Kristian Fiskerstrand <k_f@gentoo.org>
Date:   Tue Jun 13 10:45:00 2017 +0200

    net-p2p/deluge: Cleanup of 1.3.14
    
    Security cleanup
    
    Gentoo-Proxied-Maintainer: Paolo Pedroni
    Gentoo-Bug: 618872
    
    Package-Manager: Portage-2.3.5, Repoman-2.3.1
Comment 12 Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-06-13 08:47:35 UTC
GLSA Vote: No