644406 – (CVE-2018-5702) <net-p2p/transmission-2.93: Remote code execution (RCE) in rpc session-id via dns rebinding attack (CVE-2018-5702)

Bug 644406 (CVE-2018-5702) - <net-p2p/transmission-2.93: Remote code execution (RCE) in rpc session-id via dns rebinding attack (CVE-2018-5702)

Summary: <net-p2p/transmission-2.93: Remote code execution (RCE) in rpc session-id via...

Status:	RESOLVED FIXED

Alias:	CVE-2018-5702

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High major (vote)
Assignee:	Gentoo Security

URL:	http://www.openwall.com/lists/oss-sec...
Whiteboard:	B1 [glsa+ cve]
Keywords:

Depends on:
Blocks:

Reported:	2018-01-13 00:21 UTC by Hanno Böck
Modified:	2018-06-20 02:24 UTC (History)
CC List:	1 user (show)

See Also:
Package list:	net-p2p/transmission-2.93
Runtime testing required:	---

Flags:	stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Hanno Böck gentoo-dev

2018-01-13 00:21:47 UTC

See
https://github.com/transmission/transmission/pull/468
http://www.openwall.com/lists/oss-security/2018/01/11/1

Transmission uses a local RPC interface that can be used for attacks. Patch available in the pull request.

Comment 1 Larry the Git Cow gentoo-dev

2018-01-13 22:00:26 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1c26accdac5c7872b9215fc3a99adcc57a71eebf

commit 1c26accdac5c7872b9215fc3a99adcc57a71eebf
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2018-01-13 21:54:39 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2018-01-13 22:00:20 +0000

    net-p2p/transmission: backport rpc host check
    
    Bug: https://bugs.gentoo.org/644406
    Package-Manager: Portage-2.3.19_p11, Repoman-2.3.6_p45

 .../files/transmission-2.92-pr468.patch            | 302 +++++++++++++++++++++
 net-p2p/transmission/transmission-2.92-r3.ebuild   | 165 +++++++++++
 2 files changed, 467 insertions(+)}

Comment 2 Mike Gilbert gentoo-dev

2018-01-13 22:02:01 UTC

Ok to stabilize.

Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev

2018-02-21 23:37:09 UTC

@ Maintainer(s): Should we go with =net-p2p/transmission-2.92-r3 or can we pick =net-p2p/transmission-2.93?

Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev

2018-03-11 02:18:37 UTC

x86 stable

Comment 5 Mikle Kolyada (RETIRED) archtester

2018-03-11 10:00:38 UTC

amd64 stable

Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev

2018-03-20 08:00:41 UTC

ppc stable

Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev

2018-03-28 23:19:56 UTC

ppc64 stable

Comment 8 Aaron Bauman (RETIRED) gentoo-dev

2018-06-11 15:35:10 UTC

@maintainer, please drop vulnerable

Comment 9 GLSAMaker/CVETool Bot gentoo-dev

2018-06-20 00:29:09 UTC

This issue was resolved and addressed in
 GLSA 201806-07 at https://security.gentoo.org/glsa/201806-07
by GLSA coordinator Aaron Bauman (b-man).