Bug 1429530 (CVE-2017-6503, CVE-2017-6504)

Summary: CVE-2017-6504 CVE-2017-6503 qbittorrent: Multiple security issues
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: carnil, dchris, fale
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: qbittorrent 3.3.11 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:08:31 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1429835, 1429836    
Bug Blocks:    

Description Andrej Nemec 2017-03-06 14:30:31 UTC 
Multiple security issues were found in qbittorrent and fixed in the latest version.

CVE-2017-6503 - WebUI in qBittorrent before 3.3.11 did not escape many values, which
could potentially lead to XSS.

Upstream patch:

https://github.com/qbittorrent/qBittorrent/commit/6ca3e4f094da0a0017cb2d483ec1db6176bb0b16

CVE-2017-6504 - WebUI in qBittorrent before 3.3.11 did not set the X-Frame-Options
header, which could potentially lead to clickjacking.

Upstream patch:

https://github.com/qbittorrent/qBittorrent/commit/f5ad04766f4abaa78374ff03704316f8ce04627d

References:

https://www.qbittorrent.org/news.php
Comment 1 Salvatore Bonaccorso 2017-03-06 16:54:02 UTC 
Hi Andrej

Above you referenced the smae commit for both CVE-2017-6503 and CVE-2017-6504. I think the one for CVE-2017-6504 is

https://github.com/qbittorrent/qBittorrent/commit/f5ad04766f4abaa78374ff03704316f8ce04627d

can you please update the reference?

Regards,
Salvatore
Comment 2 Andrej Nemec 2017-03-07 09:14:19 UTC 
(In reply to Salvatore Bonaccorso from comment #1)
> Hi Andrej
> 
> Above you referenced the smae commit for both CVE-2017-6503 and
> CVE-2017-6504. I think the one for CVE-2017-6504 is
> 
> https://github.com/qbittorrent/qBittorrent/commit/
> f5ad04766f4abaa78374ff03704316f8ce04627d
> 
> can you please update the reference?
> 
> Regards,
> Salvatore

Hi Salvatore,

Thanks for catching this! I indeed made a mistake and linked to the same patch twice. Fixed now.
Comment 3 Andrej Nemec 2017-03-07 09:14:39 UTC 
Created qbittorrent tracking bugs for this issue:

Affects: epel-7 [bug 1429835]
Affects: fedora-all [bug 1429836]
Comment 4 Product Security DevOps Team 2019-06-08 03:08:31 UTC 
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.