Bug 505523 (CVE-2009-1760)

Summary: CVE-2009-1760 rb_libtorrent: arbitrary file overwrite vulnerability
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: peter
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1760
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-03-29 09:16:38 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Tomas Hoger 2009-06-12 08:43:25 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1760 to the following vulnerability:

Directory traversal vulnerability in src/torrent_info.cpp in Rasterbar
libtorrent before 0.14.4, as used in firetorrent, qBittorrent, deluge
Torrent, and other applications, allows remote attackers to create or
overwrite arbitrary files via a .. (dot dot) and partial relative
pathname in a Multiple File Mode list element in a .torrent file.

References:
http://www.securityfocus.com/archive/1/archive/1/504151/100/0/threaded
http://census-labs.com/news/2009/06/08/libtorrent-rasterbar/

Fixed upstream in 0.14.4 and should be in 0.13.2 when released:
http://sourceforge.net/project/shownotes.php?group_id=79942&release_id=686456

Upstream commits:
http://code.rasterbar.com/libtorrent/changeset/3580 (0.14.x and trunk)
http://code.rasterbar.com/libtorrent/changeset/3621 (0.13.x)

0.14.4 is already in Rawhide/F12, so F9-F11.
Comment 1 Fedora Update System 2009-06-14 19:05:10 UTC 
rb_libtorrent-0.14.3-2.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/rb_libtorrent-0.14.3-2.fc11
Comment 2 Fedora Update System 2009-06-14 20:43:42 UTC 
rb_libtorrent-0.13.1-5.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/rb_libtorrent-0.13.1-5.fc10
Comment 3 Fedora Update System 2009-06-15 09:22:59 UTC 
rb_libtorrent-0.12.1-2.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/rb_libtorrent-0.12.1-2.fc9
Comment 4 Fedora Update System 2009-06-18 07:58:31 UTC 
deluge-1.1.9-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/deluge-1.1.9-1.fc10
Comment 5 Tomas Hoger 2009-06-18 08:12:54 UTC 
Peter, can deluge by linked against system rb_libtorrent to avoid the need to update both packages for each bug / issue in rb_libtorrent?
Comment 6 Fedora Update System 2009-06-18 08:41:21 UTC 
deluge-0.5.9.3-2.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/deluge-0.5.9.3-2.fc9
Comment 7 Peter Gordon 2009-06-18 16:55:27 UTC 
Unfortunately, Deluge requires a lot of fairly recent API in libtorrent, which means it can only build against the system copy if it (rb_libtorrent) is 0.14+. Otherwise, it uses an internal copy which is itself an 0.14.x snapshot. :-/
Comment 8 Fedora Update System 2009-06-27 02:49:58 UTC 
rb_libtorrent-0.13.1-5.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2009-06-27 02:51:02 UTC 
deluge-1.1.9-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2009-06-27 02:51:12 UTC 
rb_libtorrent-0.12.1-2.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2009-06-27 02:51:49 UTC 
rb_libtorrent-0.14.3-2.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2009-06-27 02:57:37 UTC 
deluge-0.5.9.3-2.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.