|Summary:||CVE-2010-0748 CVE-2010-0749 Transmission: Two security fixes in upstream v1.92 version|
|Product:||[Other] Security Response||Reporter:||Jan Lieskovsky <jlieskov>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||CLOSED ERRATA||QA Contact:|
|Version:||unspecified||CC:||bressers, denis, metherid, sundaram|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2010-03-22 19:27:08 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Cloudforms Team:||---||Target Upstream Version:|
Description Jan Lieskovsky 2010-03-17 18:09:10 UTC
Transmission upstream has recently released latest, v.1.92 version:  http://trac.transmissionbt.com/wiki/Changes addressing two security issues: A, Fix potential buffer overflow when adding maliciously-crafted magnet links References:  http://trac.transmissionbt.com/ticket/2965  http://trac.transmissionbt.com/wiki/Changes  http://bugs.gentoo.org/show_bug.cgi?id=309831 Upstream patch:  http://trac.transmissionbt.com/changeset/10279 B, Fix possible data corruption issue caused by data sent by bad peers during endgame References:  http://trac.transmissionbt.com/ticket/1242  http://trac.transmissionbt.com/ticket/1242#comment:1  http://trac.transmissionbt.com/wiki/Changes Upstream patch:  http://trac.transmissionbt.com/changeset/10325 CVE Request:  http://www.openwall.com/lists/oss-security/2010/03/17/12
Comment 1 Jan Lieskovsky 2010-03-17 18:15:58 UTC
These issues does NOT affect the current versions of the transmission package, as shipped with Fedora release of 11 and 12 (both issues has been already addressed within transmission-1.92-1.fc12 and transmission-1.92-1.fc11 version). Issue A, does NOT affect the version of the transmission package, as shipped within EPEL5 repository (transmission-1.34 does NOT provide magnet links functionality / support yet). Issue B, affects the version of the transmission package, as shipped within EPEL5 repository (transmission-1.34-1.el5). Though not complete sure this is a security issue (see  for further details), filed this BZ just not to omit potential security flaw. Please fix.
Comment 2 Rahul Sundaram 2010-03-18 14:04:48 UTC
I don't maintain the EPEL branches. I am not sure anybody is. Fedora branches have already been updated. Should I close this?
Comment 3 Josh Bressers 2010-03-22 19:27:08 UTC
I'm closing this, the EPEL branch doesn't seem to be well maintained, we don't plan on chasing it.
Comment 4 Jan Lieskovsky 2010-04-02 10:17:53 UTC
The CVE identifier of CVE-2010-0748 has been assigned for:  http://trac.transmissionbt.com/ticket/2965 Transmission issue. The CVE identifier of CVE-2010-0749 has been assigned for:  http://trac.transmissionbt.com/ticket/1242  http://trac.transmissionbt.com/ticket/1242#comment:1 Transmission issue.