KTorrent 3.1.4 was released, fixing multiple security issues in ktorrent's web interface.

Quoting Secunia:

Some vulnerabilities have been discovered in KTorrent, which can be exploited by malicious users to compromise a vulnerable system and malicious people to bypass certain security restrictions.

1) The web interface plugin does not properly restrict access to the torrent upload functionality. This can be exploited to upload arbitrary torrent files by sending a specially crafted HTTP POST request to the affected application.

2) The web interface plugin does not properly sanitise request parameters before passing them to the PHP interpreter. This can be exploited to inject and execute arbitrary PHP code by passing specially crafted parameters to the PHP scripts of the web interface.

Successful exploitation of the vulnerabilities requires that the web interface plugin is enabled (not the default setting).

The Gentoo bug report (see below) confirms that both issues also affect ktorrent 2.x and has patch backports to 2.2.7 attached.

References:
http://ktorrent.org/?q=node/23
http://secunia.com/advisories/32442/
http://bugs.gentoo.org/show_bug.cgi?id=244741
F9 already fixed via:
https://admin.fedoraproject.org/updates/F9/FEDORA-2008-9167
F8 can possibly be addressed using rbu's patch backports.
pinged upstream about kde3's ktorrent-2.2.x (used in F-8):
http://ktorrent.org/forum/viewtopic.php?p=14574
In the meantime, will look over gentoo's patches.
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-5905 to the following vulnerability:

The web interface plugin in KTorrent before 3.1.4 allows remote attackers to bypass intended access restrictions and upload arbitrary torrent files, and trigger the start of downloads and seeding, via a crafted HTTP POST request.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5905
http://openwall.com/lists/oss-security/2009/01/08/1
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504178
http://ktorrent.org/?q=node/23
https://bugs.gentoo.org/show_bug.cgi?id=244741
http://secunia.com/advisories/32442
http://secunia.com/advisories/32447

Common Vulnerabilities and Exposures assigned an identifier CVE-2008-5906 to the following vulnerability:

Eval injection vulnerability in the web interface plugin in KTorrent before 3.1.4 allows remote attackers to execute arbitrary PHP code via unspecified parameters to this interface's PHP scripts.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5906
http://openwall.com/lists/oss-security/2009/01/08/1
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504178
http://ktorrent.org/?q=node/23
https://bugs.gentoo.org/show_bug.cgi?id=244741
http://secunia.com/advisories/32442
http://secunia.com/advisories/32447
All currently supported Fedora releases ship KTorrent 3.1.5 - so I think we can close this bug. Other opinions?
This issue was addressed in:
Fedora: https://admin.fedoraproject.org/updates/F9/FEDORA-2008-9167
ktorrent-2.2.8-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.