Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1760 to the following vulnerability:

Directory traversal vulnerability in src/torrent_info.cpp in Rasterbar libtorrent before 0.14.4, as used in firetorrent, qBittorrent, deluge Torrent, and other applications, allows remote attackers to create or overwrite arbitrary files via a .. (dot dot) and partial relative pathname in a Multiple File Mode list element in a .torrent file.

References:
http://www.securityfocus.com/archive/1/archive/1/504151/100/0/threaded
http://census-labs.com/news/2009/06/08/libtorrent-rasterbar/

Fixed upstream in 0.14.4 and should be in 0.13.2 when released:
http://sourceforge.net/project/shownotes.php?group_id=79942&release_id=686456

Upstream commits:
http://code.rasterbar.com/libtorrent/changeset/3580 (0.14.x and trunk)
http://code.rasterbar.com/libtorrent/changeset/3621 (0.13.x)

0.14.4 is already in Rawhide/F12, so F9-F11.
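The kind of check that closes this class of bug, as an added example (not part of the original report, and not libtorrent's actual fix): each element of a Multiple File Mode path list is treated as a single name and rejected if it is `..` or carries a separator of its own. The function names are hypothetical, and platform-specific rules such as Windows drive letters are not covered.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Hypothetical helper, not libtorrent's API. One element of the "path"
// list must be a single file or directory name, never a path fragment.
static bool valid_path_element(const std::string& e)
{
    if (e.empty() || e == "." || e == "..") return false;
    // A separator or NUL inside an element lets "x/../../y" slip past a
    // check that only compares whole elements against "..".
    return e.find_first_of(std::string("/\\\0", 3)) == std::string::npos;
}

// Joins the decoded "path" list into a path relative to the save
// directory. Returns false and leaves `out` empty if any element is unsafe.
bool build_relative_path(const std::vector<std::string>& elements,
                         std::string& out)
{
    out.clear();
    if (elements.empty()) return false;
    std::string joined;
    for (const std::string& e : elements) {
        if (!valid_path_element(e)) return false;
        if (!joined.empty()) joined += '/';
        joined += e;
    }
    out = joined;
    return true;
}

int main()
{
    // Constructed sample path lists, as they would look after bdecoding.
    const std::vector<std::vector<std::string>> samples = {
        {"album", "track01.ogg"},   // ordinary entry
        {"..", "outside.txt"},      // whole element is ".."
        {"album", "../../outside"}, // ".." hidden inside one element
    };
    for (const auto& s : samples) {
        std::string rel;
        if (build_relative_path(s, rel)) std::cout << "accept " << rel << "\n";
        else std::cout << "reject entry\n";
    }
    return 0;
}
```

A client should refuse the whole torrent when any entry is rejected rather than silently skipping the file.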
rb_libtorrent-0.14.3-2.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/rb_libtorrent-0.14.3-2.fc11
rb_libtorrent-0.13.1-5.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/rb_libtorrent-0.13.1-5.fc10
rb_libtorrent-0.12.1-2.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/rb_libtorrent-0.12.1-2.fc9
deluge-1.1.9-1.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/deluge-1.1.9-1.fc10
Peter, can deluge be linked against system rb_libtorrent to avoid the need to update both packages for each bug / issue in rb_libtorrent?
deluge-0.5.9.3-2.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/deluge-0.5.9.3-2.fc9
Unfortunately, Deluge requires a lot of fairly recent API in libtorrent, which means it can only build against the system copy if it (rb_libtorrent) is 0.14+. Otherwise, it uses an internal copy which is itself an 0.14.x snapshot. :-/
rb_libtorrent-0.13.1-5.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
deluge-1.1.9-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
rb_libtorrent-0.12.1-2.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
rb_libtorrent-0.14.3-2.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
deluge-0.5.9.3-2.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.