Bug 1343364 (CVE-2016-5301) - CVE-2016-5301 libtorrent: Crash while parsing invalid chunked HTTP or UPnP response
Alias: CVE-2016-5301
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Whiteboard: impact=moderate,public=20160604,repor...
Keywords: Security
Depends On: 1343365 1343366
Reported: 2016-06-07 08:31 UTC by Andrej Nemec
Modified: 2019-06-08 21:14 UTC

Clone Of:
Last Closed: 2016-08-10 20:43:48 UTC

Description Andrej Nemec 2016-06-07 08:31:01 UTC
A vulnerability was found in libtorrent. A specially crafted HTTP response from a tracker (or potentially a UPnP broadcast) can crash libtorrent in the parse_chunk_header() function.

Upstream bug:


Upstream fix:


Comment 1 Andrej Nemec 2016-06-07 08:31:44 UTC
Created libtorrent tracking bugs for this issue:

Affects: fedora-all [bug 1343365]
Affects: epel-all [bug 1343366]

Comment 2 Denis Fateyev 2016-08-10 20:43:48 UTC
This bug relates to a different project [1,2] which is also known as "Rasterbar Libtorrent". That project has nothing to do with Libtorrent by Rakshasa [3], which is provided by the "libtorrent" package. The projects' name similarity can be confusing indeed.

[1] https://github.com/arvidn/libtorrent

[2] http://libtorrent.org/

[3] https://github.com/rakshasa/libtorrent/
