Ubuntu
libtorrent-rasterbar package

Directory traversal vulnerability

  1. Jaunty (9.04)
  2. Bug #428183
Bug #428183 reported by Kees Cook
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
libtorrent-rasterbar (Ubuntu)
Invalid
Medium
Unassigned
Dapper
Invalid
Medium
Unassigned
Hardy
Invalid
Medium
Unassigned
Intrepid
Invalid
Medium
Unassigned
Jaunty
Won't Fix
Medium
Unassigned
Karmic
Invalid
Medium
Unassigned

Bug Description

Directory traversal vulnerability in src/torrent_info.cpp in Rasterbar
libtorrent before 0.14.4, as used in firetorrent, qBittorrent, deluge
Torrent, and other applications, allows remote attackers to create or
overwrite arbitrary files via a .. (dot dot) and partial relative pathname
in a Multiple File Mode list element in a .torrent file.

CVE References

Kees Cook (kees)
visibility: private → public
Kees Cook (kees)
affects: ubuntu → libtorrent-rasterbar (Ubuntu)
Kees Cook (kees)
Changed in libtorrent-rasterbar (Ubuntu):
importance: Undecided → Medium
Changed in libtorrent-rasterbar (Ubuntu Dapper):
importance: Undecided → Medium
Changed in libtorrent-rasterbar (Ubuntu Hardy):
importance: Undecided → Medium
Changed in libtorrent-rasterbar (Ubuntu Intrepid):
importance: Undecided → Medium
Changed in libtorrent-rasterbar (Ubuntu Jaunty):
importance: Undecided → Medium
Changed in libtorrent-rasterbar (Ubuntu Dapper):
status: New → Invalid
Changed in libtorrent-rasterbar (Ubuntu Hardy):
status: New → Invalid
Changed in libtorrent-rasterbar (Ubuntu Karmic):
status: New → Invalid
Revision history for this message
Kees Cook (kees) wrote :

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1760
http://census-labs.com/news/2009/06/08/libtorrent-rasterbar/

Revision history for this message
Andrew Starr-Bochicchio (andrewsomething) wrote :

For Intrepid, we can probably pull this from Lenny:

 libtorrent-rasterbar (0.13.1-2+lenny1) stable-security; urgency=high

   * debian/control:
     - change my email address so this upload doesn't appear as a NMU.
     - build-depends on quilt patch system.
   * debian/patches/fix_CVE_2009_1760.patch: fixes torrent file path
     vulnerability, backported from upstream svn (CVE-2009-1760).

 -- Cristian Greco <email address hidden> Thu, 04 Jun 2009 03:05:08 +0200

Here's a direct link to the patch from Lenny:

http://patch-tracker.debian.org/patch/series/dl/libtorrent-rasterbar/0.13.1-2+lenny1/fix_CVE_2009_1760.patch

This seems to be the upstream svn commit:

http://libtorrent.svn.sourceforge.net/viewvc/libtorrent?view=rev&revision=3580

Changed in libtorrent-rasterbar (Ubuntu Jaunty):
status: New → Won't Fix
status: Won't Fix → New
Revision history for this message
Alex Valavanis (valavanisalex) wrote :

Intrepid Ibex reached end-of-life on 30 April 2010 so I will close this report against Intrepid. The issue remains open in Jaunty.

Changed in libtorrent-rasterbar (Ubuntu Intrepid):
status: New → Invalid
Revision history for this message
Alex Valavanis (valavanisalex) wrote :

Jaunty reached end-of-life on 23 October 2010 so I'll close this report

Changed in libtorrent-rasterbar (Ubuntu Jaunty):
status: New → Won't Fix
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.