Package: transmission
Severity: grave
Tags: security
The message below was reported on oss-security. CVE-2010-0749 seems
like a regular bug to me, not necessarily security-relevant, but
please upload transmission 1.92 ASAP.
Lenny isn't affected, it doesn't have support for Magnet links yet.
On a side note: Given that most Bittorrent trackers seem to block
older clients, I think we should change the update policy for Squeeze
and always introduce the recent version in stable point updates.
What do you think?
Cheers,
Moritz
> Transmission upstream has recently released latest, v1.92 version:
> [1] http://trac.transmissionbt.com/wiki/Changes
>
> fixing one (potentially two) security issues:
> a, Fix potential buffer overflow when adding maliciously-crafted
> magnet links
>
> References:
> [2] http://trac.transmissionbt.com/ticket/2965
> [3] http://trac.transmissionbt.com/wiki/Changes
> [4] http://bugs.gentoo.org/show_bug.cgi?id=309831
> Use CVE-2010-0748 for this one. I'm calling it an arbitrary memory write.
> It's not really a buffer overflow.
> b, Fix possible data corruption issue caused by data sent by bad
> peers during endgame (this one I am not completely sure of, but when
> looking at the relevant bug record:
> [5] http://trac.transmissionbt.com/ticket/1242
> there is written:
> [6] http://trac.transmissionbt.com/ticket/1242#comment:1
> "My theory is that for some reason Transmission will download a
> corrupt part from someone but not realize it until you do a
> manual verify. At this point T will recognize the bad part and
> redownload it from the same person, which just causes the
> problem again."
>
> so to prevent someone from successfully downloading content of
> some torrent file, for an attacker to should be enough to
> download a part of it, corrupt it and
> share it. Not sure about the algorithm, Transmission decides
> which torrent
> to retrieve content from, but if it is deterministic /
> predictable behavior / algorithm, such attack could succeed).
>
> References:
> [7] http://trac.transmissionbt.com/ticket/1242
> [8] http://trac.transmissionbt.com/ticket/1242#comment:1
> [9] http://trac.transmissionbt.com/wiki/Changes
>
> I'm giving this issue a CVE ID too. I think this issue is a bit on the
> fence, but given a malicious client could corrupt download data in a manner
> that is hard to fix, it should get one.
> Use CVE-2010-0749
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-3-686 (SMP w/1 CPU core)
Locale: LANG=C, lc_ctype=de_de.iso-8859...@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
Versions of packages transmission depends on:
pn transmission-cli <none> (no description available)
pn transmission-common <none> (no description available)
pn transmission-gtk <none> (no description available)
transmission recommends no packages.
transmission suggests no packages.
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
