Package: transmission-daemon Version: 2.52-3 Severity: grave Tags: security patch upstream Justification: user security hole
The transmission-daemon package in wheezy crashes regularly. According to upstream this is a remote security hole (at least a remote DoS, but most probably there is a way to take control of the process). https://trac.transmissionbt.com/ticket/5044 https://trac.transmissionbt.com/ticket/5002 Apparently there is no CVE assigned. The bug is fixed upstream and I’m attaching the patch. I’m currently testing a patched package, and will report whether the fix is sufficient. Cheers, -- .''`. Josselin Mouette : :' : `. `' `-
Index: trunk/third-party/libutp/utp.cpp
===================================================================
--- trunk/third-party/libutp/utp.cpp (revision 13645)
+++ trunk/third-party/libutp/utp.cpp (revision 13646)
@@ -1488,4 +1488,6 @@
 }
+enum { MAX_EACK = 128 };
+
 void UTPSocket::selective_ack(uint base, const byte *mask, byte len)
 {
@@ -1500,5 +1502,5 @@
 // iterate in reverse over the acked packets, at the end, the top packets
 // are the ones we want to resend
- int resends[32];
+ int resends[MAX_EACK];
 int nr = 0;
@@ -1573,4 +1575,10 @@
 count >= DUPLICATE_ACKS_BEFORE_RESEND &&
 duplicate_ack < DUPLICATE_ACKS_BEFORE_RESEND) {
+ // resends is a stack, and we're mostly interested in the top of it
+ // if we're full, just throw away the lower half
+ if (nr >= MAX_EACK - 2) {
+ memmove(resends, &resends[MAX_EACK/2], MAX_EACK/2 * sizeof(resends[0]));
+ nr -= MAX_EACK / 2;
+ }
 resends[nr++] = v;
 LOG_UTPV("0x%08x: no ack for %u", this, v);
@@ -1581,11 +1589,10 @@
 } while (--bits >= -1);
- if (((base - 1 - fast_resend_seq_nr) & ACK_NR_MASK) < 256 &&
- count >= DUPLICATE_ACKS_BEFORE_RESEND &&
- duplicate_ack < DUPLICATE_ACKS_BEFORE_RESEND) {
+ if (((base - 1 - fast_resend_seq_nr) & ACK_NR_MASK) <= OUTGOING_BUFFER_MAX_SIZE &&
+ count >= DUPLICATE_ACKS_BEFORE_RESEND) {
 // if we get enough duplicate acks to start
 // resending, the first packet we should resend
 // is base-1
- resends[nr++] = base - 1;
+ resends[nr++] = (base - 1) & ACK_NR_MASK;
 } else {
 LOG_UTPV("0x%08x: not resending %u count:%d dup_ack:%u fast_resend_seq_nr:%u",
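Review bot: The `MAX_EACK - 2` threshold in the added `if (nr >= MAX_EACK - 2)` guard (hunk at -1573) is unexplained, yet it appears to be the only thing keeping the unguarded `resends[nr++]` after the loop, in the -1581 hunk, inside the array. A comment such as `// keep headroom below MAX_EACK for the base-1 entry pushed after the loop` would record that dependency, if that is the intent. The memmove also copies slots at and above `nr` that have not been written yet; they land at or above the reduced `nr`, so they are presumably never read, but that depends on code outside the hunk consuming only the first `nr` entries. The enclosing loop starts before this hunk.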
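Review bot: The write `resends[nr++] = (base - 1) & ACK_NR_MASK;` in the -1581 hunk has no bounds check of its own and stays inside the stack array only because of the guard added inside the loop. Making the check local, for example `if (nr < MAX_EACK) resends[nr++] = (base - 1) & ACK_NR_MASK;`, keeps the array safe if the loop guard or its threshold is changed later. This value is now masked with `ACK_NR_MASK` while `resends[nr++] = v;` in the loop is not; how `v` is computed is outside the hunk, so it is worth confirming that it is already in range. The function body continues past the end of the hunk.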