Your message dated Thu, 22 Mar 2007 11:17:02 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#414832: fixed in ktorrent 2.0.3+dfsg1-2.1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: ktorrent
Version: 2.1-1~mdx1
Severity: grave
Tags: patch security
Justification: user security hole
I came across this piece of news:
http://www.heise-security.co.uk/news/86661 which explains very briefly
about two security issues in ktorrent. These have been solved on
ktorrent 2.1.2 as explained on http://ktorrent.org/forum/viewtopic.php?t=1401
I know the frozen version is 2.0.3 which is somewhat "far" from the
fixed version, so I looked into the svn
respository(svn://anonsvn.kde.org/home/kde/trunk/extragear/network/ktorrent)
and found that commit 640661 fixes the bug. I also attach it as patch,
I hope it could apply cleanly to the frozen version.
Thanks.
-- System Information:
Debian Release: 4.0
APT prefers unstable
APT policy: (800, 'unstable'), (500, 'testing'), (100, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.20rs
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8)
Versions of packages ktorrent depends on:
ii kdelibs4c2a 4:3.5.6.r1.dfsg.1-2 core libraries and binaries for al
ii libacl1 2.2.42-1 Access control list shared library
ii libart-2.0-2 2.3.17-1 Library of functions for 2D graphi
ii libattr1 1:2.4.32-1.1 Extended attribute shared library
ii libaudio2 1.8-3 The Network Audio System (NAS). (s
ii libavahi-client3 0.6.16-3 Avahi client library
ii libavahi-common3 0.6.16-3 Avahi common library
ii libc6 2.3.6.ds1-13 GNU C Library: Shared libraries
ii libfontconfig1 2.4.2-1.2 generic font configuration library
ii libfreetype6 2.2.1-5 FreeType 2 font engine, shared lib
ii libgamin0 [libfam0] 0.1.8-1 Client library for the gamin file
ii libgcc1 1:4.1.1-21 GCC support library
ii libgmp3c2 2:4.2.1+dfsg-4 Multiprecision arithmetic library
ii libice6 1:1.0.1-2 X11 Inter-Client Exchange library
ii libidn11 0.6.5-1 GNU libidn library, implementation
ii libjpeg62 6b-13 The Independent JPEG Group's JPEG
ii libpcre3 6.7-1 Perl 5 Compatible Regular Expressi
ii libpng12-0 1.2.15~beta5-1 PNG library - runtime
ii libqt3-mt 3:3.3.7-3 Qt GUI Library (Threaded runtime v
ii libsm6 1:1.0.1-3 X11 Session Management library
ii libstdc++6 4.1.1-21 The GNU Standard C++ Library v3
ii libx11-6 2:1.0.3-6 X11 client-side library
ii libxcursor1 1.1.7-4 X cursor management library
ii libxext6 1:1.0.1-2 X11 miscellaneous extension librar
ii libxft2 2.1.8.2-8 FreeType-based font drawing librar
ii libxi6 1:1.0.1-4 X11 Input extension library
ii libxinerama1 1:1.0.1-4.1 X11 Xinerama extension library
ii libxrandr2 2:1.1.0.2-5 X11 RandR extension library
ii libxrender1 1:0.9.1-3 X Rendering Extension client libra
ii libxt6 1:1.0.2-2 X11 toolkit intrinsics library
ii zlib1g 1:1.2.3-13 compression library - runtime
ktorrent recommends no packages.
-- no debconf information
Index: libktorrent/torrent/torrent.cpp
===================================================================
--- libktorrent/torrent/torrent.cpp (revisión: 640660)
+++ libktorrent/torrent/torrent.cpp (revisión: 640661)
@@ -163,9 +163,15 @@
if (!v || v->data().getType() != Value::STRING)
throw Error(i18n("Corrupted torrent!"));
- path += v->data().toString(encoding);
- if (j + 1 < ln->getNumChildren())
- path += bt::DirSeparator();
+ QString sd = v->data().toString(encoding);
+ // check for weirdness like .. ,
+ // we don't want to write outside the user specified directories
+ if (sd != "..")
+ {
+ path += sd;
+ if (j + 1 < ln->getNumChildren())
+ path += bt::DirSeparator();
+ }
}
// we do not want empty dirs
Index: libktorrent/torrent/chunkcounter.cpp
===================================================================
--- libktorrent/torrent/chunkcounter.cpp (revisión: 640660)
+++ libktorrent/torrent/chunkcounter.cpp (revisión: 640661)
@@ -59,12 +59,13 @@
void ChunkCounter::inc(Uint32 idx)
{
- cnt[idx]++;
+ if (idx < cnt.size())
+ cnt[idx]++;
}
void ChunkCounter::dec(Uint32 idx)
{
- if (cnt[idx] > 0)
+ if (idx < cnt.size() && cnt[idx] > 0)
cnt[idx]--;
}
Index: libktorrent/torrent/peer.cpp
===================================================================
--- libktorrent/torrent/peer.cpp (revisión: 640660)
+++ libktorrent/torrent/peer.cpp (revisión: 640661)
@@ -193,11 +193,21 @@
{
Out() << "len err HAVE" << endl;
kill();
- return;
}
-
- haveChunk(this,ReadUint32(tmp_buf,1));
- pieces.set(ReadUint32(tmp_buf,1),true);
+ else
+ {
+ Uint32 ch = ReadUint32(tmp_buf,1);
+ if (ch < pieces.getNumBits())
+ {
+ haveChunk(this,ch);
+ pieces.set(ch,true);
+ }
+ else
+ {
+ Out(SYS_CON|LOG_NOTICE) << "Received invalid have value, kicking peer" << endl;
+ kill();
+ }
+ }
break;
case BITFIELD:
if (len != 1 + pieces.getNumBytes())
Index: apps/ktorrent/main.cpp
===================================================================
--- apps/ktorrent/main.cpp (revisión: 640660)
+++ apps/ktorrent/main.cpp (revisión: 640661)
@@ -108,6 +108,7 @@
about.addCredit("Dagur Valberg Johannsson",I18N_NOOP("Coldmilk webgui"),"[EMAIL PROTECTED]");
about.addCredit("Alexander Dymo",I18N_NOOP("IDEAl code from KDevelop"),"[EMAIL PROTECTED]");
about.addCredit("Scott Wolchok",I18N_NOOP("Conversion speed improvement in ipfilter plugin"),"[EMAIL PROTECTED]");
+ about.addCredit("Bryan Burns of Juniper Networks",I18N_NOOP("Discovered 2 security vulnerabilities (both are fixed)"),0);
KCmdLineArgs::init(argc, argv, &about);
KCmdLineArgs::addCmdLineOptions(options);
--- End Message ---
--- Begin Message ---
Source: ktorrent
Source-Version: 2.0.3+dfsg1-2.1
We believe that the bug you reported is fixed in the latest version of
ktorrent, which is due to be installed in the Debian FTP archive:
ktorrent_2.0.3+dfsg1-2.1.diff.gz
to pool/main/k/ktorrent/ktorrent_2.0.3+dfsg1-2.1.diff.gz
ktorrent_2.0.3+dfsg1-2.1.dsc
to pool/main/k/ktorrent/ktorrent_2.0.3+dfsg1-2.1.dsc
ktorrent_2.0.3+dfsg1-2.1_amd64.deb
to pool/main/k/ktorrent/ktorrent_2.0.3+dfsg1-2.1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Pierre Habouzit <[EMAIL PROTECTED]> (supplier of updated ktorrent package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Thu, 22 Mar 2007 11:11:20 +0100
Source: ktorrent
Binary: ktorrent
Architecture: source amd64
Version: 2.0.3+dfsg1-2.1
Distribution: unstable
Urgency: high
Maintainer: Joel Johnson <[EMAIL PROTECTED]>
Changed-By: Pierre Habouzit <[EMAIL PROTECTED]>
Description:
ktorrent - BitTorrent client for KDE
Closes: 414830 414832
Changes:
ktorrent (2.0.3+dfsg1-2.1) unstable; urgency=high
.
* Non-maintainer upload.
* Fix security issue (Closes: 414832, 414830):
+ drop patch from #414832 in debian/patches.
+ use quilt as a patches management system to deal with it.
+ urgency set to high due to RC bugfix.
Files:
0918857e98518996c891d6c0bcfd51f1 663 kde optional ktorrent_2.0.3+dfsg1-2.1.dsc
e210f4dad18fcbcdd4d41dcad502557a 5544 kde optional
ktorrent_2.0.3+dfsg1-2.1.diff.gz
4cea68a9ea4d948a5feeef658bdb02d1 1583504 kde optional
ktorrent_2.0.3+dfsg1-2.1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFGAmG0vGr7W6HudhwRAqvzAJ9rT2HhkzJ98Jff2xuDyk3WgylFuQCfUFaL
t05wZTqC1eq46avtriUAkBY=
=9iYO
-----END PGP SIGNATURE-----
--- End Message ---