KTorrent security issue with releases <2.1.2 (Breezy - Feisty)

Bug #91174 reported by Richard Johnson on 2007-03-10
264
Affects Status Importance Assigned to Milestone
Dapper Backports
Undecided
Unassigned
Edgy Backports
Undecided
Unassigned
ktorrent (Ubuntu)
Medium
Kees Cook
Breezy
Medium
Kees Cook
Dapper
Medium
Kees Cook
Edgy
Medium
Kees Cook
Feisty
Medium
Kees Cook

Bug Description

Binary package hint: ktorrent

binary hint: ktorrent

KDE Mailing List Announcement:
  http://lists.kde.org/?l=kde-announce&m=117346514411140&w=2

KDE SVN Revision Comments
  http://websvn.kde.org/?view=rev&revision=640661

This issue affects all releases prior to the latest 2.1.2 release (from Breezy to Feisty).

Issues related to the possibility of a DoS or heap corruption by allowing idx to either be to small (negative) or to large (chunkcounter.cpp). The other issue is allowing .. in the file names (torrent.cpp). If ran with the regular user damage could be caused by overwriting user config files or directories. If ran as root, it could overwrite system files.

Richard Johnson (nixternal) wrote :

91172 in progress. accidental double posting?

Changed in ktorrent:
status: Unconfirmed → Rejected
Kees Cook (kees) wrote :

(from 91172, now dup'd)

http://websvn.kde.org/?view=rev&revision=640661

From a quick review, the changes to "torrent.cpp" are to stop arbitrary path overwrites, and the other changes are to protect against heap corruption. I haven't studied the code paths too much, but it feels like a very dedicated attacker could manage to get arbitrary code execution.

Changed in ktorrent:
importance: Undecided → Medium
status: Rejected → Confirmed
importance: Undecided → Medium
status: Unconfirmed → Confirmed
importance: Undecided → Medium
status: Unconfirmed → Confirmed
importance: Undecided → Medium
status: Unconfirmed → Confirmed
Richard Johnson (nixternal) wrote :

Edgy debdiff

Richard Johnson (nixternal) wrote :

Dapper debdiff

Richard Johnson (nixternal) wrote :

IGNORE PREVIOUS ATTACHMENTS - TYPO

Richard Johnson (nixternal) wrote :

Edgy fix

Richard Johnson (nixternal) wrote :

Dapper fix

Changed in ktorrent:
status: Confirmed → Fix Committed
status: Confirmed → Fix Committed
Richard Johnson (nixternal) wrote :

Feisty fix

Changed in ktorrent:
status: Confirmed → Fix Committed
Richard Johnson (nixternal) wrote :

Breezy Fix - someone with a Breezy setup double test this for me please. Thanks!

Changed in ktorrent:
status: Confirmed → Fix Committed
Kees Cook (kees) wrote :

Thanks for getting these put together. I'll test them all including breezy. I adjusted your debdiffs to include the assigned CVEs, and to use the -security pocket.

Changed in ktorrent:
assignee: nobody → keescook
assignee: nobody → keescook
assignee: nobody → keescook
assignee: nobody → keescook
Kees Cook (kees) wrote :

Hm, looks like the patch "system" in the dapper and edgy packages need manual changes to the debian/rules files. I've adjusted them.

Richard Johnson (nixternal) wrote :

Kees,

Rock on! Thanks for helping me with this. If you have any issues, just ping me on IRC this evening as I will be around to help out if needed. Thanks again!

Kees Cook (kees) on 2007-03-13
Changed in ktorrent:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
Kees Cook (kees) wrote :

You're welcome! Thanks again for getting the patches ready. :)

For completeness, the USN for this update is:

http://www.ubuntu.com/usn/usn-436-1

John Dong (jdong) wrote :

Feisty version also approved for edgy and dapper backports to fix this USN for Backports users.

Changed in dapper-backports:
status: Unconfirmed → In Progress
Changed in edgy-backports:
status: Unconfirmed → In Progress
Tollef Fog Heen (tfheen) wrote :

 * Trying to backport ktorrent...
  - <ktorrent_2.1.orig.tar.gz: downloading from librarian>
  - <ktorrent_2.1-0ubuntu2.diff.gz: downloading from librarian>
  - <ktorrent_2.1-0ubuntu2.dsc: downloading from librarian>
I: Extracting ktorrent_2.1-0ubuntu2.dsc ... done.
I: Building backport of ktorrent-2.1 as 2.1-0ubuntu2~edgy1 ... done.

Changed in edgy-backports:
status: In Progress → Fix Released
Tollef Fog Heen (tfheen) wrote :

 * Trying to backport ktorrent...
  - <ktorrent_2.1.orig.tar.gz: downloading from librarian>
  - <ktorrent_2.1-0ubuntu2.diff.gz: downloading from librarian>
  - <ktorrent_2.1-0ubuntu2.dsc: downloading from librarian>
I: Extracting ktorrent_2.1-0ubuntu2.dsc ... done.
I: Building backport of ktorrent-2.1 as 2.1-0ubuntu2~dapper1 ... done.

Changed in dapper-backports:
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Duplicates of this bug

Other bug subscribers