KTorrent security issue with releases <2.1.2 (Breezy - Feisty)

Bug #91174 reported by Rich Johnson
Affects            Status        Importance  Assigned to  Milestone
Dapper Backports   Fix Released  Undecided   Unassigned
Edgy Backports     Fix Released  Undecided   Unassigned
ktorrent (Ubuntu)  Fix Released  Medium      Kees Cook
  Breezy           Fix Released  Medium      Kees Cook
  Dapper           Fix Released  Medium      Kees Cook
  Edgy             Fix Released  Medium      Kees Cook
  Feisty           Fix Released  Medium      Kees Cook

Bug Description

Binary package hint: ktorrent

KDE Mailing List Announcement:
  http://lists.kde.org/?l=kde-announce&m=117346514411140&w=2

KDE SVN Revision Comments
  http://websvn.kde.org/?view=rev&revision=640661

This issue affects all releases prior to the latest 2.1.2 release (from Breezy to Feisty).

Issues related to the possibility of a DoS or heap corruption by allowing idx to be either too small (negative) or too large (chunkcounter.cpp). The other issue is allowing .. in the file names (torrent.cpp). If run as a regular user, damage could be caused by overwriting user config files or directories. If run as root, it could overwrite system files.

Revision history for this message
Rich Johnson (nixternal) wrote :

91172 in progress. accidental double posting?

Changed in ktorrent:
status: Unconfirmed → Rejected
Revision history for this message
Kees Cook (kees) wrote :

(from 91172, now dup'd)

http://websvn.kde.org/?view=rev&revision=640661

From a quick review, the changes to "torrent.cpp" are to stop arbitrary path overwrites, and the other changes are to protect against heap corruption. I haven't studied the code paths too much, but it feels like a very dedicated attacker could manage to get arbitrary code execution.

Changed in ktorrent:
importance: Undecided → Medium
status: Rejected → Confirmed
importance: Undecided → Medium
status: Unconfirmed → Confirmed
importance: Undecided → Medium
status: Unconfirmed → Confirmed
importance: Undecided → Medium
status: Unconfirmed → Confirmed
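The two defects named in the description (an unchecked idx into the chunk counter, and ".." components in torrent-supplied file names) both come down to validating attacker-controlled input before it reaches an array or the filesystem. The following is an added example, not code from ktorrent or from the KDE commit linked above, showing the hardened form of each check as stand-alone C++; the names isSafeTorrentPath, ChunkCounter and chunkCounterRejectsBadIndices are assumptions, not ktorrent identifiers.

```cpp
#include <cstdint>
#include <cstdio>
#include <sstream>
#include <string>
#include <vector>

// Added example (not ktorrent's code). Names are assumptions.

// Reject any file name taken from a .torrent's info dictionary that could
// escape the download directory: an absolute path, a ".." component, or a
// backslash that a Windows-style resolver might treat as a separator.
bool isSafeTorrentPath(const std::string& path) {
    if (path.empty()) return false;
    if (path[0] == '/') return false;                       // absolute path
    if (path.find('\\') != std::string::npos) return false; // backslash anywhere
    std::istringstream parts(path);
    std::string part;
    while (std::getline(parts, part, '/')) {
        if (part == "..") return false;   // parent-directory traversal
    }
    return true;                          // "a..b" or "." alone are harmless
}

// Per-chunk peer counter with an explicit range check on every access, so a
// negative or oversized idx fails the call instead of touching memory
// outside the backing array.
class ChunkCounter {
public:
    explicit ChunkCounter(std::size_t numChunks) : counts_(numChunks, 0) {}

    bool inc(std::int64_t idx) {
        if (!inRange(idx)) return false;
        ++counts_[static_cast<std::size_t>(idx)];
        return true;
    }

    bool dec(std::int64_t idx) {
        if (!inRange(idx)) return false;
        std::uint32_t& c = counts_[static_cast<std::size_t>(idx)];
        if (c == 0) return false;         // would underflow an unsigned count
        --c;
        return true;
    }

    // Out-of-range reads yield 0 rather than whatever sits past the array.
    std::uint32_t get(std::int64_t idx) const {
        return inRange(idx) ? counts_[static_cast<std::size_t>(idx)] : 0;
    }

    std::size_t size() const { return counts_.size(); }

private:
    bool inRange(std::int64_t idx) const {
        return idx >= 0 && static_cast<std::uint64_t>(idx) < counts_.size();
    }
    std::vector<std::uint32_t> counts_;
};

// Exercises the counter with in-range and out-of-range indices; returns true
// only if every out-of-range or underflowing access was refused.
bool chunkCounterRejectsBadIndices() {
    ChunkCounter cc(4);
    bool ok = cc.inc(3) && cc.get(3) == 1;
    ok = ok && !cc.inc(4) && !cc.inc(-1) && !cc.dec(-5) && cc.get(99) == 0;
    ok = ok && !cc.dec(0);                 // count at 0, must not wrap
    ok = ok && cc.dec(3) && cc.get(3) == 0 && cc.size() == 4;
    return ok;
}

int main() {
    // Constructed sample names, the kind a malicious .torrent could carry.
    const char* samples[] = {"music/track01.mp3", "../.bashrc",
                             "dir/../../etc/passwd", "/etc/passwd", "..\\x"};
    for (const char* s : samples)
        std::printf("%-22s %s\n", s, isSafeTorrentPath(s) ? "ok" : "REJECTED");
    std::printf("counter bounds check: %s\n",
                chunkCounterRejectsBadIndices() ? "pass" : "FAIL");
    return 0;
}
```

The path check is deliberately component-based rather than a substring search for "..", so legitimate names such as "a..b" still pass while "dir/../x" does not; the counter returns a status instead of silently clamping, so a caller can log the rejected index as a sign of a malformed peer message.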
Revision history for this message
Rich Johnson (nixternal) wrote :

Edgy debdiff

Revision history for this message
Rich Johnson (nixternal) wrote :

Dapper debdiff

Revision history for this message
Rich Johnson (nixternal) wrote :

IGNORE PREVIOUS ATTACHMENTS - TYPO

Revision history for this message
Rich Johnson (nixternal) wrote :

Edgy fix

Revision history for this message
Rich Johnson (nixternal) wrote :

Dapper fix

Changed in ktorrent:
status: Confirmed → Fix Committed
status: Confirmed → Fix Committed
Revision history for this message
Rich Johnson (nixternal) wrote :

Feisty fix

Changed in ktorrent:
status: Confirmed → Fix Committed
Revision history for this message
Rich Johnson (nixternal) wrote :

Breezy Fix - someone with a Breezy setup double test this for me please. Thanks!

Changed in ktorrent:
status: Confirmed → Fix Committed
Revision history for this message
Kees Cook (kees) wrote :

Thanks for getting these put together. I'll test them all including breezy. I adjusted your debdiffs to include the assigned CVEs, and to use the -security pocket.

Changed in ktorrent:
assignee: nobody → keescook
assignee: nobody → keescook
assignee: nobody → keescook
assignee: nobody → keescook
Revision history for this message
Kees Cook (kees) wrote :

Hm, looks like the patch "system" in the dapper and edgy packages needs manual changes to the debian/rules files. I've adjusted them.

Revision history for this message
Rich Johnson (nixternal) wrote :

Kees,

Rock on! Thanks for helping me with this. If you have any issues, just ping me on IRC this evening as I will be around to help out if needed. Thanks again!

Kees Cook (kees)
Changed in ktorrent:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
Revision history for this message
Kees Cook (kees) wrote :

You're welcome! Thanks again for getting the patches ready. :)

For completeness, the USN for this update is:

http://www.ubuntu.com/usn/usn-436-1

Revision history for this message
John Dong (jdong) wrote :

Feisty version also approved for edgy and dapper backports to fix this USN for Backports users.

Changed in dapper-backports:
status: Unconfirmed → In Progress
Changed in edgy-backports:
status: Unconfirmed → In Progress
Revision history for this message
Tollef Fog Heen (tfheen) wrote :

 * Trying to backport ktorrent...
  - <ktorrent_2.1.orig.tar.gz: downloading from librarian>
  - <ktorrent_2.1-0ubuntu2.diff.gz: downloading from librarian>
  - <ktorrent_2.1-0ubuntu2.dsc: downloading from librarian>
I: Extracting ktorrent_2.1-0ubuntu2.dsc ... done.
I: Building backport of ktorrent-2.1 as 2.1-0ubuntu2~edgy1 ... done.

Changed in edgy-backports:
status: In Progress → Fix Released
Revision history for this message
Tollef Fog Heen (tfheen) wrote :

 * Trying to backport ktorrent...
  - <ktorrent_2.1.orig.tar.gz: downloading from librarian>
  - <ktorrent_2.1-0ubuntu2.diff.gz: downloading from librarian>
  - <ktorrent_2.1-0ubuntu2.dsc: downloading from librarian>
I: Extracting ktorrent_2.1-0ubuntu2.dsc ... done.
I: Building backport of ktorrent-2.1 as 2.1-0ubuntu2~dapper1 ... done.

Changed in dapper-backports:
status: In Progress → Fix Released