Multiple security vulnerabilities in Edgy

Bug #155491 reported by Cameron Dale on 2007-10-21
Affects Status Importance Assigned to Milestone
torrentflux (Ubuntu)
Kees Cook

Bug Description

Binary package hint: torrentflux

There are many security vulnerabilities in the torrentflux version present in Edgy that were fixed in later versions of the Debian package. The Edgy version is based on Debian's 2.1-1, while 2.1-7 includes all of the fixes to these security vulnerabilities:

 - fix minor XSS vulnerability in admin.php, issue CVE-2006-5227
 - sanitize html entities to fix the security issue CVE-2006-5451
 - fixed the directroy traversal vulnerability, issue CVE-2006-5609
 - sanitize file inputs, issues CVE-2006-6328, CVE-2006-6329, CVE-2006-6330, CVE-2006-6598
 - remote command execution in metaInfo.php, issue CVE-2006-6331
 - possible XSS vulnerability due to urldecode, CVE-2006-6600
 - remote command execution in maketorrent.php, issue CVE-2006-6599
 - more possible fixes just to be safe, issue CVE-2006-6604

All of these vulnerabilities are relatively minor, as they all require a logged in user to exploit them.

To fix them, the changes from Debian's version 2.1-7 can be easily ported by including the following dpatch files from the Debian package (and removing the ubuntu created 05_sanitize_html_entities.dpatch as it only partially solves the problem):


I am preparing an updated package to fix these issues, and will post it here when it's done.

I have successfully built a modified package that contains all these fixes, and the debdiff for torrentflux_2.1-1ubuntu0.1 to torrentflux_2.1-1ubuntu0.2 is attached. The changes are pretty simple, though the debdiff runs to some 939 lines they are mostly just including dpatch files that are available in the Debian package of torrentflux (2.1-7 or newer). Here is the diffstat:

 debian/patches/05_sanitize_html_entities.dpatch | 26 --
 debian/patches/06_sanitize_html_entities.dpatch | 244 ++++++++++++++++++++
 debian/patches/09_fix_directory_traversal.dpatch | 18 +
 debian/patches/10_sanitize_file_input.dpatch | 179 ++++++++++++++
 debian/patches/11_missed_security_fixes.dpatch | 135 +++++++++++
 debian/patches/12_metaInfo_remote_command.dpatch | 43 +++
 debian/patches/13_possible_xss_vulnerability.dpatch | 58 ++++
 debian/patches/14_maketorrent_remote_command.dpatch | 19 +
 debian/patches/15_additional_possible_fixes.dpatch | 126 ++++++++++
 torrentflux-2.1/debian/changelog | 27 ++
 torrentflux-2.1/debian/patches/00list | 9
 11 files changed, 857 insertions(+), 27 deletions(-)

You can see that other than updating the changelog and 00list files, all I have done is removed 05_sanitize_html_entities.dpatch and added the other patch files (I only included the ones with security fixes, not that fixed other bugs). If you want, you can check that the dpatch files in the new version are the same as the ones in the Debian torrentflux package by downloading the latest torrentflux version, which includes the same dpatch files though they are no longer used due to upstream fixes.

Though I was able to build the new package successfully in a pbuilder for Edgy, I no longer have an edgy machine to install the new version on to test that everything works properly. However, I am VERY familiar with the changes made here and the package in general, and I'm confident that these changes will cause no problems in edgy. I was able to install this version and use it in gutsy without any problems.

Changed in torrentflux:
status: New → In Progress
Andrea Veri (av) wrote :

The debdiff looks great, I've already pinged Kees about this. Just two minor things:
1) change the release to point to edgy-security
2) add a reference point for the bug number, maybe at the top of the bug, so archive-admins can easily review the upload with your debdiff and accept this in.

Thanks for working on this, cameron.

Changed in torrentflux:
importance: Undecided → Medium
status: In Progress → Confirmed

I updated the debdiff to incorporate Andrea's suggestions.

Kees Cook (kees) wrote :

Thanks for the patches! I've got this building in the security queue now and it will be published shortly.

Changed in torrentflux:
assignee: nobody → keescook
status: Confirmed → Fix Committed
Andrea Veri (av) wrote :

Thanks a lot Kees for having this done. There were too many security issues on torrentflux edgy's package, but now I'm happy to see everything fixed up.

William Grant (wgrant) on 2007-11-09
Changed in torrentflux:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers