Update libtorrent-rasterbar to 1.0.6 - Fix DRDoS critical bug

Bug #1490250 reported by Xavier Guillot
This bug affects 2 people
Affects                          Status         Importance   Assigned to               Milestone
libtorrent-rasterbar (Ubuntu)    Fix Released   Undecided    Andrew Starr-Bochicchio
Precise                          Won't Fix      Undecided    Unassigned
Trusty                           Incomplete     Undecided    Unassigned
Vivid                            Incomplete     Undecided    Unassigned

Bug Description

Hi,

Sorry to deliberately create a duplicate, but even though the original bug was assigned, I'm not sure who receives all the updates, and I can't modify the existing one to mark it as security-related now:

https://bugs.launchpad.net/bugs/1485365

A critical DRDoS vulnerability in the BitTorrent ecosystem, concerning the libtorrent-rasterbar library, has just been patched.

As the Debian package has already been updated in experimental: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=785676

I guess it should be easy now for Ubuntu to make version 1.0.6 with the fix available for all distributions, as clients such as Deluge and qBittorrent depend on libtorrent-rasterbar.

Transmission does not seem to be affected: https://trac.transmissionbt.com/ticket/5984

And Vuze is working on it; the package will have to be updated shortly after their next release: http://forum.vuze.com/Thread-Update-Vuze-with-libuTP-patch-to-correct-bug-allowing-DRDoS-attacks

Here are some details on this bug:
http://blog.bittorrent.com/2015/08/27/mitigating-drdos-vulnerability-in-the-bittorrent-ecosystem/
https://github.com/arvidn/libtorrent/commit/677e64275405a3a2fd9017c8b4c51f9cc5e0a2e1
http://www.researchgate.net/publication/280878634_P2P_File-Sharing_in_Hell_Exploiting_BitTorrent_Vulnerabilities_to_Launch_Distributed_Reflective_DoS_Attacks

Moreover, libtorrent-rasterbar versions 0.15.10 (present in Ubuntu Precise and Debian wheezy), 0.16.18 (Ubuntu Vivid, Debian sid, jessie)... are also affected by CVE-2015-5685:
https://security-tracker.debian.org/tracker/CVE-2015-5685

Thanks and best regards,

Xavier Guillot

information type: Private Security → Public Security
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in libtorrent-rasterbar (Ubuntu):
status: New → Confirmed
description: updated
Changed in libtorrent-rasterbar (Ubuntu):
status: Confirmed → In Progress
assignee: nobody → Andrew Starr-Bochicchio (andrewsomething)
Seth Arnold (seth-arnold) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in libtorrent-rasterbar (Ubuntu):
status: In Progress → Incomplete
Changed in libtorrent-rasterbar (Ubuntu Precise):
status: New → Incomplete
Changed in libtorrent-rasterbar (Ubuntu Trusty):
status: New → Incomplete
Changed in libtorrent-rasterbar (Ubuntu Vivid):
status: New → Incomplete
Changed in libtorrent-rasterbar (Ubuntu):
status: Incomplete → In Progress
Andrew Starr-Bochicchio (andrewsomething) wrote :

This bug was fixed in the package libtorrent-rasterbar - 1.0.6-2

---------------
libtorrent-rasterbar (1.0.6-2) unstable; urgency=medium

  * Upload to unstable (Closes: #791176).

 -- Andrew Starr-Bochicchio <email address hidden> Sat, 29 Aug 2015 12:55:09 -0400

libtorrent-rasterbar (1.0.6-1) experimental; urgency=medium

  * New upstream release (Closes: #785676).
   - Bump library soname.
  * Drop fix-python-build-missing-byteshpp.patch, applied upstream.
  * python-clean-without-bjam.patch: Only use bjam when '--bjam'
    is passed explicitly.
  * Bump Standards-Version to 3.9.6, no changes.
  * Point debian/watch at GitHub.

 -- Andrew Starr-Bochicchio <email address hidden> Sat, 01 Aug 2015 18:03:37 -0400

Changed in libtorrent-rasterbar (Ubuntu):
status: In Progress → Fix Released
Steve Langasek (vorlon) wrote :

The Precise Pangolin has reached end of life, so this bug will not be fixed for that release.

Changed in libtorrent-rasterbar (Ubuntu Precise):
status: Incomplete → Won't Fix