A directory traversal vulnerability in Rasterbar libtorrent might allow
a remote attacker to overwrite arbitrary files.
Background
==========
Rasterbar libtorrent is a C++ BitTorrent implementation focusing on
efficiency and scalability. Deluge is a BitTorrent client that ships a
copy of libtorrent.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-libs/rb_libtorrent < 0.13-r1 >= 0.13-r1
2 net-p2p/deluge < 1.1.9 >= 1.1.9
-------------------------------------------------------------------
2 affected packages on all of their supported architectures.
-------------------------------------------------------------------
Description
===========
census reported a directory traversal vulnerability in
src/torrent_info.cpp that can be triggered via .torrent files.
Impact
======
A remote attacker could entice a user or automated system using
Rasterbar libtorrent to load a specially crafted BitTorrent file to
create or overwrite arbitrary files using dot dot sequences in
filenames.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Rasterbar libtorrent users should upgrade to the latest version:
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security (at) gentoo (dot) org [email concealed] or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
Gentoo Linux Security Advisory GLSA 200907-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Rasterbar libtorrent: Directory traversal
Date: July 17, 2009
Bugs: #273156, #273961
ID: 200907-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A directory traversal vulnerability in Rasterbar libtorrent might allow
a remote attacker to overwrite arbitrary files.
Background
==========
Rasterbar libtorrent is a C++ BitTorrent implementation focusing on
efficiency and scalability. Deluge is a BitTorrent client that ships a
copy of libtorrent.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-libs/rb_libtorrent < 0.13-r1 >= 0.13-r1
2 net-p2p/deluge < 1.1.9 >= 1.1.9
-------------------------------------------------------------------
2 affected packages on all of their supported architectures.
-------------------------------------------------------------------
Description
===========
census reported a directory traversal vulnerability in
src/torrent_info.cpp that can be triggered via .torrent files.
Impact
======
A remote attacker could entice a user or automated system using
Rasterbar libtorrent to load a specially crafted BitTorrent file to
create or overwrite arbitrary files using dot dot sequences in
filenames.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Rasterbar libtorrent users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=net-libs/rb_libtorrent-0.13-r1"
All Deluge users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-p2p/deluge-1.1.9"
References
==========
[ 1 ] CVE-2009-1760
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1760
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200907-14.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security (at) gentoo (dot) org [email concealed] or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)
iQIcBAABCAAGBQJKYB/eAAoJECaaHo/OfoM5cpgP/ixbutxt0Nk+3cxOsDtAaXyB
7KLbrYVOKUqZbJ6MM6rQoSsAcvlpj0wfVYLK17rPhR5aSCMXksZeYuT8Qshil/+/
K9W64SVpDoxgRFdCluXXOdiJNmknDAjmMXKZhKC7PsKUBen45y8tjd2NWdgAxTnw
se0K2tNKR7Pvs+jirkP3GKvtLx2n/52j8/ez6hRdKA7Ej/K4xZ94iN2ory87Oh2C
KVaZ8kvHc7PUIM0gsaeagm+zETwX11FfvZV1VLXO7tLALK6o8tCB0QFxkSS71vJ8
v2ilooz/+PtI+GkHBisSvI36keT5GM1RUREgMmzsxCb0kHDJ3wIxdxSJBGi1OPMZ
f4gezHQhkQz2Gx77534fS3Xa2wvghFNsZMicz3+NsrW+slQRGwk5GsZ8r5lILPDq
U0eHvIQiGO6PyKm8h1rdV7/WM04fReF4JFsPrb4TGirFClMFzvyL9x/a/dmX4gkE
fG82WCb+gyInLC4kEGm9Bb5L4Fm6hhv2UPpzu8Us2Q4QSftxQ6nHK5lVPmjrsmty
ire4MAWd8KZw51mWbIjmdqeB1khbnYcy9gEuhcaQ85nDqqD3ft7aMQhDwXffRtiu
etZpzewhc2yRIgLzO6144DVnBdZ+O9x9YRpHBb5EsNoHBJzNmlIE8hylC0o/l1/a
nLrnbEo91yLngbcZlq9p
=Vl64
-----END PGP SIGNATURE-----
[ reply ]