Bug 13735

Summary: transmission new security issue CVE-2014-4909
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: dpremy, fundawang, mageia, mageia, mageia, oe, olav, ottoleipala1, rverschelde, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/605629/
Whiteboard: MGA3TOO mga4-64-ok mga4-32-ok mga3-32-ok mga3-64-ok advisory
Source RPM: transmission-2.82-2.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-07-13 17:46:15 CEST 
A CVE has been issued for a security issue in Transmission 2.84, released July 1:
http://openwall.com/lists/oss-security/2014/07/11/5

Cauldron has already been updated to 2.84.

Mageia 3 and Mageia 4 are affected.

Reproducible: 

Steps to Reproduce:
David Walser 2014-07-13 17:46:34 CEST

CC: (none) => fundawang, mageia, oe, olav

David Walser 2014-07-13 17:46:41 CEST

Whiteboard: (none) => MGA3TOO

Comment 1 David Walser 2014-07-16 22:05:18 CEST 
Debian has issued an advisory for this today (July 16):
http://www.ubuntu.com/usn/usn-2279-1/

URL: (none) => http://lwn.net/Vulnerabilities/605629/

Comment 2 David Walser 2014-07-17 00:06:30 CEST 
Patched packages uploaded for Mageia 3 and Mageia 4.

Advisory:
========================

Updated transmission packages fix security vulnerability:

Ben Hawkes discovered that Transmission incorrectly handled certain peer
messages. A remote attacker could use this issue to cause a denial of
service, or possibly execute arbitrary code (CVE-2014-4909).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4909
http://www.ubuntu.com/usn/usn-2279-1/
========================

Updated packages in core/updates_testing:
========================
Wrote: /home/iurt/rpmbuild/RPMS/noarch/transmission-common-2.77-1.1.mga3.noarch.rpm
transmission-cli-2.77-1.1.mga3
transmission-gtk-2.77-1.1.mga3
transmission-qt4-2.77-1.1.mga3
transmission-daemon-2.77-1.1.mga3
transmission-common-2.82-2.1.mga4
transmission-cli-2.82-2.1.mga4
transmission-gtk3-2.82-2.1.mga4
transmission-qt5-2.82-2.1.mga4
transmission-daemon-2.82-2.1.mga4

from SRPMS:
transmission-2.77-1.1.mga3.src.rpm
transmission-2.82-2.1.mga4.src.rpm

CC: (none) => mageia
Assignee: mageia => qa-bugs
Severity: normal => major

Comment 3 David Walser 2014-07-17 01:08:36 CEST 
Oops, fixing cosmetic issue in package list.

Advisory:
========================

Updated transmission packages fix security vulnerability:

Ben Hawkes discovered that Transmission incorrectly handled certain peer
messages. A remote attacker could use this issue to cause a denial of
service, or possibly execute arbitrary code (CVE-2014-4909).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4909
http://www.ubuntu.com/usn/usn-2279-1/
========================

Updated packages in core/updates_testing:
========================
transmission-common-2.77-1.1.mga3
transmission-cli-2.77-1.1.mga3
transmission-gtk-2.77-1.1.mga3
transmission-qt4-2.77-1.1.mga3
transmission-daemon-2.77-1.1.mga3
transmission-common-2.82-2.1.mga4
transmission-cli-2.82-2.1.mga4
transmission-gtk3-2.82-2.1.mga4
transmission-qt5-2.82-2.1.mga4
transmission-daemon-2.82-2.1.mga4

from SRPMS:
transmission-2.77-1.1.mga3.src.rpm
transmission-2.82-2.1.mga4.src.rpm
Comment 4 Otto Leipälä 2014-07-17 21:55:49 CEST 
I start to testing this.

CC: (none) => ozkyster

Comment 5 David Remy 2014-07-19 04:42:20 CEST 
Tested on mga4-64. Installed transmission-gtk3-2.82-2.mga4.x86_64 and started downloading torrent. Then installed transmission-gtk3-2.82-2.1.mga4.x86_64 and started the torrent back up. Things seem to be working, no issues found, couldn't reproduce security issues, marking ok.

CC: (none) => dpremy
Whiteboard: MGA3TOO => MGA3TOO mga4-64-ok

Comment 6 David Remy 2014-07-19 05:12:57 CEST 
Same test on mga4-32, started mageia-4.1-i586.iso download via torrent on transmission-gtk3-2.82-2.mga4 and then upgraded to transmission-gtk3-2.82-2.1.mga4 and started the torrent back up. Browsed around in settings and the properties of the torrent without issue. Marking ok.

Whiteboard: MGA3TOO mga4-64-ok => MGA3TOO mga4-64-ok mga4-32-ok

Comment 7 Otto Leipälä 2014-07-19 16:13:25 CEST 
I have finished my testing it's ok mageia 4 and mageia 3 64 and 32bit.
Comment 8 David Walser 2014-07-19 17:02:38 CEST 
Thanks Otto.  This is ready for validation when the advisory is uploaded.

Whiteboard: MGA3TOO mga4-64-ok mga4-32-ok => MGA3TOO mga4-64-ok mga4-32-ok mga3-32-ok mga3-64-ok

Comment 9 Otto Leipälä 2014-07-19 18:17:58 CEST 
I can validate but i cant do advisory so can claire or remi sen advisory for me ?.
Otto Leipälä 2014-07-19 18:21:21 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 10 Otto Leipälä 2014-07-19 18:22:31 CEST 
Update validated can sysadmin push this to mageia 4 and 3 updates ? and add advisory.
Comment 11 Rémi Verschelde 2014-07-26 11:42:02 CEST 
Advisory uploaded.

CC: (none) => remi
Whiteboard: MGA3TOO mga4-64-ok mga4-32-ok mga3-32-ok mga3-64-ok => MGA3TOO mga4-64-ok mga4-32-ok mga3-32-ok mga3-64-ok advisory

Comment 12 Colin Guthrie 2014-07-26 14:46:52 CEST 
Update pushed.

http://advisories.mageia.org/MGASA-2014-0298.html

Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED