Bug 18624

Summary: libtorrent-rasterbar new DoS security issue (CVE-2016-5301)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, geiger.david68210, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/691093/
Whiteboard: advisory MGA5-64-OK
Source RPM: libtorrent-rasterbar-1.0.9-1.mga6.src.rpm CVE:
Status comment:

Description David Walser 2016-06-04 23:39:19 CEST 
A security issue was reported and fixed upstream in libtorrent-rasterbar:
http://openwall.com/lists/oss-security/2016/06/04/9

The fix in the 1.0 branch is here:
https://github.com/arvidn/libtorrent/commit/22099cec46741417a6fb6df560468eb64655db33

I don't know if it affects 0.16.18 in Mageia 5.
Comment 1 David Walser 2016-06-05 19:32:46 CEST 
CVE-2016-5301 has been assigned:
http://openwall.com/lists/oss-security/2016/06/05/1

Summary: libtorrent-rasterbar new DoS security issue => libtorrent-rasterbar new DoS security issue (CVE-2016-5301)

Comment 2 David Walser 2016-06-13 21:56:55 CEST 
Debian-LTS has issued an advisory for this on June 11:
http://lwn.net/Alerts/691074/

So, it does indeed affect Mageia 5.  You should be able to get a patch from them.

URL: (none) => http://lwn.net/Vulnerabilities/691093/
Whiteboard: (none) => MGA5TOO

Comment 3 David Walser 2016-06-30 17:44:04 CEST 
Fixed in libtorrent-rasterbar-1.0.9-2.mga6 in Cauldron by David.  Thanks!

CC: (none) => geiger.david68210
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

Comment 4 David GEIGER 2016-06-30 18:31:15 CEST 
Fixed for mga5 too.
Comment 5 David Walser 2016-06-30 18:46:45 CEST 
Thanks David!

This is used by qbittorrent, deluge, and miro.

Advisory:
========================

Updated libtorrent-rasterbar packages fix security vulnerability:

A specially crafted HTTP response from a tracker (or potentially a UPnP
broadcast) can crash libtorrent-rasterbar in the parse_chunk_header() function.
Although this function is not present in this version, upstream's additional
sanity checks were added to abort the program if necessary instead of crashing
it (CVE-2016-5301).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5301
http://lwn.net/Alerts/691074/
========================

Updated packages in core/updates_testing:
========================
libtorrent-rasterbar7-0.16.18-1.2.mga5
python-libtorrent-rasterbar-0.16.18-1.2.mga5
libtorrent-rasterbar-devel-0.16.18-1.2.mga5

from libtorrent-rasterbar-0.16.18-1.2.mga5.src.rpm

Assignee: matteo.pasotti => qa-bugs

Comment 6 Dave Hodgins 2016-07-05 16:53:56 CEST 
Just testing that deluge works.

advisory committed to svn.

validating the update

Keywords: (none) => validated_update
Whiteboard: (none) => advisory MGA5-64-OK
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 7 Mageia Robot 2016-07-05 17:48:01 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0234.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED