| Summary: | libtorrent-rasterbar new security issue CVE-2016-7164 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | geiger.david68210, herman.viaene, lewyssmith, mageia, marja11, pkg-bugs, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/700649/ | ||
| Whiteboard: | has_procedure MGA5-32-OK MGA5-64-OK | ||
| Source RPM: | libtorrent-rasterbar-1.0.9-2.mga6.src.rpm | CVE: | |
| Status comment: | |||
| Attachments: | File to launch a BitTorrent download | ||
Description
David Walser
2016-09-08 15:08:37 CEST
Assigning to maintainer. However, CC'ing all packagers collectively, because the registered maintainer is, unfortunately, mostly MIA.

@ Matteo
If real life allows you to fix the issue, then please set the Status of this report to ASSIGNED, so that no one else will start working on it :-)

Kind regards,
Marja
CC: (none) => marja11, pkg-bugs

Fixed for mga5 and freeze_push requested for Cauldron.
CC: (none) => geiger.david68210

Thanks David! Waiting for freeze push before assigning to QA.

Advisory:
========================

Applications using libtorrent-rasterbar are vulnerable to denial of service. An attacker-controlled torrent tracker can crash victim torrent clients by sending malformed GZIP responses (CVE-2016-7164).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7164
http://www.openwall.com/lists/oss-security/2016/09/08/7
========================

Updated packages in core/updates_testing:
========================
libtorrent-rasterbar7-0.16.18-1.3.mga5
python-libtorrent-rasterbar-0.16.18-1.3.mga5
libtorrent-rasterbar-devel-0.16.18-1.3.mga5

from libtorrent-rasterbar-0.16.18-1.3.mga5.src.rpm

libtorrent-rasterbar-1.0.10-1.mga6 uploaded for Cauldron.

Assigning to QA. This is used by qbittorrent, deluge, and miro.

Advisory and package list in Comment 3.
Version: Cauldron => 5

Herman Viaene
2016-09-13 11:36:22 CEST
MGA5-32 on Acer D620 Xfce
No installation issues.
Opened deluge with CLI "strace -o deluge.txt deluge" and found a reference to libtorrent-rasterbar.
CC: (none) => herman.viaene
Whiteboard: has_procedure => has_procedure MGA5-32-OK
David Walser
2016-09-14 18:58:07 CEST
URL: (none) => http://lwn.net/Vulnerabilities/700649/

Created attachment 8447
File to launch a BitTorrent download

This attachment can be used to launch a BitTorrent download of a Mageia 5 Gnome DVD.
Right-click the file, and the context menu offers (if you have them):
- open with Deluge
- open with qBitTorrent
which is a handy way to launch these clients to do something. You have to 'add' the selected file, then off it goes. You may need to select the torrent to see its info and control it. You can pause then remove the torrent and its associated data.
CC: (none) => lewyssmith

Recap of the component relationships:
lib64torrent-rasterbar7
|_qbittorrent[-nox]            Client program[s]
|_python-libtorrent-rasterbar
  |_deluge                     Client program
  |_miro                       Client program

Testing MGA5 x64.

BEFORE update:
lib64torrent-rasterbar7-0.16.18-1.2.mga5
python-libtorrent-rasterbar-0.16.18-1.2.mga5
Confirmed with the test file (Comment 6) that these basically worked.

AFTER update:
lib64torrent-rasterbar7-0.16.18-1.3.mga5
python-libtorrent-rasterbar-0.16.18-1.3.mga5
Launched both qbittorrent and deluge from the test file context menu; they seemed to work OK.

Validating this update.
Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0320.html
Status: NEW => RESOLVED

(In reply to Nicolas Lécureuil from comment #8)
> Please add 19313.adv

I would have done this, along with other advisories awaiting; but thanks.

I was on it so I did it :) It was quick as the QA team already added all the info on the bug report.