Bug 25507

Summary: Qbittorrent new release update to 4.1.8 (fixes CVE-2019-13640)
Product: Mageia Reporter: Jose Manuel López <joselp>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, geiger.david68210, matteo.pasotti, smelror, sysadmin-bugs
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: qbittorrent-4.1.6-1.mga7.src.rpm CVE:
Status comment:

Description Jose Manuel López 2019-09-30 17:39:38 CEST 
Description of problem: Qbittorrent new version 4.1.8 has been published. Qbittorrent version is 4.1.6 in Mageia 7.1

Version-Release number of selected component (if applicable): Qbittorrent 


How reproducible: Go to Rpmdrake and check the Qbittorrent version. Qbittorrent version is 4.1.6 in Mageia 7.1


Steps to Reproduce:
1. Go to the official web Qbittorrent: "https://www.qbittorrent.org/news.php" and see the announcement of the new version 4.1.8.
2. Check the Mageia Qbittorrent version.
3. The Qbittorrent version of Mageia is outdated.
Comment 1 Lewis Smith 2019-10-01 09:32:34 CEST 
Thank you Jose for pointing this out.
Assigning to the 'qbittorrent' registered maintainer to judge the matter.

Assignee: bugsquad => matteo.pasotti

Comment 2 David Walser 2019-11-26 21:19:06 CET 
Additionally, 4.1.7 fixed a security issue.

openSUSE has issued an advisory for this on August 25:
https://lists.opensuse.org/opensuse-updates/2019-08/msg00195.html

QA Contact: (none) => security
Assignee: matteo.pasotti => smelror
CC: (none) => matteo.pasotti
Component: RPM Packages => Security
Summary: Qbittorrent new release update to 4.1.8 => Qbittorrent new release update to 4.1.8 (fixes CVE-2019-13640)
Source RPM: Qbittorrent => qbittorrent-4.1.6-1.mga7.src.rpm

Comment 3 David GEIGER 2019-12-10 16:06:45 CET 
Done for mga7 updating to 4.1.9.1.

CC: (none) => geiger.david68210

Comment 4 David Walser 2019-12-10 22:57:47 CET 
Advisory:
========================

Updated qbittorrent packages fix security vulnerability:

In qBittorrent before 4.1.7, the function Application::runExternalProgram()
located in app/application.cpp allows command injection via shell
metacharacters in the torrent name parameter or current tracker parameter, as
demonstrated by remote command execution via a crafted name within an RSS feed
(CVE-2019-13640).

The qbittorrent package has been updated to version 4.1.9.1, fixing this issue
and several others.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13640
https://www.qbittorrent.org/news.php
https://lists.opensuse.org/opensuse-updates/2019-08/msg00195.html
========================

Updated packages in core/updates_testing:
========================
qbittorrent-4.1.9.1-1.mga7
qbittorrent-nox-4.1.9.1-1.mga7

from qbittorrent-4.1.9.1-1.mga7.src.rpm

Assignee: smelror => qa-bugs
CC: (none) => smelror

Comment 5 Jose Manuel López 2019-12-11 09:02:50 CET 
Hi,

I've installed the new version 4.1.9 in Mageia 7 Plasma Virtualbox x64. Works fine. The search, download and boot, works without problems.

Greetings.
David Walser 2019-12-11 14:21:50 CET

Whiteboard: (none) => MGA7-64-OK

Comment 6 Thomas Andrews 2019-12-12 21:50:00 CET 
Validating. Advisory in Comment 4.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 7 Rémi Verschelde 2019-12-13 16:57:08 CET 
Advisory uploaded.

Keywords: (none) => advisory

Comment 8 Mageia Robot 2019-12-13 19:27:10 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0379.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED