Bug 7590

Summary: transmission - new security issue CVE-2012-4037
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: major    
Priority: Normal CC: mageia, marc.lattemann, olav, qa-bugs, sysadmin-bugs, tmb, wassi
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/517656/
Whiteboard: MGA2-32-OK MGA2-64-OK
Source RPM: transmission-2.51-1.1.mga2.src.rpm CVE:
Status comment:
Attachments: used torrent-file for testing

Description David Walser 2012-09-26 20:18:35 CEST 
Ubuntu has issued an advisory today (September 26):
http://www.ubuntu.com/usn/usn-1584-1/

According to the CVE entry, it's fixed upstream in 2.61, which is in Cauldron.

Ubuntu should have a patch for 2.51, which we have in Mageia 2.

Ubuntu wasn't able to reproduce the issue with 2.33 and 2.13, so Mageia 1 may not be affected.
David Walser 2012-09-26 20:18:48 CEST

CC: (none) => olav

Comment 1 Damien Lallement 2012-10-08 18:28:15 CEST 
Package available in core/update_testing.

Status: NEW => ASSIGNED
Hardware: i586 => All
Assignee: mageia => qa-bugs
Summary: transmission new security issue CVE-2012-4037 => [Update Request] transmission - new security issue CVE-2012-4037
Source RPM: transmission-2.51-1.mga2.src.rpm => transmission-2.51-1.1.mga2.src.rpm

Comment 2 David Walser 2012-10-08 18:38:29 CEST 
Thanks Damien!

Advisory:
========================

Updated transmission packages fix security vulnerability:

Multiple cross-site scripting (XSS) vulnerabilities in the web client in
Transmission before 2.61 allow remote attackers to inject arbitrary web
script or HTML via the (1) comment, (2) created by, or (3) name field in a
torrent file (CVE-2012-4037).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4037
http://www.ubuntu.com/usn/usn-1584-1/
========================

Updated packages in core/updates_testing:
========================
transmission-common-2.51-1.1.mga2
transmission-cli-2.51-1.1.mga2
transmission-gtk-2.51-1.1.mga2
transmission-qt4-2.51-1.1.mga2
transmission-daemon-2.51-1.1.mga2

from transmission-2.51-1.1.mga2.src.rpm
Comment 3 Marc Lattemann 2012-10-08 19:15:27 CEST 
PoC: http://archives.neohapsis.com/archives/fulldisclosure/2012-07/0349.html

Will try to test on x86_64

CC: (none) => marc.lattemann

Comment 4 Marc Lattemann 2012-10-08 21:37:55 CEST 
the packages in Core Updates have already version 2.51-1.1. The subrel needes to be updated?
However using PoC from Comment #3 (the torrents there are not working, but I've created ones with xss-code in comment section) the packages from Updates_testing do not show the vulnerability anymore.
tested x86_64 and i586 for mga2
Comment 5 Marc Lattemann 2012-10-08 21:51:56 CEST 
Created attachment 2935 [details]
used torrent-file for testing

I've uploaded the test-file I used.
Comment 6 Marc Lattemann 2012-10-08 22:04:53 CEST 
testing on mga1 reveal that bug is also valid for mga1 (version 2.22-1.1 from i586) using the attached test-file.
user7 2012-10-09 02:44:10 CEST

CC: (none) => wassi
Whiteboard: (none) => MGA1TOO MGA2-32-OK MGA2-64-OK

Comment 7 Damien Lallement 2012-10-09 14:24:46 CEST 
(In reply to comment #4)
> the packages in Core Updates have already version 2.51-1.1. The subrel needes
> to be updated?

Thank you, new package available: transmission-2.51-1.2.mga2
transmission-common-2.51-1.2.mga2
transmission-cli-2.51-1.2.mga2
transmission-gtk-2.51-1.2.mga2
transmission-qt4-2.51-1.2.mga2
transmission-daemon-2.51-1.2.mga2

from transmission-2.51-1.2.mga2.src.rpm

CC: (none) => mageia

Comment 8 Marc Lattemann 2012-10-09 15:49:20 CEST 
updated packages worked as expected on i586 and x86_64.

The update could be validated at least for mga2. But what should be done with mga1? Should there be opened a new bug for it?
Comment 9 David Walser 2012-10-09 16:21:51 CEST 
(In reply to comment #8)
> updated packages worked as expected on i586 and x86_64.
> 
> The update could be validated at least for mga2. But what should be done with
> mga1? Should there be opened a new bug for it?

If it is affected, we should try to fix that too before releasing this.
Comment 10 David Walser 2012-10-11 14:28:03 CEST 
It looks like backporting the patch is non-trivial.  It might be easier to backport 2.51 to Mageia 1.

CC: (none) => qa-bugs
Assignee: qa-bugs => mageia
Summary: [Update Request] transmission - new security issue CVE-2012-4037 => transmission - new security issue CVE-2012-4037

Comment 11 David Walser 2012-10-17 13:30:50 CEST 
I tried building 2.51 locally on Mageia 1.  If you change the BuildRequires pkgconfig(gtk+3.0) to gtk+2-devel, it will attempt to build against gtk+2, so that's good, but it fails at "CCLD transmission-cli" linking, so I don't know how to fix that.
Comment 12 Damien Lallement 2012-10-29 16:10:32 CET 
I will open an other bug for Mageia 1 as I need to investigate for this issue.
Reassingin to QA.

Assignee: mageia => qa-bugs
Whiteboard: MGA1TOO MGA2-32-OK MGA2-64-OK => MGA2-32-OK MGA2-64-OK

Comment 13 David Walser 2012-10-29 16:13:04 CET 
Thanks.  Please CC me on the new bug.

This one can be validated with the following advisory.

Advisory:
========================

Updated transmission packages fix security vulnerability:

Multiple cross-site scripting (XSS) vulnerabilities in the web client in
Transmission before 2.61 allow remote attackers to inject arbitrary web
script or HTML via the (1) comment, (2) created by, or (3) name field in a
torrent file (CVE-2012-4037).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4037
http://www.ubuntu.com/usn/usn-1584-1/
========================

Updated packages in core/updates_testing:
========================
transmission-common-2.51-1.2.mga2
transmission-cli-2.51-1.2.mga2
transmission-gtk-2.51-1.2.mga2
transmission-qt4-2.51-1.2.mga2
transmission-daemon-2.51-1.2.mga2

from transmission-2.51-1.2.mga2.src.rpm
Comment 14 claire robinson 2012-10-29 18:20:45 CET 
Thankyou.

Validating (mga2 only)

See comment 13 for advisory and srpm

Could sysadmin please push from core/updates_testing to core/updates

This bug can then be closed.

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 15 Thomas Backlund 2012-10-29 18:40:04 CET 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0314

Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED