Debian-LTS issued an advisory on September 20:
http://lwn.net/Alerts/657975/

According to the Debian bug, it was fixed upstream in 1.0.6 (so Cauldron is fine), and they have a link to the upstream commit to fix it:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=797046
@David: I just tried to fix libtorrent-rasterbar-0.16.18-1.mga5 but unsuccessfully. http://pkgsubmit.mageia.org/uploads/failure/5/core/updates_testing/20151025162015.daviddavid.valstar.20672/log/libtorrent-rasterbar-0.16.18-1.1.mga5/build.0.20151025162029.log
CC: (none) => geiger.david68210
I guess the patch needs to be adapted or it's dependent on some other intermediate commit.
So ok done! :) libtorrent-rasterbar-0.16.18 from mga5 is now fixed.
Nice job David, thanks!

Advisory:
========================

Updated libtorrent-rasterbar packages fix security vulnerability:

The lazy_bdecode function in BitTorrent DHT bootstrap server (bootstrap-dht) allows remote attackers to execute arbitrary code via a crafted packet, related to "improper indexing." Note while this CVE was reported against BitTorrent DHT Bootstrap server, the same vulnerable code is available in libtorrent-rasterbar (CVE-2015-5685).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5685
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=797046
========================

Updated packages in core/updates_testing:
========================
libtorrent-rasterbar7-0.16.18-1.1.mga5
python-libtorrent-rasterbar-0.16.18-1.1.mga5
libtorrent-rasterbar-devel-0.16.18-1.1.mga5

from libtorrent-rasterbar-0.16.18-1.1.mga5.src.rpm
Assignee: matteo.pasotti => qa-bugs
CC: (none) => davidwhodgins
Whiteboard: (none) => advisory
To put the (x64) packages into context for testing:

lib64torrent-rasterbar7
|_qbittorrent[-nox]    Client programs
|_python-libtorrent-rasterbar
  |_deluge    Client program
  |_miro      Client program
CC: (none) => lewyssmith
MGA5-32 on Acer D620 Xfce
No installation issues. Tried to use miro, but that one hangs after calling; something might be missing from my installation. Then tried "strace -o librast.txt deluge" at CLI. I tried to add a torrent to it, but failed (lack of knowledge on my side), but anyway, the strace shows libtorrent-rasterbar to be called, so OK for me.
CC: (none) => herman.viaene
Whiteboard: advisory => advisory MGA5-32-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0428.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED