16795 – libtorrent-rasterbar new security issue CVE-2015-5685

Bug 16795 - libtorrent-rasterbar new security issue CVE-2015-5685

Summary: libtorrent-rasterbar new security issue CVE-2015-5685

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	5
Hardware:	i586 Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:	http://lwn.net/Vulnerabilities/657990/
Whiteboard:	advisory MGA5-32-OK
Keywords:	validated_update

Depends on:
Blocks:

Reported:	2015-09-21 20:27 CEST by David Walser
Modified:	2015-11-05 23:46 CET (History)
CC List:	5 users (show)

See Also:
Source RPM:	libtorrent-rasterbar-0.16.18-1.mga5.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2015-09-21 20:27:20 CEST

Debian-LTS has issued an advisory on September 20:
http://lwn.net/Alerts/657975/

According to the Debian bug, it was fixed upstream in 1.0.6 (so Cauldron is fine), and they have a link to the upstream commit to fix it:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=797046

Reproducible: 

Steps to Reproduce:

Comment 1 David GEIGER 2015-10-25 17:30:46 CET

@David:

I just tried to fix libtorrent-rasterbar-0.16.18-1.mga5 but unsuccessfully.

http://pkgsubmit.mageia.org/uploads/failure/5/core/updates_testing/20151025162015.daviddavid.valstar.20672/log/libtorrent-rasterbar-0.16.18-1.1.mga5/build.0.20151025162029.log

CC: (none) => geiger.david68210

Comment 2 David Walser 2015-10-25 17:32:39 CET

I guess the patch needs to be adapted or it's dependent on some other intermediate commit.

Comment 3 David GEIGER 2015-10-25 18:33:02 CET

So ok done! :)

libtorrent-rasterbar-0.16.18 from mga5 is now fixed.

Comment 4 David Walser 2015-10-25 18:42:57 CET

Nice job David, thanks!

Advisory:
========================

Updated libtorrent-rasterbar packages fix security vulnerability:

The lazy_bdecode function in BitTorrent DHT bootstrap server (bootstrap-dht )
allows remote attackers to execute arbitrary code via a crafted packet,
related to "improper indexing." Note while this CVE was reported against
BitTorrent DHT Bootstrapt server, the same vulnerable code is available in
libtorrent-rasterbar (CVE-2015-5685).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5685
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=797046
========================

Updated packages in core/updates_testing:
========================
libtorrent-rasterbar7-0.16.18-1.1.mga5
python-libtorrent-rasterbar-0.16.18-1.1.mga5
libtorrent-rasterbar-devel-0.16.18-1.1.mga5

from libtorrent-rasterbar-0.16.18-1.1.mga5.src.rpm

Assignee: matteo.pasotti => qa-bugs

Dave Hodgins 2015-10-25 23:14:41 CET

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 5 Lewis Smith 2015-10-28 11:49:37 CET

To put the (x64] packages into context for testing:

lib64torrent-rasterbar7
|_qbittorrent[-nox]         Client programs
|_python-libtorrent-rasterbar
  |_deluge                 Client program
  |_miro                   Client program

CC: (none) => lewyssmith

Comment 6 Herman Viaene 2015-11-03 14:17:44 CET

MGA5-32 on Acer D620 Xfce
No installation issues.
Tried to use miro, but that one hangs after calling, something might be missing from my installation.
Then tried "strace -o librast.txt deluge" at CLI.
I tried to add a torrent to it, but failed (lack of knowledge at my side), but anyway, the strace shows libtorrent-rasterbar to be called, so OK for me.

CC: (none) => herman.viaene
Whiteboard: advisory => advisory MGA5-32-OK

Dave Hodgins 2015-11-05 22:02:39 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2015-11-05 23:46:55 CET

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0428.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.