Bug 20895 - deluge new security issue CVE-2017-9031
Summary: deluge new security issue CVE-2017-9031
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords: feedback
Depends on:
Blocks:
 
Reported: 2017-05-20 12:29 CEST by David Walser
Modified: 2017-09-08 11:43 CEST (History)
6 users

See Also:
Source RPM: deluge-1.3.11-1.1.mga5.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2017-05-20 12:29:27 CEST
A security issue fixed upstream in deluge has been announced:
http://openwall.com/lists/oss-security/2017/05/18/9

The issue was fixed in 1.3.15.  The upstream commit that fixed the issue is linked in the message above.
Comment 1 Zombie Ryushu 2017-05-20 13:34:43 CEST
Package        : deluge
CVE ID         : CVE-2017-7178 CVE-2017-9031

Two vulnerabilities have been discovered in the web interface of the
Deluge BitTorrent client (directory traversal and cross-site request
forgery).

For the stable distribution (jessie), these problems have been fixed in
version 1.3.10-3+deb8u1.

For the unstable distribution (sid), these problems have been fixed in
version 1.3.13+git20161130.48cedf63-3.

CC: (none) => zombie_ryushu

Comment 2 David Walser 2017-05-20 22:24:11 CEST
The Debian advisory for this from May 18:
https://www.debian.org/security/2017/dsa-3856
Comment 3 Atilla ÖNTAŞ 2017-05-21 20:20:54 CEST
Thank you for pointing this out. CVE-2017-7178 was fixed in deluge-1.3.11-1.1.mga5. I updated deluge with the added upstream patch to fix CVE-2017-9031.

Suggested advisory:
========================

Updated deluge package fixes security vulnerability:

The WebUI component in Deluge before 1.3.15 contains a directory traversal vulnerability involving a request in which the name of the render file is not associated with any template file (CVE-2017-9031).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9031
http://openwall.com/lists/oss-security/2017/05/18/9
https://www.debian.org/security/2017/dsa-3856
========================

Updated packages in core/updates_testing:
========================
deluge-1.3.11-1.2.mga5.noarch.rpm

Source RPMs: 
deluge-1.3.11-1.2.mga5.src.rpm
Atilla ÖNTAŞ 2017-05-21 20:21:46 CEST

Assignee: tarakbumba => qa-bugs

Dave Hodgins 2017-05-28 01:43:22 CEST

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 4 Lewis Smith 2017-05-30 22:32:54 CEST
Trying M5_64, deluge updated OK to: deluge-1.3.11-1.2.mga5

Noting that this update is aimed at the *WebUI*, not the normal GTK GUI, I found:

"The web interface enables access to Deluge from your browser. 
1. From the GTK UI you can enable the WebUI plugin.
[Edit-Preferences-WebUI: Enable, and leave the main GTK window open]
2. If running the Deluge daemon deluged it is recommended not use the plugin and instead run the standalone Web UI:
 $ deluge -u web         [which gives some warnings]
Then
 Open the browser at http://localhost:8112"
which shows a page similar to the GTK GUI; which reacts sensibly. So far so good.

I tried adding a torrent quoting the Mageia 5.1 Classic Torrent URL
 https://www.mageia.org/en/downloads/get/?q=Mageia-5.1-x86_64-DVD.iso&torrent=1
which yielded "not a valid torrent". From the same URL Firefox showed a simpler filename Mageia-5.1-x86_64-DVD.torrent, and a mirror URL. I tried a composite URL:
 http://ftp.uni-erlangen.de/Mageia-5.1-x86_64-DVD.torrent
but that gave 'not found'. I found that from Firefox one can 'open with Deluge' which starts the GTK GUI, but I could not get the web UI to operate (it displayed OK) in parallel for the download.

If somebody could indicate a valid torrent URL to give directly to the web UI, please do. And perhaps say what you have to do to enable seeding to others?

CC: (none) => lewyssmith

Comment 5 Herman Viaene 2017-05-31 16:25:09 CEST
MGA5-32 on Asus A6000VM Xfce
No installation issues.
Starting deluge from CLI gives:
$ deluge
/usr/lib/python2.7/site-packages/twisted/internet/_sslverify.py:184: UserWarning: You do not have the service_identity module installed. Please install it from <https://pypi.python.org/pypi/service_identity>. Without the service_identity module and a recent enough pyOpenSSL tosupport it, Twisted can perform only rudimentary TLS client hostnameverification.  Many valid certificate/hostname mappings may be rejected.
  verifyHostname, VerificationError = _selectVerifyImplementation()

** (deluge:10605): WARNING **: Trying to register gtype 'WnckWindowState' as enum when in fact it is of type 'GFlags'

** (deluge:10605): WARNING **: Trying to register gtype 'WnckWindowActions' as enum when in fact it is of type 'GFlags'

** (deluge:10605): WARNING **: Trying to register gtype 'WnckWindowMoveResizeMask' as enum when in fact it is of type 'GFlags'

(deluge:10605): GLib-GObject-CRITICAL **: g_object_set_qdata: assertion 'G_IS_OBJECT (object)' failed
and a lot more of those.
I will try to find out about this "service_identity" module.

CC: (none) => herman.viaene

Comment 6 Herman Viaene 2017-05-31 16:39:40 CEST
RPMfind.net tells me that the package "python-service-identity" exists for MGA6; I can't find it for MGA5. Trying to install the mga6 one results (of course) in an abort for unfulfilled dependencies.
Comment 7 Len Lawrence 2017-06-01 23:10:45 CEST
@lewis: not sure what you were wanting in the way of a url; maybe something like this? http://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/iso/cauldron/torrents/Mageia-6-rc-x86_64-DVD.torrent

CC: (none) => tarazed25

Comment 8 Lewis Smith 2017-06-03 09:45:23 CEST
Thanks Len for that link. Just what was needed in the end.

Trying again:
 $ deluge -u web
/usr/lib64/python2.7/site-packages/twisted/internet/_sslverify.py:184: UserWarning: You do not have the service_identity module installed. Please install it from <https://pypi.python.org/pypi/service_identity>. Without the service_identity module and a recent enough pyOpenSSL tosupport it, Twisted can perform only rudimentary TLS client hostnameverification.  Many valid certificate/hostname mappings may be rejected.
  verifyHostname, VerificationError = _selectVerifyImplementation()

Pointing a browser at localhost:8112 displays a correct page, with several buttons greyed; and a login password window. Fortunately this accepts the local user password. Which then pops up a Connection Manager window showing:
- status: offline
- host: 127.0.0.1:58846
Clicking 'Add' pops up an Add Connection dialogue asking for host, port (58846), Username, Password. Accepts (duplicate) localhost, user, PW fields.
I am sure this web interface works if you know how to drive it (same for the GTK UI).

In fact random clicking changed the localhost Connection Manager status to 'online', at which point the main window top buttons became active. I was then able to add the given download, which proceeded as per the GTK UI, alive & kicking. Able to pause & delete it OK. Enough for an OK.

Whiteboard: advisory => advisory MGA5-64-OK

Comment 9 Len Lawrence 2017-06-04 17:53:18 CEST
Trying this out in an i586 virtualbox.

Installed the default package and then updated it.
Ran deluge from the commandline to demonstrate that the interface could be launched then tried
$ deluge -u web
and localhost:8112 in a browser.
The login window comes up but fails on the user password.

Went back to the GTK interface and made sure that Web UI was enabled.
Tried again -> failed.

There is no deluged daemon.  It cannot be enabled and started and does not run by default either.

Have to give up on this.  Maybe it needs real 32-bit hardware.
Comment 10 Herman Viaene 2017-06-05 11:08:17 CEST
With the torrent link Len provides in Comment 7, I get deluge to download OK (deluge command at CLI as normal user)
However as normal user: deluge -u web   gives the "service-identity" error and then just hangs,
and browser at localhost:8112 gives no connection.
There is a deluged command that also hangs like the web command as above (as root) and this does not change the browser issue. But indeed systemctl does not recognize deluged.
In my setup, I see no difference between the deluge and deluge-gtk commands. I wonder if I should.
Enabling WebUI in deluge, gives a sensible site in localhost:8112, but I have no idea which password it wants.
and deluge -u web now returns
[ERROR   ] 10:59:05 auth:329 Login failed (ClientIP 127.0.0.1)
[ERROR   ] 11:02:08 auth:329 Login failed (ClientIP 127.0.0.1)
[ERROR   ] 11:02:19 auth:329 Login failed (ClientIP 127.0.0.1)

[ERROR   ] 11:03:47 auth:329 Login failed (ClientIP 127.0.0.1)
[ERROR   ] 11:03:55 auth:329 Login failed (ClientIP 127.0.0.1)
[ERROR   ] 11:04:02 auth:329 Login failed (ClientIP 127.0.0.1)
I think that all these problems have more to do with my lack of understanding deluge than with genuine problems in the tool.
Comment 11 Lewis Smith 2017-06-05 22:11:33 CEST
@Len Herman: thank you both for your persistence.
See Comment 8 for the Web GUI.
 $ deluge -u web
seems the surest way to start it; I do not think the GTK UI matters here. My normal user password worked for the first pop-up dialogue. Adding [connection] the same localhost/given port/local usr/local password seemed to bring to life the top buttons after which I could add the download URL Len gave, and everything seemed to work correctly. That manoeuvre is probably unnecessary, but it was the only way I could get past the pop-up dialogues.

The main doubt seems to be the authentication issue (comments 5 & 8). Does this matter? Asking Zombie/Atilla for feedback.

If it does not matter, we should validate this because nothing nasty happens, and the thing can be made to run sensibly - if you know how. We all seem to believe it will/does work OK if correctly driven.

Whiteboard: advisory MGA5-64-OK => advisory MGA5-64-OK feedback

Comment 12 David Walser 2017-06-10 14:46:11 CEST
Atilla, please make sure that you are CC'd when you assign a bug to QA.  Lewis needs your feedback on something here.

CC: (none) => tarakbumba

Comment 13 Atilla ÖNTAŞ 2017-06-15 23:03:57 CEST
Sorry for the late reply. I thought bugzilla always adds commenters or assignees to the cc list. Lewis, it's ok for now. The authentication issue comes from deluged not being initialized. But I realized that we missed the systemd services needed to auto start the deluge daemon (deluged). I'm working on that now. Please wait for the update.

Regarding the service_identity warning, it's ok. We don't have that package on Mga 5.
Comment 14 Atilla ÖNTAŞ 2017-06-15 23:30:05 CEST
I updated the deluge package to fix the problems seen here. Now we have the required systemd service files in place. Be sure to start the deluge-daemon service before testing.


Suggested advisory:
========================

Updated deluge package fixes security vulnerability:

The WebUI component in Deluge before 1.3.15 contains a directory traversal vulnerability involving a request in which the name of the render file is not associated with any template file (CVE-2017-9031).

The updated deluge package adds the systemd services required to autostart the deluge daemon and web services. Note that these services are not enabled by default.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9031
http://openwall.com/lists/oss-security/2017/05/18/9
https://www.debian.org/security/2017/dsa-3856
https://bugs.mageia.org/show_bug.cgi?id=20895
========================

Updated packages in core/updates_testing:
========================
deluge-1.3.11-1.3.mga5.noarch.rpm

Source RPMs: 
deluge-1.3.11-1.3.mga5.src.rpm
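The advisory text in Comment 3 and Comment 14 describes a render-file name taken from a request and not tied to any actual template. The block below is an added example written for this page, not Deluge's code or the upstream fix: a generic, hardened lookup for a web UI that renders templates by name, applying the checks a defender wants at that point (bare file name only, containment in the template directory after symlink resolution, and membership in the set of files the directory really holds). The template directory, its files and the probe names are constructed for the demonstration; it is Python 3.

```python
"""Hardened template lookup for a web UI that renders a file by name.

Added example written for this page; it is not Deluge's code or the
upstream fix. It shows the checks a render endpoint should apply to a
user-supplied template name before touching the filesystem. The template
directory, its files and the probe names are constructed for the demo.
"""
import os
import tempfile


class TemplateNotFound(Exception):
    """Raised when a requested name does not map to a known template."""


def resolve_template(template_dir, requested):
    """Return the absolute path of the template named by `requested`.

    Check 1: the name must be a bare file name (no directory part) and
             must not start with '.', so '../x', '/abs/x' and 'sub/x' are
             refused before any path is assembled.
    Check 2: after symlink resolution the candidate must still lie inside
             template_dir (defence in depth should check 1 ever be weakened).
    Check 3: the name must be one of the files the directory actually
             contains, so a render name not associated with any template
             is refused instead of being looked up on disk.
    """
    if not requested or requested != os.path.basename(requested):
        raise TemplateNotFound(requested)
    if requested.startswith("."):
        raise TemplateNotFound(requested)

    root = os.path.realpath(template_dir)
    candidate = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, candidate]) != root:
        raise TemplateNotFound(requested)

    if requested not in os.listdir(root) or not os.path.isfile(candidate):
        raise TemplateNotFound(requested)
    return candidate


def make_demo_template_dir():
    """Create a throwaway directory holding two constructed templates."""
    tmp = tempfile.mkdtemp(prefix="tpl-demo-")
    for name in ("index.html", "login.html"):
        with open(os.path.join(tmp, name), "w") as fh:
            fh.write("<html>%s</html>\n" % name)
    return tmp


# Constructed request names: two legitimate, the rest malformed or unknown.
PROBES = (
    "index.html", "login.html", "missing.html",
    "../outside.html", "/abs/outside.html", "sub/index.html", ".htaccess",
)


def demo(template_dir=None):
    """Resolve each probe against a demo directory; return {name: 'ok' | 'rejected'}."""
    template_dir = template_dir or make_demo_template_dir()
    verdicts = {}
    for name in PROBES:
        try:
            resolve_template(template_dir, name)
            verdicts[name] = "ok"
        except TemplateNotFound:
            verdicts[name] = "rejected"
    return verdicts


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-18s %s" % (name, verdict))
```

The third check is the one that speaks directly to the advisory wording: a name that passes the syntactic and containment checks but is not in the template directory's own listing is still refused, so the lookup never depends on what else happens to exist on disk.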
Comment 15 Rémi Verschelde 2017-08-03 10:16:04 CEST
We forgot to remove the feedback marker - the update candidate is ready for new tests since comment 14.

Whiteboard: advisory MGA5-64-OK feedback => (none)

Comment 16 Herman Viaene 2017-08-10 16:02:44 CEST
MGA5-32 on Asus A6000VM Xfce
No installation issues.
Referring to Comment 14, I checked in MCC for deluge services and found deluge-daemon and deluge-web, both not running.
At CLI as root:
# systemctl start deluge-daemon.service 
# systemctl -l status deluge-daemon.service 
● deluge-daemon.service - Deluge Bittorrent Client Daemon
   Loaded: loaded (/usr/lib/systemd/system/deluge-daemon.service; disabled)
   Active: failed (Result: exit-code) since do 2017-08-10 15:52:10 CEST; 37s ago
  Process: 606 ExecStart=/usr/bin/deluged -d (code=exited, status=217/USER)
 Main PID: 606 (code=exited, status=217/USER)

aug 10 15:52:10 mach6.hviaene.thuis systemd[1]: deluge-daemon.service: main process exited, code=exited, status=217/USER
aug 10 15:52:10 mach6.hviaene.thuis systemd[1]: Unit deluge-daemon.service entered failed state.
aug 10 15:52:10 mach6.hviaene.thuis systemd[1]: deluge-daemon.service failed.

and 

# systemctl start deluge-web
# systemctl status deluge-web
● deluge-web.service - Deluge Bittorrent Client Web Interface
   Loaded: loaded (/usr/lib/systemd/system/deluge-web.service; disabled)
   Active: failed (Result: exit-code) since do 2017-08-10 15:53:33 CEST; 4s ago
  Process: 704 ExecStart=/usr/bin/deluge-web (code=exited, status=217/USER)
 Main PID: 704 (code=exited, status=217/USER)

aug 10 15:53:33 mach6.hviaene.thuis systemd[1]: deluge-web.service: main process exited, code=exited, stat...USER
aug 10 15:53:33 mach6.hviaene.thuis systemd[1]: Unit deluge-web.service entered failed state.
aug 10 15:53:33 mach6.hviaene.thuis systemd[1]: deluge-web.service failed.
Hint: Some lines were ellipsized, use -l to show in full.

try to get more info:
# journalctl -b | grep deluge
aug 10 14:51:28 mach6.hviaene.thuis msec[29515]: -   Added packages : deluge-1.3.11-1.3.mga5
aug 10 14:51:28 mach6.hviaene.thuis msec[29677]: - Removed packages : deluge-1.3.11-1.2.mga5
aug 10 15:52:10 mach6.hviaene.thuis systemd[606]: Failed at step USER spawning /usr/bin/deluged: No such process
aug 10 15:52:10 mach6.hviaene.thuis systemd[1]: deluge-daemon.service: main process exited, code=exited, status=217/USER
aug 10 15:52:10 mach6.hviaene.thuis systemd[1]: Unit deluge-daemon.service entered failed state.
aug 10 15:52:10 mach6.hviaene.thuis systemd[1]: deluge-daemon.service failed.
aug 10 15:53:33 mach6.hviaene.thuis systemd[704]: Failed at step USER spawning /usr/bin/deluge-web: No such process
aug 10 15:53:33 mach6.hviaene.thuis systemd[1]: deluge-web.service: main process exited, code=exited, status=217/USER
aug 10 15:53:33 mach6.hviaene.thuis systemd[1]: Unit deluge-web.service entered failed state.
aug 10 15:53:33 mach6.hviaene.thuis systemd[1]: deluge-web.service failed.
Does not make me any wiser.
Comment 17 Len Lawrence 2017-08-26 00:22:15 CEST
Herman, have you tried 
$ systemctl enable deluge-daemon.service

That disabled looks suspicious.
Comment 18 Herman Viaene 2017-08-26 10:22:53 CEST
# systemctl enable deluge-daemon.service
Created symlink from /etc/systemd/system/multi-user.target.wants/deluge-daemon.service to /usr/lib/systemd/system/deluge-daemon.service.
# systemctl status deluge-daemon.service
● deluge-daemon.service - Deluge Bittorrent Client Daemon
   Loaded: loaded (/usr/lib/systemd/system/deluge-daemon.service; enabled)
   Active: inactive (dead)
# systemctl start deluge-daemon.service
# systemctl status deluge-daemon.service
● deluge-daemon.service - Deluge Bittorrent Client Daemon
   Loaded: loaded (/usr/lib/systemd/system/deluge-daemon.service; enabled)
   Active: failed (Result: exit-code) since za 2017-08-26 10:11:24 CEST; 3s ago
  Process: 6871 ExecStart=/usr/bin/deluged -d (code=exited, status=217/USER)
 Main PID: 6871 (code=exited, status=217/USER)

aug 26 10:11:24 mach6.hviaene.thuis systemd[1]: deluge-daemon.service: main process exited, code=exited, sta...USER
aug 26 10:11:24 mach6.hviaene.thuis systemd[1]: Unit deluge-daemon.service entered failed state.
aug 26 10:11:24 mach6.hviaene.thuis systemd[1]: deluge-daemon.service failed.
Hint: Some lines were ellipsized, use -l to show in full.
# journalctl -b | grep deluge
aug 26 10:11:24 mach6.hviaene.thuis systemd[6871]: Failed at step USER spawning /usr/bin/deluged: No such process
aug 26 10:11:24 mach6.hviaene.thuis systemd[1]: deluge-daemon.service: main process exited, code=exited, status=217/USER
aug 26 10:11:24 mach6.hviaene.thuis systemd[1]: Unit deluge-daemon.service entered failed state.
aug 26 10:11:24 mach6.hviaene.thuis systemd[1]: deluge-daemon.service failed.

I get similar results for deluge-web
Comment 19 Lewis Smith 2017-09-08 11:43:26 CEST
re-Testing M5/64

From Comment 13: "i realized that we missed needed systemd services to auto start deluge daemon (daemon). I'm working on that now."
UPDATED to: deluge-1.3.11-1.3.mga5

To test the daemons, I re-booted. Neither of:
 deluge-daemon
 deluge web
is running, nor marked for starting. In accordance with Comment 14: "Note that these services not enabled by default."
So, either via MCC-System-Services, or
 # systemctl start deluge-daemon
 # systemctl status deluge-daemon
● deluge-daemon.service - Deluge Bittorrent Client Daemon
   Loaded: loaded (/usr/lib/systemd/system/deluge-daemon.service; disabled)
   Active: failed (Result: exit-code) since Gwe 2017-09-08 11:31:52 CEST; 13s ago
  Process: 4109 ExecStart=/usr/bin/deluged -d (code=exited, status=217/USER)
 Main PID: 4109 (code=exited, status=217/USER)
Med 08 11:31:52 localhost.localdomain systemd[1]: deluge-daemon.service: main...
Med 08 11:31:52 localhost.localdomain systemd[1]: Unit deluge-daemon.service ...
Med 08 11:31:52 localhost.localdomain systemd[1]: deluge-daemon.service failed.
Not so good.

 # systemctl start deluge-web
 # systemctl status deluge-web
● deluge-web.service - Deluge Bittorrent Client Web Interface
   Loaded: loaded (/usr/lib/systemd/system/deluge-web.service; disabled)
   Active: failed (Result: exit-code) since Gwe 2017-09-08 11:32:24 CEST; 11s ago
  Process: 4150 ExecStart=/usr/bin/deluge-web (code=exited, status=217/USER)
 Main PID: 4150 (code=exited, status=217/USER)
Med 08 11:32:24 localhost.localdomain systemd[1]: deluge-web.service: main pr...
Med 08 11:32:24 localhost.localdomain systemd[1]: Unit deluge-web.service ent...
Med 08 11:32:24 localhost.localdomain systemd[1]: deluge-web.service failed.
Not so good.

Neither did the 'start' button in MCC-System-Services work for either.
Confirms what Herman found above. Asking for feedback again. Leaving the advisory for the moment.

Keywords: (none) => feedback
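Comments 16, 18 and 19 all end the same way: `status=217/USER` in `systemctl status`, and `Failed at step USER spawning /usr/bin/deluged: No such process` in the journal. That exit status is systemd's code for failing to switch to the account named by `User=` (217) or `Group=` (216) in the unit's `[Service]` section; in practice it means the account does not exist on the host, which is why enabling the unit (Comment 18) changes nothing. The block below is an added example, not part of the bug report or of the Mageia package: a pre-flight check that reads a unit file as text and reports every `User=`/`Group=` value the system databases cannot resolve, before `systemctl start` is tried. The unit texts are constructed; the real deluge-daemon.service is not reproduced here, and whether it names a dedicated account is an assumption.

```python
"""Pre-flight check for the systemd status=217/USER failure.

Added example for this page, not the bug report's or the package's code.
systemd exits a service with 217 (USER) or 216 (GROUP) when it cannot
switch to the account named by User= / Group= in [Service]; the journal
then logs 'Failed at step USER spawning <binary>: No such process'.
The usual cause is that the account was never created on the host.
This script reads a unit file as text and reports any such account that
the system databases cannot resolve. The unit texts are constructed.
"""
import configparser
import grp
import pwd

# Constructed unit text modelled on the ExecStart shown in the bug report.
# That the real unit names a dedicated account is an assumption; a clearly
# non-existent account name is used here on purpose.
UNIT_MISSING_ACCOUNT = """[Unit]
Description=Deluge Bittorrent Client Daemon (constructed example)

[Service]
Type=simple
User=deluge-demo-missing
Group=deluge-demo-missing
ExecStart=/usr/bin/deluged -d

[Install]
WantedBy=multi-user.target
"""

# Same unit, but naming an account every Linux host has.
UNIT_ROOT_ACCOUNT = UNIT_MISSING_ACCOUNT.replace("deluge-demo-missing", "root")


def service_accounts(unit_text):
    """Return (User, Group) from the [Service] section; None where unset."""
    parser = configparser.ConfigParser(
        strict=False,          # systemd allows repeated keys (e.g. ExecStart=)
        interpolation=None,    # '%' specifiers must not be expanded
        delimiters=("=",),     # systemd only uses '=' between key and value
    )
    parser.optionxform = str   # unit keys are case-sensitive
    parser.read_string(unit_text)
    if not parser.has_section("Service"):
        return None, None
    service = parser["Service"]
    # An empty 'User=' resets the setting in systemd, so treat it as unset.
    return service.get("User") or None, service.get("Group") or None


def unresolved_accounts(unit_text):
    """List the User=/Group= values the host cannot resolve, each with the
    exit status systemd would report. An empty list means they all exist."""
    user, group = service_accounts(unit_text)
    problems = []
    if user:
        try:
            pwd.getpwnam(user)
        except KeyError:
            problems.append("User=%s not found (systemd would exit 217/USER)" % user)
    if group:
        try:
            grp.getgrnam(group)
        except KeyError:
            problems.append("Group=%s not found (systemd would exit 216/GROUP)" % group)
    return problems


def demo():
    """Run the check over both constructed units; returns {label: problems}."""
    return {
        "missing-account": unresolved_accounts(UNIT_MISSING_ACCOUNT),
        "root-account": unresolved_accounts(UNIT_ROOT_ACCOUNT),
    }


if __name__ == "__main__":
    for label, problems in demo().items():
        print(label + ":", problems or "ok")
```

On a real host the same check is run by reading the installed unit (for example `/usr/lib/systemd/system/deluge-daemon.service`) into `unresolved_accounts`; the fix for a reported account is a packaging one (create the account in the package's pre-install scriptlet, or drop the `User=` line), not `systemctl enable`.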

