A security issue fixed upstream in deluge has been announced: http://openwall.com/lists/oss-security/2017/05/18/9 The issue was fixed in 1.3.15. The upstream commit that fixed the issue is linked in the message above.
Package : deluge CVE ID : CVE-2017-7178 CVE-2017-9031 Two vulnerabilities have been discovered in the web interface of the Deluge BitTorrent client (directory traversal and cross-site request forgery). For the stable distribution (jessie), these problems have been fixed in version 1.3.10-3+deb8u1. For the unstable distribution (sid), these problems have been fixed in version 1.3.13+git20161130.48cedf63-3.
The Debian advisory for this from May 18: https://www.debian.org/security/2017/dsa-3856
Thank you pointing out this. CVE-2017-7178 was fixed in deluge-1.3.11-1.1.mga5. I updated deluge with added upstream patch to fix CVE-2017-9031 Suggested advisory: ======================== Updated deluge package fix security vulnerability: The WebUI component in Deluge before 1.3.15 contains a directory traversal vulnerability involving a request in which the name of the render file is not associated with any template file(CVE-2017-9031). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9031 http://openwall.com/lists/oss-security/2017/05/18/9 https://www.debian.org/security/2017/dsa-3856 ======================== Updated packages in core/updates_testing: ======================== deluge-1.3.11-1.2.mga5.noarch.rpm Source RPMs: deluge-1.3.11-1.2.mga5.src.rpm
Trying M5_64, deluge updated OK to: deluge-1.3.11-1.2.mga5 Noting that this update is aimed at the *WebUI*, not the normal GTK GUI, I found: "The web interface enables access to Deluge from your browser. 1. From the GTK UI you can enable the WebUI plugin. [Edit-Preferences-WebUI: Enable and leave the main GTK window open] 2. If running the Deluge daemon deluged it is recommended not use the plugin and instead run the standalone Web UI: $ deluge -u web [which gives some warnings] Then Open the browser at http://localhost:8112" which shows a page similar to the GTK GUI; which reacts sensibly. So far so good. I tried adding a torrent quoting the Mageia 5.1 Classic Torrent URL https://www.mageia.org/en/downloads/get/?q=Mageia-5.1-x86_64-DVD.iso&torrent=1 which yielded "not a valid torrent". From the same URL Firefox showed a simpler filename Mageia-5.1-x86_64-DVD.torrent, and a mirror URL. I tried a composite URL: http://ftp.uni-erlangen.de/Mageia-5.1-x86_64-DVD.torrent but that gave 'not found'. I found that from Firefox one can 'open with Deluge' which starts the GTK GUI, but I could not get the web UI to operate (it displayed OK) in parallel for the download. If somebody could indicate a valid torrent URL to give directly to the web UI, please do. And perhaps say what you have to do to enable seeding to others?
MGA5-32 on Asus A6000VM Xfce No installation issues. Starting deluge from CLI gives: $ deluge /usr/lib/python2.7/site-packages/twisted/internet/_sslverify.py:184: UserWarning: You do not have the service_identity module installed. Please install it from <https://pypi.python.org/pypi/service_identity>. Without the service_identity module and a recent enough pyOpenSSL tosupport it, Twisted can perform only rudimentary TLS client hostnameverification. Many valid certificate/hostname mappings may be rejected. verifyHostname, VerificationError = _selectVerifyImplementation() ** (deluge:10605): WARNING **: Trying to register gtype 'WnckWindowState' as enum when in fact it is of type 'GFlags' ** (deluge:10605): WARNING **: Trying to register gtype 'WnckWindowActions' as enum when in fact it is of type 'GFlags' ** (deluge:10605): WARNING **: Trying to register gtype 'WnckWindowMoveResizeMask' as enum when in fact it is of type 'GFlags' (deluge:10605): GLib-GObject-CRITICAL **: g_object_set_qdata: assertion 'G_IS_OBJECT (object)' failed and a lot more of those. I will try to find out about this "service_identity" module.
RPMfind.net tells me that the package "python-srvice-identity" exists for MGA6, I cann't find it for MGA5. Trying to install the mga6 results (of course) in an abort for unfulfilled dependencies.
@lewis: not sure what you were wanting in the way of a url; maybe something like this? http://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/iso/cauldron/torrents/Mageia-6-rc-x86_64-DVD.torrent
Thanks Len for that link. Just what was needed in the end. Trying again: $ deluge -u web /usr/lib64/python2.7/site-packages/twisted/internet/_sslverify.py:184: UserWarning: You do not have the service_identity module installed. Please install it from <https://pypi.python.org/pypi/service_identity>. Without the service_identity module and a recent enough pyOpenSSL tosupport it, Twisted can perform only rudimentary TLS client hostnameverification. Many valid certificate/hostname mappings may be rejected. verifyHostname, VerificationError = _selectVerifyImplementation() Pointing a browser at localhost:8112 displays a correct page, with several buttons greyed; and a login password window. Fortunately this accepts the local user password. Which then pops up a Connection Manager window showing: - status: offline - host: 127.0.0.1:58846 Clicking 'Add' pops up an Add Connection dialogue asking for host, port (58846), Username, Password. Accepts (duplicate) localhost, user, PW fields. I am sure this web interface works if you know how to drive it (same for the GTK UI). In fact random clicking changed the localhost Connection Manager status to 'online', at which point the main window top buttons became active. I was then able to add the given download which proceded as per the GTK UI, alive & cicking. Able to pause & delete it OK. Enough for an OK.
Trying this out in an i586 virtualbox. Installed the default package and then updated it. Ran deluge from the commandline to demonstrate that the interface could be launched then tried $ deluge -u web and localhost:8112 in a browser. The login window comes up but fails on the user password. Went back to the GTK interface and made sure that Web UI was enabled. Tried again -> failed. There is no deluged daemon. It cannot be enabled and started and does not run by default either. Have to give up on this. Maybe it needs real 32-bit hardware.
With the torrent link Len provides in Comment 7, I get deluge to download OK (deluge command at CLI as normal user) However as normal user: deluge -u web gives the "service-identity" error and the just hangs and browser at localhost:8112 gives no connection. There is a deluged command that also hangs like the web command as above (as root) and this does not change the browser issue. But indeed systemctl does not recognize deluged. In my setup, I see no difference between the deluge and deluge-gtk commands. I wonder if I should. Enabling WebUI in deluge, gives a sensible site in localhost:8112, but I have no idea which password it wants. and deluge -u web now returns [ERROR ] 10:59:05 auth:329 Login failed (ClientIP 127.0.0.1) [ERROR ] 11:02:08 auth:329 Login failed (ClientIP 127.0.0.1) [ERROR ] 11:02:19 auth:329 Login failed (ClientIP 127.0.0.1) [ERROR ] 11:03:47 auth:329 Login failed (ClientIP 127.0.0.1) [ERROR ] 11:03:55 auth:329 Login failed (ClientIP 127.0.0.1) [ERROR ] 11:04:02 auth:329 Login failed (ClientIP 127.0.0.1) I think that all these problems have more to do with my lack of understanding deluge than with genuine problems in the tool.
@Len Herman: thank you both for your persistance. See Comment 8 for the Web GUI. $ deluge -u web seems the surest way to start it; I do not think the GTK UI matters here. My normal user password worked for the first pop-up dialogue. Adding [connection] the same localhost/given port/local usr/local password seemed to bring to life the top buttons after which I could add the download URL Len gave, and everything seemed to work correctly. That manoeuvre is probably unnecessary, but it was the only way I could get past the pop-up dialogues. The main doubt seems to be the authentification issue (comments 5 & 8). Does this matter? Asking Zombie/Atilla for feedback. If it does not matter, we should validate this because nothing nasty happens, and the thing can be made to run sensibly - if you know how. We all seem to believe it will/does work OK if correctly driven.
Atilla, please make sure that you are CC'd when you assign a bug to QA. Lewis needs your feedback on something here.
Sorry for late reply. I thought bugzilla always adds commentors or assignees to cc list. Lewis, it's ok for now. Authentication issue comes from deluged not initialized. But i realized that we missed needed systemd services to auto start deluge daemon (daemon). I'm working on that now.Please wait for update. Regarding to service_identity warning, it's ok. We don't have that package on Mga 5.
I updated deluge package to fix problems seen here. Now we have required systemd service files in place. Be sure that start deluge-daemon service before testing. Suggested advisory: ======================== Updated deluge package fix security vulnerability: The WebUI component in Deluge before 1.3.15 contains a directory traversal vulnerability involving a request in which the name of the render file is not associated with any template file(CVE-2017-9031). Updated deluge package adds systemd services required to autostart deluge daemon and web services. Note that these services not enabled by default. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9031 http://openwall.com/lists/oss-security/2017/05/18/9 https://www.debian.org/security/2017/dsa-3856 https://bugs.mageia.org/show_bug.cgi?id=20895 ======================== Updated packages in core/updates_testing: ======================== deluge-1.3.11-1.3.mga5.noarch.rpm Source RPMs: deluge-1.3.11-1.3.mga5.src.rpm