Bug 20895 - deluge new security issue CVE-2017-9031
Summary: deluge new security issue CVE-2017-9031
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All / OS: Linux
Priority: Normal / Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: advisory MGA5-64-OK feedback
Keywords:
Depends on:
Blocks:
 
Reported: 2017-05-20 12:29 CEST by David Walser
Modified: 2017-06-15 23:30 CEST

See Also:
Source RPM: deluge-1.3.11-1.1.mga5.src.rpm
CVE:
Status comment:


Description David Walser 2017-05-20 12:29:27 CEST
A security issue fixed upstream in deluge has been announced:
http://openwall.com/lists/oss-security/2017/05/18/9

The issue was fixed in 1.3.15.  The upstream commit that fixed the issue is linked in the message above.
Comment 1 Zombie Ryushu 2017-05-20 13:34:43 CEST
Package        : deluge
CVE ID         : CVE-2017-7178 CVE-2017-9031

Two vulnerabilities have been discovered in the web interface of the
Deluge BitTorrent client (directory traversal and cross-site request
forgery).

For the stable distribution (jessie), these problems have been fixed in
version 1.3.10-3+deb8u1.

For the unstable distribution (sid), these problems have been fixed in
version 1.3.13+git20161130.48cedf63-3.
Comment 2 David Walser 2017-05-20 22:24:11 CEST
The Debian advisory for this from May 18:
https://www.debian.org/security/2017/dsa-3856
Comment 3 Atilla ÖNTAŞ 2017-05-21 20:20:54 CEST
Thank you for pointing this out. CVE-2017-7178 was fixed in deluge-1.3.11-1.1.mga5. I updated deluge with the added upstream patch to fix CVE-2017-9031.

Suggested advisory:
========================

Updated deluge package fixes security vulnerability:

The WebUI component in Deluge before 1.3.15 contains a directory traversal vulnerability involving a request in which the name of the render file is not associated with any template file (CVE-2017-9031).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9031
http://openwall.com/lists/oss-security/2017/05/18/9
https://www.debian.org/security/2017/dsa-3856
========================

Updated packages in core/updates_testing:
========================
deluge-1.3.11-1.2.mga5.noarch.rpm

Source RPMs: 
deluge-1.3.11-1.2.mga5.src.rpm
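The advisory above describes the flaw as a render request whose file name is not tied to any template file. The following Python 3 snippet is an added illustration of the defensive pattern that closes that class of bug, written for this page; it is not Deluge's own code (which is Python 2) and not the upstream patch. The template directory, file names and the `resolve_render_file`/`render` helpers are all constructed for the demo.

```python
"""Allowlist-based lookup of a user-supplied render name (added example)."""
import os
import tempfile
from pathlib import Path


class TemplateNotFound(Exception):
    """Raised when a requested render name does not map to a known template."""


def build_demo_templates():
    """Create a throwaway directory tree with constructed sample files.

    Layout (all hypothetical):
        <root>/templates/index.html   - renderable
        <root>/templates/login.html   - renderable
        <root>/templates/notes.txt    - not a template, must not be rendered
        <root>/secret.txt             - outside the template dir
    Returns the templates directory.
    """
    root = Path(tempfile.mkdtemp(prefix="webui-demo-"))
    templates = root / "templates"
    templates.mkdir()
    (templates / "index.html").write_text("<h1>index</h1>\n")
    (templates / "login.html").write_text("<form>login</form>\n")
    (templates / "notes.txt").write_text("not a template\n")
    (root / "secret.txt").write_text("outside the template directory\n")
    return templates


def known_templates(template_dir):
    """The allowlist: names of regular .html files directly inside template_dir."""
    template_dir = Path(template_dir)
    return {p.name for p in template_dir.iterdir()
            if p.is_file() and p.suffix == ".html"}


def resolve_render_file(name, template_dir):
    """Map a render name to a template path or raise TemplateNotFound.

    Three independent checks, so no single one has to be perfect:
      1. the name must be a bare file name (no directory components);
      2. the name must be in the allowlist built from the directory listing;
      3. the resolved path must still sit directly inside template_dir
         after symlink resolution.
    """
    template_dir = Path(template_dir).resolve()
    if not name or name != os.path.basename(name) or name in (".", ".."):
        raise TemplateNotFound(name)
    if name not in known_templates(template_dir):
        raise TemplateNotFound(name)
    candidate = (template_dir / name).resolve()
    if candidate.parent != template_dir:
        raise TemplateNotFound(name)
    return candidate


def render(name, template_dir):
    """Return the template text for name, or None when the lookup is refused."""
    try:
        return resolve_render_file(name, template_dir).read_text()
    except TemplateNotFound:
        return None


if __name__ == "__main__":
    demo = build_demo_templates()
    for requested in ("index.html", "notes.txt", "../secret.txt", "missing.html"):
        status = "rendered" if render(requested, demo) is not None else "refused"
        print(f"{requested!r}: {status}")
```

The point of the allowlist is that the server decides up front which names are renderable by listing its own template directory; the request can only select among those names, never name a file of its own. The final `parent` check is a belt-and-braces guard in case a listed name is a symlink pointing elsewhere.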
Comment 4 Lewis Smith 2017-05-30 22:32:54 CEST
Trying M5_64, deluge updated OK to: deluge-1.3.11-1.2.mga5

Noting that this update is aimed at the *WebUI*, not the normal GTK GUI, I found:

"The web interface enables access to Deluge from your browser. 
1. From the GTK UI you can enable the WebUI plugin.
[Edit-Preferences-WebUI: Enable, and leave the main GTK window open]
2. If running the Deluge daemon deluged it is recommended not to use the plugin and instead run the standalone Web UI:
 $ deluge -u web         [which gives some warnings]
Then
 Open the browser at http://localhost:8112"
which shows a page similar to the GTK GUI; which reacts sensibly. So far so good.

I tried adding a torrent quoting the Mageia 5.1 Classic Torrent URL
 https://www.mageia.org/en/downloads/get/?q=Mageia-5.1-x86_64-DVD.iso&torrent=1
which yielded "not a valid torrent". From the same URL Firefox showed a simpler filename Mageia-5.1-x86_64-DVD.torrent, and a mirror URL. I tried a composite URL:
 http://ftp.uni-erlangen.de/Mageia-5.1-x86_64-DVD.torrent
but that gave 'not found'. I found that from Firefox one can 'open with Deluge' which starts the GTK GUI, but I could not get the web UI to operate (it displayed OK) in parallel for the download.

If somebody could indicate a valid torrent URL to give directly to the web UI, please do. And perhaps say what you have to do to enable seeding to others?
Comment 5 Herman Viaene 2017-05-31 16:25:09 CEST
MGA5-32 on Asus A6000VM Xfce
No installation issues.
Starting deluge from CLI gives:
$ deluge
/usr/lib/python2.7/site-packages/twisted/internet/_sslverify.py:184: UserWarning: You do not have the service_identity module installed. Please install it from <https://pypi.python.org/pypi/service_identity>. Without the service_identity module and a recent enough pyOpenSSL tosupport it, Twisted can perform only rudimentary TLS client hostnameverification.  Many valid certificate/hostname mappings may be rejected.
  verifyHostname, VerificationError = _selectVerifyImplementation()

** (deluge:10605): WARNING **: Trying to register gtype 'WnckWindowState' as enum when in fact it is of type 'GFlags'

** (deluge:10605): WARNING **: Trying to register gtype 'WnckWindowActions' as enum when in fact it is of type 'GFlags'

** (deluge:10605): WARNING **: Trying to register gtype 'WnckWindowMoveResizeMask' as enum when in fact it is of type 'GFlags'

(deluge:10605): GLib-GObject-CRITICAL **: g_object_set_qdata: assertion 'G_IS_OBJECT (object)' failed
and a lot more of those.
I will try to find out about this "service_identity" module.
Comment 6 Herman Viaene 2017-05-31 16:39:40 CEST
RPMfind.net tells me that the package "python-service-identity" exists for MGA6; I can't find it for MGA5. Trying to install the mga6 one results (of course) in an abort for unfulfilled dependencies.
Comment 7 Len Lawrence 2017-06-01 23:10:45 CEST
@lewis: not sure what you were wanting in the way of a url; maybe something like this? http://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/iso/cauldron/torrents/Mageia-6-rc-x86_64-DVD.torrent
Comment 8 Lewis Smith 2017-06-03 09:45:23 CEST
Thanks Len for that link. Just what was needed in the end.

Trying again:
 $ deluge -u web
/usr/lib64/python2.7/site-packages/twisted/internet/_sslverify.py:184: UserWarning: You do not have the service_identity module installed. Please install it from <https://pypi.python.org/pypi/service_identity>. Without the service_identity module and a recent enough pyOpenSSL tosupport it, Twisted can perform only rudimentary TLS client hostnameverification.  Many valid certificate/hostname mappings may be rejected.
  verifyHostname, VerificationError = _selectVerifyImplementation()

Pointing a browser at localhost:8112 displays a correct page, with several buttons greyed, and a login password window. Fortunately this accepts the local user password, which then pops up a Connection Manager window showing:
- status: offline
- host: 127.0.0.1:58846
Clicking 'Add' pops up an Add Connection dialogue asking for host, port (58846), Username, Password. Accepts (duplicate) localhost, user, PW fields.
I am sure this web interface works if you know how to drive it (same for the GTK UI).

In fact random clicking changed the localhost Connection Manager status to 'online', at which point the main window top buttons became active. I was then able to add the given download, which proceeded as per the GTK UI, alive & kicking. Able to pause & delete it OK. Enough for an OK.
Comment 9 Len Lawrence 2017-06-04 17:53:18 CEST
Trying this out in an i586 virtualbox.

Installed the default package and then updated it.
Ran deluge from the commandline to demonstrate that the interface could be launched then tried
$ deluge -u web
and localhost:8112 in a browser.
The login window comes up but fails on the user password.

Went back to the GTK interface and made sure that Web UI was enabled.
Tried again -> failed.

There is no deluged daemon.  It cannot be enabled and started and does not run by default either.

Have to give up on this.  Maybe it needs real 32-bit hardware.
Comment 10 Herman Viaene 2017-06-05 11:08:17 CEST
With the torrent link Len provides in Comment 7, I get deluge to download OK (deluge command at CLI as normal user).
However as normal user: deluge -u web   gives the "service-identity" error and then just hangs
and browser at localhost:8112 gives no connection.
There is a deluged command that also hangs like the web command as above (as root) and this does not change the browser issue. But indeed systemctl does not recognize deluged.
In my setup, I see no difference between the deluge and deluge-gtk commands. I wonder if I should.
Enabling WebUI in deluge gives a sensible site in localhost:8112, but I have no idea which password it wants.
and deluge -u web now returns
[ERROR   ] 10:59:05 auth:329 Login failed (ClientIP 127.0.0.1)
[ERROR   ] 11:02:08 auth:329 Login failed (ClientIP 127.0.0.1)
[ERROR   ] 11:02:19 auth:329 Login failed (ClientIP 127.0.0.1)

[ERROR   ] 11:03:47 auth:329 Login failed (ClientIP 127.0.0.1)
[ERROR   ] 11:03:55 auth:329 Login failed (ClientIP 127.0.0.1)
[ERROR   ] 11:04:02 auth:329 Login failed (ClientIP 127.0.0.1)
I think that all these problems have more to do with my lack of understanding deluge than with genuine problems in the tool.
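The `auth:329 Login failed (ClientIP ...)` lines in the comment above are what a defender would want to watch on a WebUI that is reachable from more than the loopback interface. The following Python 3 block is an added example written for this page, not Deluge code: it parses that log format, counts failures per client address and flags a burst of failures inside a short window. The sample log is the six lines from the comment plus one constructed line from a documentation-range address (192.0.2.10) and one constructed INFO line that the parser must ignore.

```python
"""Parse Deluge-style WebUI auth failures and flag bursts (added example)."""
import re
from collections import Counter, defaultdict

# Matches the format seen on this bug: "[ERROR   ] 10:59:05 auth:329 Login failed (ClientIP 127.0.0.1)"
LOGIN_FAILED = re.compile(
    r"^\[(?P<level>[A-Z]+)\s*\]\s+(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<where>\S+)\s+"
    r"Login failed \(ClientIP (?P<ip>[0-9A-Fa-f.:]+)\)\s*$"
)

# Sample input: the lines quoted in Comment 10, plus two constructed lines.
SAMPLE_LOG = """[ERROR   ] 10:59:05 auth:329 Login failed (ClientIP 127.0.0.1)
[ERROR   ] 11:02:08 auth:329 Login failed (ClientIP 127.0.0.1)
[ERROR   ] 11:02:19 auth:329 Login failed (ClientIP 127.0.0.1)

[ERROR   ] 11:03:47 auth:329 Login failed (ClientIP 127.0.0.1)
[ERROR   ] 11:03:55 auth:329 Login failed (ClientIP 127.0.0.1)
[ERROR   ] 11:04:02 auth:329 Login failed (ClientIP 127.0.0.1)
[INFO    ] 11:04:10 server:123 Constructed line that must not match
[ERROR   ] 11:05:30 auth:329 Login failed (ClientIP 192.0.2.10)
"""


def to_seconds(hhmmss):
    """'HH:MM:SS' -> seconds since midnight (the log carries no date)."""
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def fmt_seconds(secs):
    """Inverse of to_seconds, for readable report output."""
    return f"{secs // 3600:02d}:{secs % 3600 // 60:02d}:{secs % 60:02d}"


def parse_failures(lines):
    """Return [(ip, 'HH:MM:SS'), ...] for every line that is a login failure."""
    found = []
    for line in lines:
        match = LOGIN_FAILED.match(line)
        if match:
            found.append((match.group("ip"), match.group("time")))
    return found


def failures_by_ip(lines):
    """Count login failures per client address."""
    return Counter(ip for ip, _ in parse_failures(lines))


def detect_bursts(lines, threshold=3, window=60):
    """Flag every run of >= threshold failures from one IP within `window` seconds.

    Returns [(ip, first_time, last_time, count), ...]. Events are consumed once
    they belong to a reported burst, so overlapping runs are reported once.
    """
    events = defaultdict(list)
    for ip, time_str in parse_failures(lines):
        events[ip].append(to_seconds(time_str))

    bursts = []
    for ip, times in events.items():
        times.sort()
        i = 0
        while i < len(times):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                bursts.append((ip, fmt_seconds(times[i]), fmt_seconds(times[j]), j - i + 1))
                i = j + 1
            else:
                i += 1
    return bursts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("failures per IP:", dict(failures_by_ip(lines)))
    for ip, first, last, count in detect_bursts(lines):
        print(f"burst: {count} failures from {ip} between {first} and {last}")
```

With the defaults (three failures in sixty seconds) only the 11:03:47 to 11:04:02 run from 127.0.0.1 is flagged; the earlier two failures at 11:02 are too few, and the lone 192.0.2.10 failure is just counted. On this bug the failures are self-inflicted (deluged not running, see Comment 13), which is exactly why a rule keyed on rate per address, rather than on any single failure, is the useful one.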
Comment 11 Lewis Smith 2017-06-05 22:11:33 CEST
@Len Herman: thank you both for your persistence.
See Comment 8 for the Web GUI.
 $ deluge -u web
seems the surest way to start it; I do not think the GTK UI matters here. My normal user password worked for the first pop-up dialogue. Adding [connection] the same localhost/given port/local usr/local password seemed to bring to life the top buttons after which I could add the download URL Len gave, and everything seemed to work correctly. That manoeuvre is probably unnecessary, but it was the only way I could get past the pop-up dialogues.

The main doubt seems to be the authentication issue (comments 5 & 8). Does this matter? Asking Zombie/Atilla for feedback.

If it does not matter, we should validate this because nothing nasty happens, and the thing can be made to run sensibly - if you know how. We all seem to believe it will/does work OK if correctly driven.
Comment 12 David Walser 2017-06-10 14:46:11 CEST
Atilla, please make sure that you are CC'd when you assign a bug to QA.  Lewis needs your feedback on something here.
Comment 13 Atilla ÖNTAŞ 2017-06-15 23:03:57 CEST
Sorry for the late reply. I thought bugzilla always adds commenters or assignees to the cc list. Lewis, it's ok for now. The authentication issue comes from deluged not being initialized. But I realized that we missed the needed systemd services to auto start the deluge daemon (daemon). I'm working on that now. Please wait for the update.

Regarding the service_identity warning, it's ok. We don't have that package on Mga 5.
Comment 14 Atilla ÖNTAŞ 2017-06-15 23:30:05 CEST
I updated the deluge package to fix the problems seen here. Now we have the required systemd service files in place. Be sure to start the deluge-daemon service before testing.


Suggested advisory:
========================

Updated deluge package fixes security vulnerability:

The WebUI component in Deluge before 1.3.15 contains a directory traversal vulnerability involving a request in which the name of the render file is not associated with any template file (CVE-2017-9031).

The updated deluge package adds the systemd services required to autostart the deluge daemon and web services. Note that these services are not enabled by default.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9031
http://openwall.com/lists/oss-security/2017/05/18/9
https://www.debian.org/security/2017/dsa-3856
https://bugs.mageia.org/show_bug.cgi?id=20895
========================

Updated packages in core/updates_testing:
========================
deluge-1.3.11-1.3.mga5.noarch.rpm

Source RPMs: 
deluge-1.3.11-1.3.mga5.src.rpm
