A security issue fixed upstream in deluge has been announced: http://openwall.com/lists/oss-security/2017/05/18/9 The issue was fixed in 1.3.15. The upstream commit that fixed the issue is linked in the message above.
Package : deluge
CVE ID : CVE-2017-7178 CVE-2017-9031

Two vulnerabilities have been discovered in the web interface of the Deluge BitTorrent client (directory traversal and cross-site request forgery).

For the stable distribution (jessie), these problems have been fixed in version 1.3.10-3+deb8u1.

For the unstable distribution (sid), these problems have been fixed in version 1.3.13+git20161130.48cedf63-3.
CC: (none) => zombie_ryushu
The Debian advisory for this from May 18: https://www.debian.org/security/2017/dsa-3856
Thank you for pointing this out. CVE-2017-7178 was fixed in deluge-1.3.11-1.1.mga5. I updated deluge with an added upstream patch to fix CVE-2017-9031.

Suggested advisory:
========================

Updated deluge package fixes security vulnerability:

The WebUI component in Deluge before 1.3.15 contains a directory traversal vulnerability involving a request in which the name of the render file is not associated with any template file (CVE-2017-9031).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9031
http://openwall.com/lists/oss-security/2017/05/18/9
https://www.debian.org/security/2017/dsa-3856
========================

Updated packages in core/updates_testing:
========================
deluge-1.3.11-1.2.mga5.noarch.rpm

Source RPMs:
deluge-1.3.11-1.2.mga5.src.rpm
Assignee: tarakbumba => qa-bugs
CC: (none) => davidwhodgins
Whiteboard: (none) => advisory
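The advisory above describes CVE-2017-9031 as a request whose render-file name is not tied to any template file. As an added illustration (not Deluge's own code; the template names and the temporary directory are constructed), here is the defensive shape of that lookup: the requested name must be a bare file name on an allow-list of known templates, and the resolved path must still sit inside the templates directory.

```python
import os
import tempfile

# Constructed sample templates (hypothetical; not Deluge's real WebUI layout).
TEMPLATES = {"index.html": "<h1>Deluge</h1>", "login.html": "<form></form>"}


def make_template_dir():
    """Create a throwaway directory holding the constructed templates."""
    root = tempfile.mkdtemp(prefix="deluge-tpl-")
    for name, body in TEMPLATES.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    return root


def resolve_template(templates_dir, requested):
    """Return the absolute path of a known template, or None to refuse.

    Two independent checks, so neither is the only line of defence:
    1. the name must be a plain file name (no separators, no '..') and must
       be on the allow-list of templates the UI actually renders;
    2. the real path must still lie inside the templates directory.
    """
    if not isinstance(requested, str) or requested != os.path.basename(requested):
        return None
    if requested in ("", ".", "..") or requested not in TEMPLATES:
        return None
    base = os.path.realpath(templates_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate if os.path.isfile(candidate) else None


def render(templates_dir, requested):
    """Read the template body if the request is allowed; otherwise None."""
    path = resolve_template(templates_dir, requested)
    if path is None:
        return None
    with open(path) as fh:
        return fh.read()
```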
Trying M5_64, deluge updated OK to: deluge-1.3.11-1.2.mga5

Noting that this update is aimed at the *WebUI*, not the normal GTK GUI, I found:
"The web interface enables access to Deluge from your browser.
1. From the GTK UI you can enable the WebUI plugin. [Edit-Preferences-WebUI: Enable and leave the main GTK window open]
2. If running the Deluge daemon deluged it is recommended not use the plugin and instead run the standalone Web UI:
$ deluge -u web
[which gives some warnings]
Then Open the browser at http://localhost:8112"
which shows a page similar to the GTK GUI; which reacts sensibly. So far so good.

I tried adding a torrent quoting the Mageia 5.1 Classic Torrent URL https://www.mageia.org/en/downloads/get/?q=Mageia-5.1-x86_64-DVD.iso&torrent=1 which yielded "not a valid torrent". From the same URL Firefox showed a simpler filename Mageia-5.1-x86_64-DVD.torrent, and a mirror URL. I tried a composite URL: http://ftp.uni-erlangen.de/Mageia-5.1-x86_64-DVD.torrent but that gave 'not found'.

I found that from Firefox one can 'open with Deluge' which starts the GTK GUI, but I could not get the web UI to operate (it displayed OK) in parallel for the download.

If somebody could indicate a valid torrent URL to give directly to the web UI, please do. And perhaps say what you have to do to enable seeding to others?
CC: (none) => lewyssmith
MGA5-32 on Asus A6000VM Xfce
No installation issues.
Starting deluge from CLI gives:
$ deluge
/usr/lib/python2.7/site-packages/twisted/internet/_sslverify.py:184: UserWarning: You do not have the service_identity module installed. Please install it from <https://pypi.python.org/pypi/service_identity>. Without the service_identity module and a recent enough pyOpenSSL to support it, Twisted can perform only rudimentary TLS client hostname verification. Many valid certificate/hostname mappings may be rejected.
  verifyHostname, VerificationError = _selectVerifyImplementation()
** (deluge:10605): WARNING **: Trying to register gtype 'WnckWindowState' as enum when in fact it is of type 'GFlags'
** (deluge:10605): WARNING **: Trying to register gtype 'WnckWindowActions' as enum when in fact it is of type 'GFlags'
** (deluge:10605): WARNING **: Trying to register gtype 'WnckWindowMoveResizeMask' as enum when in fact it is of type 'GFlags'
(deluge:10605): GLib-GObject-CRITICAL **: g_object_set_qdata: assertion 'G_IS_OBJECT (object)' failed
and a lot more of those.
I will try to find out about this "service_identity" module.
CC: (none) => herman.viaene
RPMfind.net tells me that the package "python-service-identity" exists for MGA6, I can't find it for MGA5. Trying to install the mga6 one results (of course) in an abort for unfulfilled dependencies.
@lewis: not sure what you were wanting in the way of a url; maybe something like this? http://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/iso/cauldron/torrents/Mageia-6-rc-x86_64-DVD.torrent
CC: (none) => tarazed25
Thanks Len for that link. Just what was needed in the end.

Trying again:
$ deluge -u web
/usr/lib64/python2.7/site-packages/twisted/internet/_sslverify.py:184: UserWarning: You do not have the service_identity module installed. Please install it from <https://pypi.python.org/pypi/service_identity>. Without the service_identity module and a recent enough pyOpenSSL to support it, Twisted can perform only rudimentary TLS client hostname verification. Many valid certificate/hostname mappings may be rejected.
  verifyHostname, VerificationError = _selectVerifyImplementation()

Pointing a browser at localhost:8112 displays a correct page, with several buttons greyed; and a login password window. Fortunately this accepts the local user password. Which then pops up a Connection Manager window showing:
- status: offline
- host: 127.0.0.1:58846
Clicking 'Add' pops up an Add Connection dialogue asking for host, port (58846), Username, Password. Accepts (duplicate) localhost, user, PW fields.

I am sure this web interface works if you know how to drive it (same for the GTK UI). In fact random clicking changed the localhost Connection Manager status to 'online', at which point the main window top buttons became active. I was then able to add the given download which proceeded as per the GTK UI, alive & kicking. Able to pause & delete it OK.

Enough for an OK.
Whiteboard: advisory => advisory MGA5-64-OK
Trying this out in an i586 virtualbox. Installed the default package and then updated it. Ran deluge from the commandline to demonstrate that the interface could be launched then tried $ deluge -u web and localhost:8112 in a browser. The login window comes up but fails on the user password. Went back to the GTK interface and made sure that Web UI was enabled. Tried again -> failed. There is no deluged daemon. It cannot be enabled and started and does not run by default either. Have to give up on this. Maybe it needs real 32-bit hardware.
With the torrent link Len provides in Comment 7, I get deluge to download OK (deluge command at CLI as normal user).
However as normal user: deluge -u web gives the "service-identity" error and then just hangs, and browser at localhost:8112 gives no connection.
There is a deluged command that also hangs like the web command as above (as root) and this does not change the browser issue. But indeed systemctl does not recognize deluged.
In my setup, I see no difference between the deluge and deluge-gtk commands. I wonder if I should.
Enabling WebUI in deluge gives a sensible site in localhost:8112, but I have no idea which password it wants. And deluge -u web now returns
[ERROR   ] 10:59:05 auth:329 Login failed (ClientIP 127.0.0.1)
[ERROR   ] 11:02:08 auth:329 Login failed (ClientIP 127.0.0.1)
[ERROR   ] 11:02:19 auth:329 Login failed (ClientIP 127.0.0.1)
[ERROR   ] 11:03:47 auth:329 Login failed (ClientIP 127.0.0.1)
[ERROR   ] 11:03:55 auth:329 Login failed (ClientIP 127.0.0.1)
[ERROR   ] 11:04:02 auth:329 Login failed (ClientIP 127.0.0.1)
I think that all these problems have more to do with my lack of understanding deluge than with genuine problems in the tool.
@Len Herman: thank you both for your persistence.

See Comment 8 for the Web GUI. $ deluge -u web seems the surest way to start it; I do not think the GTK UI matters here. My normal user password worked for the first pop-up dialogue. Adding [connection] the same localhost/given port/local usr/local password seemed to bring to life the top buttons after which I could add the download URL Len gave, and everything seemed to work correctly. That manoeuvre is probably unnecessary, but it was the only way I could get past the pop-up dialogues.

The main doubt seems to be the authentication issue (comments 5 & 8). Does this matter? Asking Zombie/Atilla for feedback. If it does not matter, we should validate this because nothing nasty happens, and the thing can be made to run sensibly - if you know how. We all seem to believe it will/does work OK if correctly driven.
Whiteboard: advisory MGA5-64-OK => advisory MGA5-64-OK feedback
Atilla, please make sure that you are CC'd when you assign a bug to QA. Lewis needs your feedback on something here.
CC: (none) => tarakbumba
Sorry for the late reply. I thought bugzilla always adds commenters or assignees to the cc list. Lewis, it's ok for now. The authentication issue comes from deluged not being initialized. But I realized that we missed the needed systemd services to auto start the deluge daemon (deluged). I'm working on that now. Please wait for the update. Regarding the service_identity warning, it's ok. We don't have that package on Mga 5.
I updated the deluge package to fix the problems seen here. Now we have the required systemd service files in place. Be sure to start the deluge-daemon service before testing.

Suggested advisory:
========================

Updated deluge package fixes security vulnerability:

The WebUI component in Deluge before 1.3.15 contains a directory traversal vulnerability involving a request in which the name of the render file is not associated with any template file (CVE-2017-9031).

Updated deluge package adds systemd services required to autostart deluge daemon and web services. Note that these services are not enabled by default.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9031
http://openwall.com/lists/oss-security/2017/05/18/9
https://www.debian.org/security/2017/dsa-3856
https://bugs.mageia.org/show_bug.cgi?id=20895
========================

Updated packages in core/updates_testing:
========================
deluge-1.3.11-1.3.mga5.noarch.rpm

Source RPMs:
deluge-1.3.11-1.3.mga5.src.rpm
We forgot to remove the feedback marker - the update candidate is ready for new tests since comment 14.
Whiteboard: advisory MGA5-64-OK feedback => (none)
MGA5-32 on Asus A6000VM Xfce
No installation issues.
Referring to Comment 14 checked in MCC for deluge services, found deluge-daemon and deluge-web, both not running.
At CLI as root:
# systemctl start deluge-daemon.service
# systemctl -l status deluge-daemon.service
● deluge-daemon.service - Deluge Bittorrent Client Daemon
   Loaded: loaded (/usr/lib/systemd/system/deluge-daemon.service; disabled)
   Active: failed (Result: exit-code) since do 2017-08-10 15:52:10 CEST; 37s ago
  Process: 606 ExecStart=/usr/bin/deluged -d (code=exited, status=217/USER)
 Main PID: 606 (code=exited, status=217/USER)

aug 10 15:52:10 mach6.hviaene.thuis systemd[1]: deluge-daemon.service: main process exited, code=exited, status=217/USER
aug 10 15:52:10 mach6.hviaene.thuis systemd[1]: Unit deluge-daemon.service entered failed state.
aug 10 15:52:10 mach6.hviaene.thuis systemd[1]: deluge-daemon.service failed.
and
# systemctl start deluge-web
# systemctl status deluge-web
● deluge-web.service - Deluge Bittorrent Client Web Interface
   Loaded: loaded (/usr/lib/systemd/system/deluge-web.service; disabled)
   Active: failed (Result: exit-code) since do 2017-08-10 15:53:33 CEST; 4s ago
  Process: 704 ExecStart=/usr/bin/deluge-web (code=exited, status=217/USER)
 Main PID: 704 (code=exited, status=217/USER)

aug 10 15:53:33 mach6.hviaene.thuis systemd[1]: deluge-web.service: main process exited, code=exited, stat...USER
aug 10 15:53:33 mach6.hviaene.thuis systemd[1]: Unit deluge-web.service entered failed state.
aug 10 15:53:33 mach6.hviaene.thuis systemd[1]: deluge-web.service failed.
Hint: Some lines were ellipsized, use -l to show in full.
Try to get more info:
# journalctl -b | grep deluge
aug 10 14:51:28 mach6.hviaene.thuis msec[29515]: - Added packages : deluge-1.3.11-1.3.mga5
aug 10 14:51:28 mach6.hviaene.thuis msec[29677]: - Removed packages : deluge-1.3.11-1.2.mga5
aug 10 15:52:10 mach6.hviaene.thuis systemd[606]: Failed at step USER spawning /usr/bin/deluged: No such process
aug 10 15:52:10 mach6.hviaene.thuis systemd[1]: deluge-daemon.service: main process exited, code=exited, status=217/USER
aug 10 15:52:10 mach6.hviaene.thuis systemd[1]: Unit deluge-daemon.service entered failed state.
aug 10 15:52:10 mach6.hviaene.thuis systemd[1]: deluge-daemon.service failed.
aug 10 15:53:33 mach6.hviaene.thuis systemd[704]: Failed at step USER spawning /usr/bin/deluge-web: No such process
aug 10 15:53:33 mach6.hviaene.thuis systemd[1]: deluge-web.service: main process exited, code=exited, status=217/USER
aug 10 15:53:33 mach6.hviaene.thuis systemd[1]: Unit deluge-web.service entered failed state.
aug 10 15:53:33 mach6.hviaene.thuis systemd[1]: deluge-web.service failed.
Does not make me any wiser.
Herman, have you tried
$ systemctl enable deluge-daemon.service
That disabled looks suspicious.
# systemctl enable deluge-daemon.service
Created symlink from /etc/systemd/system/multi-user.target.wants/deluge-daemon.service to /usr/lib/systemd/system/deluge-daemon.service.
# systemctl status deluge-daemon.service
● deluge-daemon.service - Deluge Bittorrent Client Daemon
   Loaded: loaded (/usr/lib/systemd/system/deluge-daemon.service; enabled)
   Active: inactive (dead)
# systemctl start deluge-daemon.service
# systemctl status deluge-daemon.service
● deluge-daemon.service - Deluge Bittorrent Client Daemon
   Loaded: loaded (/usr/lib/systemd/system/deluge-daemon.service; enabled)
   Active: failed (Result: exit-code) since za 2017-08-26 10:11:24 CEST; 3s ago
  Process: 6871 ExecStart=/usr/bin/deluged -d (code=exited, status=217/USER)
 Main PID: 6871 (code=exited, status=217/USER)

aug 26 10:11:24 mach6.hviaene.thuis systemd[1]: deluge-daemon.service: main process exited, code=exited, sta...USER
aug 26 10:11:24 mach6.hviaene.thuis systemd[1]: Unit deluge-daemon.service entered failed state.
aug 26 10:11:24 mach6.hviaene.thuis systemd[1]: deluge-daemon.service failed.
Hint: Some lines were ellipsized, use -l to show in full.
# journalctl -b | grep deluge
aug 26 10:11:24 mach6.hviaene.thuis systemd[6871]: Failed at step USER spawning /usr/bin/deluged: No such process
aug 26 10:11:24 mach6.hviaene.thuis systemd[1]: deluge-daemon.service: main process exited, code=exited, status=217/USER
aug 26 10:11:24 mach6.hviaene.thuis systemd[1]: Unit deluge-daemon.service entered failed state.
aug 26 10:11:24 mach6.hviaene.thuis systemd[1]: deluge-daemon.service failed.
I get similar results for deluge-web
Re-testing M5/64

From Comment 13: "i realized that we missed needed systemd services to auto start deluge daemon (daemon). I'm working on that now."

UPDATED to: deluge-1.3.11-1.3.mga5

To test the daemons, I re-booted. Neither of:
deluge-daemon
deluge web
is running, nor marked for starting. In accordance with Comment 14: "Note that these services not enabled by default."

So, either via MCC-System-Services, or
# systemctl start deluge-daemon
# systemctl status deluge-daemon
● deluge-daemon.service - Deluge Bittorrent Client Daemon
   Loaded: loaded (/usr/lib/systemd/system/deluge-daemon.service; disabled)
   Active: failed (Result: exit-code) since Gwe 2017-09-08 11:31:52 CEST; 13s ago
  Process: 4109 ExecStart=/usr/bin/deluged -d (code=exited, status=217/USER)
 Main PID: 4109 (code=exited, status=217/USER)

Med 08 11:31:52 localhost.localdomain systemd[1]: deluge-daemon.service: main...
Med 08 11:31:52 localhost.localdomain systemd[1]: Unit deluge-daemon.service ...
Med 08 11:31:52 localhost.localdomain systemd[1]: deluge-daemon.service failed.
Not so good.

# systemctl start deluge-web
# systemctl status deluge-web
● deluge-web.service - Deluge Bittorrent Client Web Interface
   Loaded: loaded (/usr/lib/systemd/system/deluge-web.service; disabled)
   Active: failed (Result: exit-code) since Gwe 2017-09-08 11:32:24 CEST; 11s ago
  Process: 4150 ExecStart=/usr/bin/deluge-web (code=exited, status=217/USER)
 Main PID: 4150 (code=exited, status=217/USER)

Med 08 11:32:24 localhost.localdomain systemd[1]: deluge-web.service: main pr...
Med 08 11:32:24 localhost.localdomain systemd[1]: Unit deluge-web.service ent...
Med 08 11:32:24 localhost.localdomain systemd[1]: deluge-web.service failed.
Not so good.

Neither did the 'start' button in MCC-System-Services work for either.

Confirms what Herman found above. Asking for feedback again. Leaving the advisory for the moment.
Keywords: (none) => feedback
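The three failed-start reports above all show the same signature: status=217/USER together with "Failed at step USER spawning ...: No such process". In systemd, exit status 217 is EXIT_USER, raised when the User= (or, as 216/GROUP, the Group=) named in the unit cannot be resolved on the host, before ExecStart is ever run. As an added example (my own code, not Mageia's packaging; the unit text is constructed and its User=/Group= values are placeholders), here is a small checker that reads a unit's [Service] section and reports the accounts and binary systemd would need to find.

```python
import grp
import os
import pwd

# Constructed unit text modelled on the ExecStart line quoted in the thread.
# The User=/Group= values are hypothetical placeholders, not Mageia's real unit.
SAMPLE_UNIT = """[Unit]
Description=Deluge Bittorrent Client Daemon

[Service]
Type=simple
User=deluge-placeholder
Group=deluge-placeholder
ExecStart=/usr/bin/deluged -d
"""


def parse_service_section(unit_text):
    """Return key -> value for the [Service] section of a unit file."""
    section, values = None, {}
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def account_problems(unit_text):
    """List what would stop systemd before exec: a User= or Group= that
    does not exist on this host, or an ExecStart binary not on disk."""
    svc = parse_service_section(unit_text)
    problems = []
    user, group = svc.get("User"), svc.get("Group")
    if user:
        try:
            pwd.getpwnam(user)
        except KeyError:
            problems.append("User=%s does not exist (status=217/USER)" % user)
    if group:
        try:
            grp.getgrnam(group)
        except KeyError:
            problems.append("Group=%s does not exist (status=216/GROUP)" % group)
    if svc.get("ExecStart"):
        exe = svc["ExecStart"].split()[0].lstrip("-@+!:")  # strip exec prefixes
        if not os.path.exists(exe):
            problems.append("ExecStart binary %s not found" % exe)
    return problems


def current_user_unit():
    """The same unit rewritten for the invoking account: the good case."""
    me = pwd.getpwuid(os.getuid()).pw_name
    fixed = SAMPLE_UNIT.replace("User=deluge-placeholder", "User=" + me)
    try:
        mine = grp.getgrgid(os.getgid()).gr_name
        fixed = fixed.replace("Group=deluge-placeholder", "Group=" + mine)
    except KeyError:  # unnamed gid (some containers): drop the Group= line
        fixed = fixed.replace("Group=deluge-placeholder\n", "")
    return fixed.replace("/usr/bin/deluged -d", "/bin/sh -c true")
```

On a real host, run account_problems over the installed unit (cat /usr/lib/systemd/system/deluge-daemon.service) and compare its User= line with getent passwd; a missing account means the package needs to create it (or ship a sysusers.d fragment) before the service can start.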
$ uname -a
Linux localhost 4.4.92-desktop-1.mga5 #1 SMP Thu Oct 12 20:14:45 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

To satisfy dependencies, the following package(s) also need to be installed:
- geoip-1.6.5-1.mga5.x86_64
- geoip-database-1.6.5-1.mga5.noarch
- gnome-python-gnomevfs-2.28.1-10.mga5.x86_64
- lib64boost_python1.55.0-1.55.0-8.mga5.x86_64
- lib64geoip1-1.6.5-1.mga5.x86_64
- lib64SDL_image1.2_0-1.2.12-8.mga5.x86_64
- lib64SDL_mixer1.2_0-1.2.12-9.mga5.x86_64
- lib64SDL_ttf2.0_0-2.0.11-7.mga5.x86_64
- lib64smpeg0.4_0-0.4.5-7.mga5.x86_64
- lib64torrent-rasterbar7-0.16.18-1.3.mga5.x86_64
- python-beaker-1.6.4-8.mga5.noarch
- python-cffi-1.1.2-1.mga5.x86_64
- python-chardet-2.2.1-4.mga5.noarch
- python-cryptography-1.0.2-1.1.mga5.x86_64
- python-enum34-1.0.4-1.mga5.noarch
- python-idna-2.0-1.mga5.noarch
- python-ipaddress-1.0.15-1.mga5.noarch
- python-libtorrent-rasterbar-0.16.18-1.3.mga5.x86_64
- python-mako-1.0.0-4.mga5.noarch
- python-markupsafe-0.23-6.mga5.x86_64
- python-OpenSSL-0.14-1.mga5.noarch
- python-pkg-resources-3.6-7.mga5.noarch
- python-ply-3.4-9.mga5.noarch
- python-pyasn1-0.1.8-1.mga5.noarch
- python-pycparser-2.10-7.mga5.noarch
- python-pycrypto-2.6.1-6.1.mga5.x86_64
- python-pygame-1.9.1-14.mga5.x86_64
- python-setuptools-3.6-7.mga5.noarch
- python-six-1.7.3-4.mga5.noarch
- python-twisted-core-14.0.0-4.mga5.x86_64
- python-twisted-web-14.0.1-3.1.mga5.x86_64
- python-zope-interface-4.1.1-4.mga5.x86_64
101MB of additional disk space will be used.

$ deluge -u web

I am able to get it connected to a torrent. Note I attached the torrent via the GLI client and then started the web-service. The system seems to be working as it has seeded, downloaded the ISO and is uploading as well.

Seems to be working
CC: (none) => brtians1
I see when I try to run system-ctl I see the same errors. I do the deluge -u web Issue start service, things do run. Strange application.
Went back and tried the prior version.
[brian@localhost ~]$ deluge -v
deluge: 1.3.11
libtorrent: 0.16.18.0

When I do:
$ systemctl enable deluge-daemon.service
(it asks for root password)
Failed to execute operation: No such file or directory
# systemctl start deluge-daemon
Failed to start deluge-daemon.service: Unit deluge-daemon.service failed to load: No such file or directory.

Seems this functionality did not exist in prior version installed.

I was able to load and run torrent from Web on this version as well using $ deluge - u web recommendation, take off the
Whiteboard: (none) => mga5-64-ok
Keywords: feedback => (none)
I've installed 1.3.11.13, same systemd issues reported (which weren't even supported in 1.3.11.11). Web works, regular interface works. SystemD doesn't work.
$ uname -a
Linux localhost 4.4.92-desktop586-1.mga5 #1 SMP Thu Oct 12 19:56:40 UTC 2017 i686 i686 i686 GNU/Linux

Started downloading using both regular and through web version. Both work. Approving 32-bit.
Whiteboard: mga5-64-ok => mga5-64-ok mga5-32-ok
Advisory updated as per comment 14; validating.
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2017-0449.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED