Bug 26656 - transmission new security issue CVE-2018-10756
Summary: transmission new security issue CVE-2018-10756
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2020-05-21 00:36 CEST by David Walser
Modified: 2020-05-27 11:54 CEST (History)
7 users (show)

See Also:
Source RPM: transmission-2.94-6.mga8.src.rpm
Status comment:


Description David Walser 2020-05-21 00:36:49 CEST
Fedora has issued an advisory today (May 20):

The issue is fixed upstream in 3.00.

Fedora backported a patch to 2.94:

Mageia 7 is also affected.
David Walser 2020-05-21 00:37:09 CEST

Whiteboard: (none) => MGA7TOO
Status comment: (none) => Patch available from Fedora

Comment 1 David GEIGER 2020-05-21 07:33:30 CEST
Done for both Cauldron and mga7!
Comment 2 David Walser 2020-05-21 14:29:09 CEST

Updated transmission packages fix security vulnerability:

Use-after-free in libtransmission/variant.c in Transmission before 3.00 allows
remote attackers to cause a denial of service (crash) or possibly execute
arbitrary code via a crafted torrent file (CVE-2018-10756).


Updated packages in core/updates_testing:

from transmission-2.94-4.1.mga7.src.rpm

Status comment: Patch available from Fedora => (none)
Assignee: geiger.david68210 => qa-bugs
Version: Cauldron => 7
CC: (none) => geiger.david68210
Whiteboard: MGA7TOO => (none)

Comment 3 Shlomi Fish 2020-05-21 15:33:15 CEST
CheeseEBoi reports that the update worked for him on mageia 7 x64:

<CheeseEBoi> rindolf: hey so I'm trying to see about doing some QA for the rcent transmission updates but I don't have access to the whiteboard of the bug. Am I missing something here?
<rindolf> CheeseEBoi: hi
<rindolf> CheeseEBoi: it may require bugzilla privileges
<CheeseEBoi> rindolf: yeah that's what I thought
<CheeseEBoi> rindolf: but it is still a requirement for graduation, so how do I get them?
<rindolf> CheeseEBoi: we can do it for you
<CheeseEBoi> rindolf: oh okay. So what should I do for that? To give some info, the update installed correctly and I did a test torrent and everything seemed fine.
<rindolf> CheeseEBoi: ah
<rindolf> CheeseEBoi: what is the bug url?
<CheeseEBoi> rindolf: https://bugs.mageia.org/show_bug.cgi?id=26656
<CheeseEBoi> rindolf: I can comment all that info too, I guess
<CheeseEBoi> rindolf: but I cannot add MGA7-64-OK to the whiteboard

CC: (none) => shlomif
Whiteboard: (none) => MGA7-64-OK

Elliot L 2020-05-21 15:40:44 CEST

CC: (none) => CheeseEBoi

Comment 4 Thomas Andrews 2020-05-26 03:30:34 CEST
Validating. Advisory in Comment 2.

CheesEBoi, we'll see if we can get you those editing privileges. QA needs all the help we can get!

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 5 Dave Hodgins 2020-05-26 07:49:11 CEST
Editing privileges granted for Elliot. Thanks for helping out.

CC: (none) => davidwhodgins

Comment 6 Elliot L 2020-05-26 15:07:40 CEST
Thank you both!
Nicolas Lécureuil 2020-05-27 11:15:51 CEST

CC: (none) => mageia
Keywords: (none) => advisory

Comment 7 Mageia Robot 2020-05-27 11:54:05 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.