Ubuntu has issued an advisory today (September 26):
http://www.ubuntu.com/usn/usn-1584-1/

According to the CVE entry, it's fixed upstream in 2.61, which is in Cauldron.

Ubuntu should have a patch for 2.51, which we have in Mageia 2.

Ubuntu wasn't able to reproduce the issue with 2.33 and 2.13, so Mageia 1 may not be affected.
CC: (none) => olav
Package available in core/updates_testing.
Status: NEW => ASSIGNED
Hardware: i586 => All
Assignee: mageia => qa-bugs
Summary: transmission new security issue CVE-2012-4037 => [Update Request] transmission - new security issue CVE-2012-4037
Source RPM: transmission-2.51-1.mga2.src.rpm => transmission-2.51-1.1.mga2.src.rpm
Thanks Damien!

Advisory:
========================

Updated transmission packages fix security vulnerability:

Multiple cross-site scripting (XSS) vulnerabilities in the web client in Transmission before 2.61 allow remote attackers to inject arbitrary web script or HTML via the (1) comment, (2) created by, or (3) name field in a torrent file (CVE-2012-4037).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4037
http://www.ubuntu.com/usn/usn-1584-1/
========================

Updated packages in core/updates_testing:
========================
transmission-common-2.51-1.1.mga2
transmission-cli-2.51-1.1.mga2
transmission-gtk-2.51-1.1.mga2
transmission-qt4-2.51-1.1.mga2
transmission-daemon-2.51-1.1.mga2

from transmission-2.51-1.1.mga2.src.rpm
PoC: http://archives.neohapsis.com/archives/fulldisclosure/2012-07/0349.html

Will try to test on x86_64.
CC: (none) => marc.lattemann
The packages in Core Updates have already version 2.51-1.1. The subrel needs to be updated?

However, using the PoC from Comment #3 (the torrents there are not working, but I've created ones with xss-code in the comment section), the packages from Updates_testing do not show the vulnerability anymore.

Tested x86_64 and i586 for mga2.
Created attachment 2935
used torrent-file for testing

I've uploaded the test-file I used.
Testing on mga1 reveals that the bug is also valid for mga1 (version 2.22-1.1 from i586) using the attached test-file.
CC: (none) => wassi
Whiteboard: (none) => MGA1TOO MGA2-32-OK MGA2-64-OK
(In reply to comment #4)
> The packages in Core Updates have already version 2.51-1.1. The subrel needs
> to be updated?

Thank you, new package available:

transmission-2.51-1.2.mga2
transmission-common-2.51-1.2.mga2
transmission-cli-2.51-1.2.mga2
transmission-gtk-2.51-1.2.mga2
transmission-qt4-2.51-1.2.mga2
transmission-daemon-2.51-1.2.mga2

from transmission-2.51-1.2.mga2.src.rpm
CC: (none) => mageia
Updated packages worked as expected on i586 and x86_64.

The update could be validated at least for mga2. But what should be done with mga1? Should there be opened a new bug for it?
(In reply to comment #8)
> Updated packages worked as expected on i586 and x86_64.
>
> The update could be validated at least for mga2. But what should be done with
> mga1? Should there be opened a new bug for it?

If it is affected, we should try to fix that too before releasing this.
It looks like backporting the patch is non-trivial. It might be easier to backport 2.51 to Mageia 1.
CC: (none) => qa-bugs
Assignee: qa-bugs => mageia
Summary: [Update Request] transmission - new security issue CVE-2012-4037 => transmission - new security issue CVE-2012-4037
I tried building 2.51 locally on Mageia 1. If you change the BuildRequires pkgconfig(gtk+3.0) to gtk+2-devel, it will attempt to build against gtk+2, so that's good, but it fails at "CCLD transmission-cli" linking, so I don't know how to fix that.
I will open another bug for Mageia 1 as I need to investigate this issue. Reassigning to QA.
Assignee: mageia => qa-bugs
Whiteboard: MGA1TOO MGA2-32-OK MGA2-64-OK => MGA2-32-OK MGA2-64-OK
Thanks. Please CC me on the new bug.

This one can be validated with the following advisory.

Advisory:
========================

Updated transmission packages fix security vulnerability:

Multiple cross-site scripting (XSS) vulnerabilities in the web client in Transmission before 2.61 allow remote attackers to inject arbitrary web script or HTML via the (1) comment, (2) created by, or (3) name field in a torrent file (CVE-2012-4037).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4037
http://www.ubuntu.com/usn/usn-1584-1/
========================

Updated packages in core/updates_testing:
========================
transmission-common-2.51-1.2.mga2
transmission-cli-2.51-1.2.mga2
transmission-gtk-2.51-1.2.mga2
transmission-qt4-2.51-1.2.mga2
transmission-daemon-2.51-1.2.mga2

from transmission-2.51-1.2.mga2.src.rpm
Thank you.

Validating (mga2 only).

See comment 13 for advisory and srpm.

Could sysadmin please push from core/updates_testing to core/updates?

This bug can then be closed.

Thanks!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0314
Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED