Bug 7590 - transmission - new security issue CVE-2012-4037
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: All Linux
Priority: Normal Severity: major
Target Milestone: ---
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/517656/
Whiteboard: MGA2-32-OK MGA2-64-OK
Keywords: validated_update
 
Reported: 2012-09-26 20:18 CEST by David Walser
Modified: 2012-10-29 18:40 CET

Source RPM: transmission-2.51-1.1.mga2.src.rpm


Attachments
used torrent-file for testing (274 bytes, application/x-bittorrent)
2012-10-08 21:51 CEST, Marc Lattemann

Description David Walser 2012-09-26 20:18:35 CEST
Ubuntu has issued an advisory today (September 26):
http://www.ubuntu.com/usn/usn-1584-1/

According to the CVE entry, it's fixed upstream in 2.61, which is in Cauldron.

Ubuntu should have a patch for 2.51, which we have in Mageia 2.

Ubuntu wasn't able to reproduce the issue with 2.33 and 2.13, so Mageia 1 may not be affected.
Comment 1 Damien Lallement 2012-10-08 18:28:15 CEST
Package available in core/updates_testing.
Comment 2 David Walser 2012-10-08 18:38:29 CEST
Thanks Damien!

Advisory:
========================

Updated transmission packages fix security vulnerability:

Multiple cross-site scripting (XSS) vulnerabilities in the web client in
Transmission before 2.61 allow remote attackers to inject arbitrary web
script or HTML via the (1) comment, (2) created by, or (3) name field in a
torrent file (CVE-2012-4037).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4037
http://www.ubuntu.com/usn/usn-1584-1/
========================

Updated packages in core/updates_testing:
========================
transmission-common-2.51-1.1.mga2
transmission-cli-2.51-1.1.mga2
transmission-gtk-2.51-1.1.mga2
transmission-qt4-2.51-1.1.mga2
transmission-daemon-2.51-1.1.mga2

from transmission-2.51-1.1.mga2.src.rpm
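
Added example (not part of the bug thread, and not Transmission or Mageia code): a QA-side check that decodes a .torrent file and reports which of the three fields named in the advisory (comment, created by, name) contain HTML-significant characters, together with the HTML-escaped form that renders as inert text. The helper names `bdecode` and `audit_torrent` and the sample torrent are constructed for this illustration.

```python
import html

MARKUP_CHARS = set("<>&\"'")  # characters that matter when text is placed into HTML

def bdecode(data, i=0):
    """Minimal bencode decoder (hypothetical helper). Returns (value, next_offset)."""
    c = data[i:i + 1]
    if c == b"i":                                   # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):                           # list or dict, closed by 'e'
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            value, i = bdecode(data, i)             # raises on truncated input
            items.append(value)
        if c == b"l":
            return items, i + 1
        return dict(zip(items[0::2], items[1::2])), i + 1
    if c.isdigit():                                 # byte string: <length>:<bytes>
        colon = data.index(b":", i)
        start = colon + 1
        end = start + int(data[i:colon])
        if end > len(data):
            raise ValueError("truncated byte string")
        return data[start:end], end
    raise ValueError(f"invalid bencode at offset {i}")

def audit_torrent(raw):
    """Map each advisory field holding markup characters to its HTML-escaped text."""
    meta, _ = bdecode(raw)
    if not isinstance(meta, dict):
        raise ValueError("top-level value is not a dictionary")
    info = meta.get(b"info")
    fields = {
        "comment": meta.get(b"comment"),
        "created by": meta.get(b"created by"),
        "name": info.get(b"name") if isinstance(info, dict) else None,
    }
    findings = {}
    for label, value in fields.items():
        if isinstance(value, bytes):
            text = value.decode("utf-8", "replace")
            if MARKUP_CHARS & set(text):
                findings[label] = html.escape(text, quote=True)
    return findings

# Constructed sample torrent: harmless markup in "comment", dummy 20-byte piece hash.
SAMPLE = (b"d7:comment11:<i>test</i>10:created by7:qa-tool4:infod6:lengthi1e"
          b"4:name8:file.txt12:piece lengthi16384e6:pieces20:" + b"\x00" * 20 + b"ee")

if __name__ == "__main__":
    for field, escaped in audit_torrent(SAMPLE).items():
        print(f"{field}: contains markup, escaped form: {escaped}")
```

If the web client shows the escaped text literally instead of applying the formatting, the field is being treated as text rather than HTML.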
Comment 3 Marc Lattemann 2012-10-08 19:15:27 CEST
PoC: http://archives.neohapsis.com/archives/fulldisclosure/2012-07/0349.html

Will try to test on x86_64
Comment 4 Marc Lattemann 2012-10-08 21:37:55 CEST
The packages in Core Updates already have version 2.51-1.1. The subrel needs to be updated?
However, using the PoC from Comment #3 (the torrents there are not working, but I've created ones with xss-code in the comment section), the packages from Updates_testing do not show the vulnerability anymore.
Tested x86_64 and i586 for mga2.
Comment 5 Marc Lattemann 2012-10-08 21:51:56 CEST
Created attachment 2935
used torrent-file for testing

I've uploaded the test-file I used.
Comment 6 Marc Lattemann 2012-10-08 22:04:53 CEST
Testing on mga1 reveals that the bug is also valid for mga1 (version 2.22-1.1 from i586) using the attached test-file.
Comment 7 Damien Lallement 2012-10-09 14:24:46 CEST
(In reply to comment #4)
> The packages in Core Updates already have version 2.51-1.1. The subrel needs
> to be updated?

Thank you, new package available: transmission-2.51-1.2.mga2
transmission-common-2.51-1.2.mga2
transmission-cli-2.51-1.2.mga2
transmission-gtk-2.51-1.2.mga2
transmission-qt4-2.51-1.2.mga2
transmission-daemon-2.51-1.2.mga2

from transmission-2.51-1.2.mga2.src.rpm
Comment 8 Marc Lattemann 2012-10-09 15:49:20 CEST
Updated packages worked as expected on i586 and x86_64.

The update could be validated at least for mga2. But what should be done with mga1? Should a new bug be opened for it?
Comment 9 David Walser 2012-10-09 16:21:51 CEST
(In reply to comment #8)
> Updated packages worked as expected on i586 and x86_64.
> 
> The update could be validated at least for mga2. But what should be done with
> mga1? Should a new bug be opened for it?

If it is affected, we should try to fix that too before releasing this.
Comment 10 David Walser 2012-10-11 14:28:03 CEST
It looks like backporting the patch is non-trivial.  It might be easier to backport 2.51 to Mageia 1.
Comment 11 David Walser 2012-10-17 13:30:50 CEST
I tried building 2.51 locally on Mageia 1.  If you change the BuildRequires pkgconfig(gtk+3.0) to gtk+2-devel, it will attempt to build against gtk+2, so that's good, but it fails at "CCLD transmission-cli" linking, so I don't know how to fix that.
Comment 12 Damien Lallement 2012-10-29 16:10:32 CET
I will open another bug for Mageia 1 as I need to investigate this issue.
Reassigning to QA.
Comment 13 David Walser 2012-10-29 16:13:04 CET
Thanks.  Please CC me on the new bug.

This one can be validated with the following advisory.

Advisory:
========================

Updated transmission packages fix security vulnerability:

Multiple cross-site scripting (XSS) vulnerabilities in the web client in
Transmission before 2.61 allow remote attackers to inject arbitrary web
script or HTML via the (1) comment, (2) created by, or (3) name field in a
torrent file (CVE-2012-4037).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4037
http://www.ubuntu.com/usn/usn-1584-1/
========================

Updated packages in core/updates_testing:
========================
transmission-common-2.51-1.2.mga2
transmission-cli-2.51-1.2.mga2
transmission-gtk-2.51-1.2.mga2
transmission-qt4-2.51-1.2.mga2
transmission-daemon-2.51-1.2.mga2

from transmission-2.51-1.2.mga2.src.rpm
Comment 14 claire robinson 2012-10-29 18:20:45 CET
Thank you.

Validating (mga2 only)

See comment 13 for advisory and srpm

Could sysadmin please push from core/updates_testing to core/updates

This bug can then be closed.

Thanks!
Comment 15 Thomas Backlund 2012-10-29 18:40:04 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0314
