Date: Mon, 11 Feb 2013 08:47:29 -0500 (EST)
From: Jan Lieskovsky <jlieskov@...hat.com>
To: oss-security@...ts.openwall.com
Cc: Josselin Mouette <joss@...ian.org>
Subject: Re: CVE request: Transmission can be made to crash remotely

Hello Yves-Alexis,

  to follow up on this one. The source of the issue seems to be the underlying
libutp code:
  https://trac.transmissionbt.com/ticket/5002#comment:22

more specifically the way libutp (previously) handled selective
acknowledgements, which resulted in the following two (libutp) patches:
  https://github.com/bittorrent/libutp/issues/38
  https://github.com/bittorrent/libutp/issues/37

Transmission upstream corrected this issue in v2.74:
  https://trac.transmissionbt.com/query?milestone=2.74&group=component&order=severity

with the following patch:
  https://trac.transmissionbt.com/changeset/13646

Ad assigning CVE ids - I think one CVE id is enough. The problem is in
the libutp code, and Transmission upstream seems to have committed their own
change only due to libutp (un)responsiveness:
  https://trac.transmissionbt.com/ticket/5002#comment:32

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

P.S.: All the links from above in one place are at:
  https://bugzilla.redhat.com/show_bug.cgi?id=909934

----- Original Message -----
On dim., 2013-02-10 at 11:50 +0100, Josselin Mouette wrote:
> Package: transmission-daemon
> Version: 2.52-3
> Severity: grave
> Tags: security patch upstream
> Justification: user security hole
>
> The transmission-daemon package in wheezy crashes regularly. According
> to upstream this is a remote security hole (at least a remote DoS, but
> most probably there is a way to take control of the process).
>
> https://trac.transmissionbt.com/ticket/5044
> https://trac.transmissionbt.com/ticket/5002
>
> Apparently there is no CVE assigned. The bug is fixed upstream and I’m
> attaching the patch. I’m currently testing a patched package, and will
> report whether the fix is sufficient.
>
> Could a CVE be assigned for this?
>
> Thanks in advance,
> --
> Yves-Alexis