Date: Mon, 11 Feb 2013 08:47:29 -0500 (EST)
From: Jan Lieskovsky <>
Cc: Josselin Mouette <>
Subject: Re: CVE request: Transmission can be made to crash

Hello Yves-Alexis,

  to follow up on this one. The source of the issue
seems to be the underlying libutp code:

more specifically the way libutp (previously) handled
selective acknowledgements, which resulted in the following two
(libutp) patches:

Transmission upstream corrected this issue in v2.74:

with the following patch:

Ad assigning CVE ids - I think one CVE id is enough.
The problem is in libutp code, and Transmission upstream
seems to commit their own change only due to libutp

Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team

P.S.: All the links from above at one place are at:

----- Original Message -----
On Sun, 2013-02-10 at 11:50 +0100, Josselin Mouette wrote:
> Package: transmission-daemon
> Version: 2.52-3
> Severity: grave
> Tags: security patch upstream
> Justification: user security hole
> The transmission-daemon package in wheezy crashes regularly. According 
> to upstream this is a remote security hole (at least a remote DoS, but 
> most probably there is a way to take control of the process).
> Apparently there is no CVE assigned. The bug is fixed upstream and I’m 
> attaching the patch. I’m currently testing a patched package, and will 
> report whether the fix is sufficient.
> Could a CVE be assigned for this?
> Thanks in advance,
> -- 
> Yves-Alexis
