Date: Thu, 8 Sep 2016 00:22:55 +0200
From: yi <yi@...i.me>
To: oss-security@...ts.openwall.com
Subject: CVE Request : Libtorrent 1.1.0 inflate_gzip denial of service

Hi list,

I recently opened a bug on "Libtorrent 1.1.0" regarding malformed GZIP encoded responses that cause denial of service. For example, an attacker-controlled torrent tracker can crash victim torrent clients by sending malformed GZIP responses.

This bug has been fixed by the maintainer in master and the branch RC_1_1:

https://github.com/arvidn/libtorrent/issues/1021
https://github.com/arvidn/libtorrent/pull/1022

I also tested the bug with two pieces of "Libtorrent based" software: qBittorrent and Deluge. Both of them were affected and crashed on receiving the malformed response.