Debian Bug report logs -
#530255
CVE-2009-1759: Stack-based buffer overflow in the btFiles::BuildFromMI function
Reported by: Giuseppe Iuculano <giuseppe@iuculano.it>
Date: Sat, 23 May 2009 12:00:01 UTC
Severity: serious
Tags: patch, security
Fixed in versions ctorrent/1.3.4-dnh4.2-1.1, ctorrent/1.3.4-dnh4.2-1+lenny1
Done: Nico Golde <nion@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Andrea Veri <bluekuja@ubuntu.com>:
Bug#530255; Package ctorrent.
(Sat, 23 May 2009 12:00:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Giuseppe Iuculano <giuseppe@iuculano.it>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Andrea Veri <bluekuja@ubuntu.com>.
(Sat, 23 May 2009 12:00:05 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: ctorrent
Severity: serious
Tags: security patch
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for ctorrent.
CVE-2009-1759[0]:
| Stack-based buffer overflow in the btFiles::BuildFromMI function
| (trunk/btfiles.cpp) in Enhanced CTorrent (aka dTorrent) 3.3.2 and
| probably earlier, and CTorrent 1.3.4, allows remote attackers to cause
| a denial of service (crash) and possibly execute arbitrary code via a
| Torrent file containing a long path.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1759
http://security-tracker.debian.net/tracker/CVE-2009-1759
Patch: http://dtorrent.svn.sourceforge.net/viewvc/dtorrent/dtorrent/trunk/btfiles.cpp?r1=296&r2=301&view=patch
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkoX4iQACgkQNxpp46476apQSACfZnMhb5D7ovIaEjkDgY+PmMN9
yqsAoJ+5IkruLzc09YpQg0lWXQ30RGiz
=hnC5
-----END PGP SIGNATURE-----
Information forwarded
to debian-bugs-dist@lists.debian.org, Andrea Veri <bluekuja@ubuntu.com>:
Bug#530255; Package ctorrent.
(Fri, 12 Jun 2009 12:30:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Andrea Veri <bluekuja@ubuntu.com>.
(Fri, 12 Jun 2009 12:30:03 GMT) (full text, mbox, link).
Message #10 received at 530255@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi,
* Giuseppe Iuculano <giuseppe@iuculano.it> [2009-05-23 17:03]:
[...]
> CVE-2009-1759[0]:
> | Stack-based buffer overflow in the btFiles::BuildFromMI function
> | (trunk/btfiles.cpp) in Enhanced CTorrent (aka dTorrent) 3.3.2 and
> | probably earlier, and CTorrent 1.3.4, allows remote attackers to cause
> | a denial of service (crash) and possibly execute arbitrary code via a
> | Torrent file containing a long path.
>
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
>
> For further information see:
>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1759
> http://security-tracker.debian.net/tracker/CVE-2009-1759
> Patch: http://dtorrent.svn.sourceforge.net/viewvc/dtorrent/dtorrent/trunk/btfiles.cpp?r1=296&r2=301&view=patch
FWIW, this patch doesn't only fix a buffer overflow but also
a directory traversal vulnerability + it is a patch for
dtorrent.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Andrea Veri <bluekuja@ubuntu.com>:
Bug#530255; Package ctorrent.
(Mon, 15 Jun 2009 17:06:08 GMT) (full text, mbox, link).
Acknowledgement sent
to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Andrea Veri <bluekuja@ubuntu.com>.
(Mon, 15 Jun 2009 17:06:08 GMT) (full text, mbox, link).
Message #15 received at 530255@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi,
* Nico Golde <nion@debian.org> [2009-06-12 15:07]:
> Hi,
> * Giuseppe Iuculano <giuseppe@iuculano.it> [2009-05-23 17:03]:
> [...]
> > CVE-2009-1759[0]:
> > | Stack-based buffer overflow in the btFiles::BuildFromMI function
> > | (trunk/btfiles.cpp) in Enhanced CTorrent (aka dTorrent) 3.3.2 and
> > | probably earlier, and CTorrent 1.3.4, allows remote attackers to cause
> > | a denial of service (crash) and possibly execute arbitrary code via a
> > | Torrent file containing a long path.
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE id in your changelog entry.
> >
> > For further information see:
> >
> > [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1759
> > http://security-tracker.debian.net/tracker/CVE-2009-1759
> > Patch: http://dtorrent.svn.sourceforge.net/viewvc/dtorrent/dtorrent/trunk/btfiles.cpp?r1=296&r2=301&view=patch
>
> FWIW, this patch doesn't only fix a buffer overflow but also
> a directory traversal vulnerability + it is a patch for
> dtorrent.
http://dtorrent.svn.sourceforge.net/viewvc/dtorrent/dtorrent/trunk/bencode.h?r1=215&r2=301&view=patch
and
http://dtorrent.svn.sourceforge.net/viewvc/dtorrent/dtorrent/trunk/bencode.cpp?r1=296&r2=301&view=patch
are needed as well.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Andrea Veri <bluekuja@ubuntu.com>:
Bug#530255; Package ctorrent.
(Mon, 15 Jun 2009 17:45:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Andrea Veri <bluekuja@ubuntu.com>.
(Mon, 15 Jun 2009 17:45:03 GMT) (full text, mbox, link).
Message #20 received at 530255@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi,
I ported the patch to our ctorrent version. Could someone
please test it so updates don't break things?
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
[CVE-2009-1759.patch (text/x-diff, attachment)]
[Message part 3 (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Andrea Veri <bluekuja@ubuntu.com>:
Bug#530255; Package ctorrent.
(Tue, 16 Jun 2009 23:24:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Andrea Veri <bluekuja@ubuntu.com>.
(Tue, 16 Jun 2009 23:24:05 GMT) (full text, mbox, link).
Message #25 received at 530255@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi,
attached is a patch for a 0-day NMU.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
[ctorrent-1.3.4-dnh4.2-1_1.3.4-dnh4.2-1.1.patch (text/x-diff, attachment)]
[Message part 3 (application/pgp-signature, inline)]
Reply sent
to Nico Golde <nion@debian.org>:
You have taken responsibility.
(Tue, 16 Jun 2009 23:42:03 GMT) (full text, mbox, link).
Notification sent
to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer.
(Tue, 16 Jun 2009 23:42:03 GMT) (full text, mbox, link).
Message #30 received at 530255-close@bugs.debian.org (full text, mbox, reply):
Source: ctorrent
Source-Version: 1.3.4-dnh4.2-1.1
We believe that the bug you reported is fixed in the latest version of
ctorrent, which is due to be installed in the Debian FTP archive:
ctorrent_1.3.4-dnh4.2-1.1.diff.gz
to pool/main/c/ctorrent/ctorrent_1.3.4-dnh4.2-1.1.diff.gz
ctorrent_1.3.4-dnh4.2-1.1.dsc
to pool/main/c/ctorrent/ctorrent_1.3.4-dnh4.2-1.1.dsc
ctorrent_1.3.4-dnh4.2-1.1_amd64.deb
to pool/main/c/ctorrent/ctorrent_1.3.4-dnh4.2-1.1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 530255@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated ctorrent package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 17 Jun 2009 00:59:49 +0200
Source: ctorrent
Binary: ctorrent
Architecture: source amd64
Version: 1.3.4-dnh4.2-1.1
Distribution: unstable
Urgency: high
Maintainer: Andrea Veri <bluekuja@ubuntu.com>
Changed-By: Nico Golde <nion@debian.org>
Description:
ctorrent - BitTorrent Client written in C++
Closes: 530255
Changes:
ctorrent (1.3.4-dnh4.2-1.1) unstable; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fix stack-based buffer overflow via crafted path names
in torrent files (CVE-2009-1759; Closes: #530255).
Checksums-Sha1:
a400584619069e6092fd5c72a4eb155a7e6e0f7d 1112 ctorrent_1.3.4-dnh4.2-1.1.dsc
35efe6801e4c535b57d64c8eb6ab6144ceccc187 6452 ctorrent_1.3.4-dnh4.2-1.1.diff.gz
ec3e6c9390008cfb877938690a2478dd8c146222 111856 ctorrent_1.3.4-dnh4.2-1.1_amd64.deb
Checksums-Sha256:
f7806faeb45013520987f36a411cbf6745d2764c96dea60c914e31ede66a3026 1112 ctorrent_1.3.4-dnh4.2-1.1.dsc
420d1e3b1acc2cf38f5e021ae52e24e264d7a9a3b21d96cd3e6bd898d7ac00b3 6452 ctorrent_1.3.4-dnh4.2-1.1.diff.gz
790e82fd48e97729805ebd5d60b2ffcb1e31d519de2cc6ddd2e90096a7fc2c27 111856 ctorrent_1.3.4-dnh4.2-1.1_amd64.deb
Files:
465619c7bff9573679eb33400c263561 1112 net extra ctorrent_1.3.4-dnh4.2-1.1.dsc
37087f49c8b700992845df17f1cb3a83 6452 net extra ctorrent_1.3.4-dnh4.2-1.1.diff.gz
a9253a247273ae5d1a2ca94f11a864f3 111856 net extra ctorrent_1.3.4-dnh4.2-1.1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAko4KNcACgkQHYflSXNkfP9b0QCcCUsD8jv3PCFLzyJOAHfBof3u
itkAoI8fGUtVlncaDPapDSOJCTN8O+m4
=FZJE
-----END PGP SIGNATURE-----
Reply sent
to Nico Golde <nion@debian.org>:
You have taken responsibility.
(Sat, 20 Jun 2009 14:15:02 GMT) (full text, mbox, link).
Notification sent
to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer.
(Sat, 20 Jun 2009 14:15:02 GMT) (full text, mbox, link).
Message #35 received at 530255-close@bugs.debian.org (full text, mbox, reply):
Source: ctorrent
Source-Version: 1.3.4-dnh4.2-1+lenny1
We believe that the bug you reported is fixed in the latest version of
ctorrent, which is due to be installed in the Debian FTP archive:
ctorrent_1.3.4-dnh4.2-1+lenny1.diff.gz
to pool/main/c/ctorrent/ctorrent_1.3.4-dnh4.2-1+lenny1.diff.gz
ctorrent_1.3.4-dnh4.2-1+lenny1.dsc
to pool/main/c/ctorrent/ctorrent_1.3.4-dnh4.2-1+lenny1.dsc
ctorrent_1.3.4-dnh4.2-1+lenny1_amd64.deb
to pool/main/c/ctorrent/ctorrent_1.3.4-dnh4.2-1+lenny1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 530255@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated ctorrent package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 17 Jun 2009 00:59:49 +0200
Source: ctorrent
Binary: ctorrent
Architecture: source amd64
Version: 1.3.4-dnh4.2-1+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Andrea Veri <bluekuja@ubuntu.com>
Changed-By: Nico Golde <nion@debian.org>
Description:
ctorrent - BitTorrent Client written in C++
Closes: 530255
Changes:
ctorrent (1.3.4-dnh4.2-1+lenny1) stable-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fix stack-based buffer overflow via crafted path names
in torrent files (CVE-2009-1759; Closes: #530255).
Checksums-Sha1:
fd3cf3b174854d5c1bc770a1c766f33e90a3efe1 1132 ctorrent_1.3.4-dnh4.2-1+lenny1.dsc
dc52b089bf0820a34443a78376655e1c1a2d9080 201651 ctorrent_1.3.4-dnh4.2.orig.tar.gz
67c8f82768e893392469310315114d60274b88a1 6427 ctorrent_1.3.4-dnh4.2-1+lenny1.diff.gz
bbb3ba6515c8b63ee06c91f0dfa93a9356f97ae3 112618 ctorrent_1.3.4-dnh4.2-1+lenny1_amd64.deb
Checksums-Sha256:
321f2102a1feef46462217b369914de4827d1b1c569a12e8d7baadef94a97765 1132 ctorrent_1.3.4-dnh4.2-1+lenny1.dsc
a23074c76dead123c24f16b09910fe43c5537da250637de2c85a6807eada8ff6 201651 ctorrent_1.3.4-dnh4.2.orig.tar.gz
8e9177cac15b335376790a662fb21a117ce19389e663dc8f6ae9707fa126db32 6427 ctorrent_1.3.4-dnh4.2-1+lenny1.diff.gz
bd6e87f0a78b9b0ec7ac449eadbcf2ceec010f9d0766c9f0d343ac5c17f9016a 112618 ctorrent_1.3.4-dnh4.2-1+lenny1_amd64.deb
Files:
2159a81d35c934811cc4b65a5d51c63e 1132 net extra ctorrent_1.3.4-dnh4.2-1+lenny1.dsc
8c4605ea3a1f6d09da593c25b5ab7dbd 201651 net extra ctorrent_1.3.4-dnh4.2.orig.tar.gz
a8eb130df614638863d1de39f80aeb3c 6427 net extra ctorrent_1.3.4-dnh4.2-1+lenny1.diff.gz
34ca707d68325c7b3939338d0b0ca7c2 112618 net extra ctorrent_1.3.4-dnh4.2-1+lenny1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAko47CMACgkQHYflSXNkfP9EkQCgsWkj1SHpdkxrJ9vPrXrGQAdl
RckAnieMb04gvKWqRStATkrLHs+Y1bqQ
=s84w
-----END PGP SIGNATURE-----
Reply sent
to Nico Golde <nion@debian.org>:
You have taken responsibility.
(Sat, 27 Jun 2009 16:27:07 GMT) (full text, mbox, link).
Notification sent
to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer.
(Sat, 27 Jun 2009 16:27:07 GMT) (full text, mbox, link).
Message #40 received at 530255-close@bugs.debian.org (full text, mbox, reply):
Source: ctorrent
Source-Version: 1.3.4-dnh4.2-1+lenny1
We believe that the bug you reported is fixed in the latest version of
ctorrent, which is due to be installed in the Debian FTP archive:
ctorrent_1.3.4-dnh4.2-1+lenny1.diff.gz
to pool/main/c/ctorrent/ctorrent_1.3.4-dnh4.2-1+lenny1.diff.gz
ctorrent_1.3.4-dnh4.2-1+lenny1.dsc
to pool/main/c/ctorrent/ctorrent_1.3.4-dnh4.2-1+lenny1.dsc
ctorrent_1.3.4-dnh4.2-1+lenny1_amd64.deb
to pool/main/c/ctorrent/ctorrent_1.3.4-dnh4.2-1+lenny1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 530255@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated ctorrent package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 17 Jun 2009 00:59:49 +0200
Source: ctorrent
Binary: ctorrent
Architecture: source amd64
Version: 1.3.4-dnh4.2-1+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Andrea Veri <bluekuja@ubuntu.com>
Changed-By: Nico Golde <nion@debian.org>
Description:
ctorrent - BitTorrent Client written in C++
Closes: 530255
Changes:
ctorrent (1.3.4-dnh4.2-1+lenny1) stable-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fix stack-based buffer overflow via crafted path names
in torrent files (CVE-2009-1759; Closes: #530255).
Checksums-Sha1:
fd3cf3b174854d5c1bc770a1c766f33e90a3efe1 1132 ctorrent_1.3.4-dnh4.2-1+lenny1.dsc
dc52b089bf0820a34443a78376655e1c1a2d9080 201651 ctorrent_1.3.4-dnh4.2.orig.tar.gz
67c8f82768e893392469310315114d60274b88a1 6427 ctorrent_1.3.4-dnh4.2-1+lenny1.diff.gz
bbb3ba6515c8b63ee06c91f0dfa93a9356f97ae3 112618 ctorrent_1.3.4-dnh4.2-1+lenny1_amd64.deb
Checksums-Sha256:
321f2102a1feef46462217b369914de4827d1b1c569a12e8d7baadef94a97765 1132 ctorrent_1.3.4-dnh4.2-1+lenny1.dsc
a23074c76dead123c24f16b09910fe43c5537da250637de2c85a6807eada8ff6 201651 ctorrent_1.3.4-dnh4.2.orig.tar.gz
8e9177cac15b335376790a662fb21a117ce19389e663dc8f6ae9707fa126db32 6427 ctorrent_1.3.4-dnh4.2-1+lenny1.diff.gz
bd6e87f0a78b9b0ec7ac449eadbcf2ceec010f9d0766c9f0d343ac5c17f9016a 112618 ctorrent_1.3.4-dnh4.2-1+lenny1_amd64.deb
Files:
2159a81d35c934811cc4b65a5d51c63e 1132 net extra ctorrent_1.3.4-dnh4.2-1+lenny1.dsc
8c4605ea3a1f6d09da593c25b5ab7dbd 201651 net extra ctorrent_1.3.4-dnh4.2.orig.tar.gz
a8eb130df614638863d1de39f80aeb3c 6427 net extra ctorrent_1.3.4-dnh4.2-1+lenny1.diff.gz
34ca707d68325c7b3939338d0b0ca7c2 112618 net extra ctorrent_1.3.4-dnh4.2-1+lenny1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAko47CMACgkQHYflSXNkfP9EkQCgsWkj1SHpdkxrJ9vPrXrGQAdl
RckAnieMb04gvKWqRStATkrLHs+Y1bqQ
=s84w
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 26 Jul 2009 07:33:44 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 16:01:58 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon