rpms/rb_libtorrent/F-11 rb_libtorrent-CVE-2009-1760.diff, NONE, 1.1 rb_libtorrent.spec, 1.23, 1.24 rb_libtorrent-0.13.1-boost.patch, 1.1, NONE
Peter Gordon
pgordon at fedoraproject.org
Sun Jun 14 02:45:56 UTC 2009
Author: pgordon
Update of /cvs/pkgs/rpms/rb_libtorrent/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv27984
Modified Files:
rb_libtorrent.spec
Added Files:
rb_libtorrent-CVE-2009-1760.diff
Removed Files:
rb_libtorrent-0.13.1-boost.patch
Log Message:
Apply upstream patch for CVE-2009-1760 (#505523); drop outdated boost patch.
rb_libtorrent-CVE-2009-1760.diff:
--- NEW FILE rb_libtorrent-CVE-2009-1760.diff ---
diff -U0 ./ChangeLog.old ./ChangeLog
--- ./ChangeLog.old 2009-06-13 18:02:44.353129501 -0700
+++ ./ChangeLog 2009-06-13 18:02:54.629129707 -0700
@@ -21,0 +22 @@
+ * fixed torrent file path vulnerability
diff -up ./src/torrent_info.cpp.old ./src/torrent_info.cpp
--- ./src/torrent_info.cpp.old 2009-06-13 18:02:39.117129037 -0700
+++ ./src/torrent_info.cpp 2009-06-13 18:02:54.628129394 -0700
@@ -62,7 +62,7 @@ namespace gr = boost::gregorian;
using namespace libtorrent;
-namespace
+namespace libtorrent
{
namespace fs = boost::filesystem;
@@ -161,6 +161,28 @@ namespace
if (!verify_encoding(p)) target.path = p;
}
+ bool valid_path_element(std::string const& element)
+ {
+ if (element.empty()
+ || element == "." || element == ".."
+ || element[0] == '/' || element[0] == '\\'
+ || element[element.size()-1] == ':')
+ return false;
+ return true;
+ }
+
+ fs::path sanitize_path(fs::path const& p)
+ {
+ fs::path new_path;
+ for (fs::path::const_iterator i = p.begin(); i != p.end(); ++i)
+ {
+ if (!valid_path_element(*i)) continue;
+ new_path /= *i;
+ }
+ TORRENT_ASSERT(!new_path.is_complete());
+ return new_path;
+ }
+
bool extract_single_file(lazy_entry const& dict, file_entry& target
, std::string const& root_dir)
{
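Review bot: `valid_path_element` and `sanitize_path` are added without any comment, although they carry the security contract of this fix. A short comment above `sanitize_path` would help, e.g. `// Drops empty, "." and ".." elements, elements starting with '/' or '\\', and elements ending in ':'; the result is relative and may be empty.` The only statement of the postcondition is `TORRENT_ASSERT(!new_path.is_complete())`, which presumably compiles away in non-debug builds, so the comment should say that callers rely on the filtering and not on the assertion. Because rejected elements are skipped rather than reported, distinct inputs such as `a/../c` and `a/c` map to the same result, and a caller that wants to refuse a malformed path has to check for that itself. The enclosing `namespace libtorrent` block opens outside this hunk and `extract_single_file` continues past it.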
@@ -186,10 +208,12 @@ namespace
if (p->list_at(i)->type() != lazy_entry::string_t)
return false;
std::string path_element = p->list_at(i)->string_value();
- if (path_element != "..")
- target.path /= path_element;
+ target.path /= path_element;
}
+ target.path = sanitize_path(target.path);
verify_encoding(target);
+ TORRENT_ASSERT(!target.path.is_complete());
+
if (target.path.is_complete())
return false;
return true;
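Review bot: `sanitize_path` runs before `verify_encoding(target)`, and the context line at the top of the previous hunk shows that `verify_encoding` can assign a rewritten string back to `target.path`, so the path finally stored is not necessarily the one that was sanitized. Swapping the two calls keeps the filter as the last step: `verify_encoding(target);` followed by `target.path = sanitize_path(target.path);`. Whether the encoding rewrite can actually introduce a separator or a dot element is not visible here, so this is ordering hardening, not a demonstrated bypass. Separately, an entry whose elements are all rejected leaves only whatever `target.path` held before the loop, and the visible code still returns true; an explicit check for that case may be wanted. The function body starts and ends outside this hunk.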
@@ -208,10 +232,6 @@ namespace
}
return true;
}
-}
-
-namespace libtorrent
-{
int load_file(fs::path const& filename, std::vector<char>& v)
{
@@ -400,27 +420,8 @@ namespace libtorrent
return false;
}
- fs::path tmp = name;
- if (tmp.is_complete())
- {
- name = tmp.leaf();
- }
-#if BOOST_VERSION < 103600
- else if (tmp.has_branch_path())
-#else
- else if (tmp.has_parent_path())
-#endif
- {
- fs::path p;
- for (fs::path::iterator i = tmp.begin()
- , end(tmp.end()); i != end; ++i)
- {
- if (*i == "." || *i == "..") continue;
- p /= *i;
- }
- name = p.string();
- }
- if (name == ".." || name == ".")
+ name = sanitize_path(name).string();
+ if (!valid_path_element(name))
{
error = "invalid 'name' of torrent (possible exploit attempt)";
return false;
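Review bot: `valid_path_element(name)` is applied to the whole string returned by `sanitize_path`, not to a single element, so as far as the visible code shows it can only fire on an empty result; the dot, root and colon cases have already been filtered out element by element. Writing the condition as `if (name.empty())`, or adding a comment such as `// sanitize_path() already dropped unsafe elements; this catches a name that sanitized to nothing`, would say what the check really guards. Note also that a multi-component name is now kept as a relative path (the updated test expects `test1/test2/test3`), whereas the removed code reduced a complete path to its leaf, so callers that treat `name` as a single directory name deserve a look. The enclosing function starts outside this hunk.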
diff -up ./test/test_primitives.cpp.old ./test/test_primitives.cpp
--- ./test/test_primitives.cpp.old 2009-06-13 18:02:31.324129349 -0700
+++ ./test/test_primitives.cpp 2009-06-13 18:02:54.627129427 -0700
@@ -54,6 +54,10 @@ using namespace libtorrent;
using namespace boost::tuples;
using boost::bind;
+namespace libtorrent {
+ fs::path sanitize_path(fs::path const& p);
+}
+
tuple<int, int, bool> feed_bytes(http_parser& parser, char const* str)
{
tuple<int, int, bool> ret(0, 0, false);
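Review bot: The test declares `libtorrent::sanitize_path` by hand instead of including a header, so the function becomes an exported library symbol with no declared interface, and the two declarations can drift apart unnoticed until link time. The same namespace change in `torrent_info.cpp` (`namespace` replaced by `namespace libtorrent`) also gives the other formerly file-local helpers external linkage. Declaring `sanitize_path` in an internal header that both files include would keep the signature in one place; if it is meant to stay internal, a comment at this declaration such as `// internal helper, declared here only for testing` would make that explicit. `feed_bytes` continues outside the hunk.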
@@ -347,6 +351,17 @@ int test_main()
{
using namespace libtorrent;
+ TEST_CHECK(sanitize_path("/a/b/c").string() == "a/b/c");
+ TEST_CHECK(sanitize_path("a/../c").string() == "a/c");
+ TEST_CHECK(sanitize_path("/.././c").string() == "c");
+ TEST_CHECK(sanitize_path("dev:").string() == "");
+ TEST_CHECK(sanitize_path("c:/b").string() == "b");
+#ifdef TORRENT_WINDOWS
+ TEST_CHECK(sanitize_path("c:\\.\\c").string() == "c");
+#else
+ TEST_CHECK(sanitize_path("//./c").string() == "c");
+#endif
+
// test itoa
TEST_CHECK(to_string(345).elems == std::string("345"));
@@ -615,7 +630,7 @@ int test_main()
torrent["info"] = info;
torrent_info ti2(torrent);
std::cerr << ti2.name() << std::endl;
- TEST_CHECK(ti2.name() == "test3");
+ TEST_CHECK(ti2.name() == "test1/test2/test3");
info["name.utf-8"] = "test2/../test3/.././../../test4";
torrent["info"] = info;
Index: rb_libtorrent.spec
===================================================================
RCS file: /cvs/pkgs/rpms/rb_libtorrent/F-11/rb_libtorrent.spec,v
retrieving revision 1.23
retrieving revision 1.24
diff -u -p -r1.23 -r1.24
--- rb_libtorrent.spec 28 Apr 2009 05:34:57 -0000 1.23
+++ rb_libtorrent.spec 14 Jun 2009 02:45:25 -0000 1.24
@@ -3,7 +3,7 @@
Name: rb_libtorrent
Version: 0.14.3
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: A C++ BitTorrent library aiming to be the best alternative
Group: System Environment/Libraries
@@ -15,6 +15,8 @@ Source1: %{name}-README-renames.Fedora
Source2: %{name}-COPYING.Boost
Source3: %{name}-COPYING.zlib
+Patch0: %{name}-CVE-2009-1760.diff
+
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: asio-devel
@@ -86,6 +88,7 @@ module) that allow it to be used from wi
%prep
%setup -q -n "libtorrent-rasterbar-%{version}"
+%patch0 -b .CVE-2009-1760
## The RST files are the sources used to create the final HTML files; and are
## not needed.
rm -f docs/*.rst
@@ -98,6 +101,7 @@ iconv -t UTF-8 -f ISO_8859-15 AUTHORS -o
mv AUTHORS.iconv AUTHORS
+
%build
## XXX: Even with the --with-asio=system configure option, the stuff in
## the local include directory overrides that of the system. We don't like
@@ -182,6 +186,14 @@ rm -rf %{buildroot}
%changelog
+* Fri Jun 12 2009 Peter Gordon <peter at thecodergeek.com> - 0.14.3-2
+- Apply upstream patch to fix CVE-2009-1760 (arbitrary file overwrite
+ vulnerability):
+ + CVE-2009-1760.diff
+- Fixes security bug #505523.
+- Drop outdated Boost patch:
+ - 0.13.1-boost.patch
+
* Mon Apr 27 2009 Peter Gordon <peter at thecodergeek.com> - 0.14.3-1
- Update to new upstream bug-fix release (0.14.3).
--- rb_libtorrent-0.13.1-boost.patch DELETED ---