rpms/rb_libtorrent/F-11 rb_libtorrent-CVE-2009-1760.diff, NONE, 1.1 rb_libtorrent.spec, 1.23, 1.24 rb_libtorrent-0.13.1-boost.patch, 1.1, NONE

Peter Gordon pgordon at fedoraproject.org
Sun Jun 14 02:45:56 UTC 2009


Author: pgordon

Update of /cvs/pkgs/rpms/rb_libtorrent/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv27984

Modified Files:
	rb_libtorrent.spec 
Added Files:
	rb_libtorrent-CVE-2009-1760.diff 
Removed Files:
	rb_libtorrent-0.13.1-boost.patch 
Log Message:
Apply upstream patch for CVE-2009-1760 (#505523); drop outdated boost patch.

rb_libtorrent-CVE-2009-1760.diff:

--- NEW FILE rb_libtorrent-CVE-2009-1760.diff ---
diff -U0 ./ChangeLog.old ./ChangeLog
--- ./ChangeLog.old	2009-06-13 18:02:44.353129501 -0700
+++ ./ChangeLog	2009-06-13 18:02:54.629129707 -0700
@@ -21,0 +22 @@
+	* fixed torrent file path vulnerability
diff -up ./src/torrent_info.cpp.old ./src/torrent_info.cpp
--- ./src/torrent_info.cpp.old	2009-06-13 18:02:39.117129037 -0700
+++ ./src/torrent_info.cpp	2009-06-13 18:02:54.628129394 -0700
@@ -62,7 +62,7 @@ namespace gr = boost::gregorian;
 
 using namespace libtorrent;
 
-namespace
+namespace libtorrent
 {
 	
 	namespace fs = boost::filesystem;
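Review bot: Renaming the anonymous namespace to `libtorrent` gives every helper in this block external linkage, although only `sanitize_path` is needed by the test. The other file-local helpers become visible library symbols that can clash with same-named functions in other translation units. I would keep the anonymous namespace for them and declare `sanitize_path` in a header. The forward declaration added in test/test_primitives.cpp (`namespace libtorrent { fs::path sanitize_path(fs::path const& p); }`) can drift from the definition without a compile error. The namespace body starts and ends outside this hunk.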
@@ -161,6 +161,28 @@ namespace
 		if (!verify_encoding(p)) target.path = p;
 	}
 
+	bool valid_path_element(std::string const& element)
+	{
+		if (element.empty()
+			|| element == "." || element == ".."
+			|| element[0] == '/' || element[0] == '\\'
+			|| element[element.size()-1] == ':')
+			return false;
+		return true;
+	}
+
+	fs::path sanitize_path(fs::path const& p)
+	{
+		fs::path new_path;
+		for (fs::path::const_iterator i = p.begin(); i != p.end(); ++i)
+		{
+			if (!valid_path_element(*i)) continue;
+			new_path /= *i;
+		}
+		TORRENT_ASSERT(!new_path.is_complete());
+		return new_path;
+	}
+
 	bool extract_single_file(lazy_entry const& dict, file_entry& target
 		, std::string const& root_dir)
 	{
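Review bot: `valid_path_element` and `sanitize_path` carry no comment saying what they reject or what the result guarantees, yet both callers rely on that contract for untrusted torrent metadata. Above `sanitize_path` I would add `// drops empty, ".", "..", '/'- or '\'-prefixed and ':'-terminated elements; the result is relative and may be empty`. Above `valid_path_element` I would add a line saying that the trailing-':' test is there for drive and device names; that purpose is inferred from the `dev:` and `c:/b` test cases. The comment should also say that invalid elements are dropped silently rather than reported, so a caller that wants to refuse a hostile path has to compare input and output itself. The only post-condition check is `TORRENT_ASSERT`, which presumably compiles away in release builds.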
@@ -186,10 +208,12 @@ namespace
 			if (p->list_at(i)->type() != lazy_entry::string_t)
 				return false;
 			std::string path_element = p->list_at(i)->string_value();
-			if (path_element != "..")
-				target.path /= path_element;
+			target.path /= path_element;
 		}
+		target.path = sanitize_path(target.path);
 		verify_encoding(target);
+		TORRENT_ASSERT(!target.path.is_complete());
+
 		if (target.path.is_complete())
 			return false;
 		return true;
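Review bot: `sanitize_path` runs before `verify_encoding(target)`, and the context line `if (!verify_encoding(p)) target.path = p;` in the previous hunk shows that helper can assign a rewritten string back to `target.path`. The path that is finally returned may therefore not be the sanitized one, and the only check left after it is `is_complete()`, which does not filter `..` elements. Unless `verify_encoding` is known never to produce separators or dot elements (its body is not visible here), swap the two calls: `verify_encoding(target);` then `target.path = sanitize_path(target.path);`. The `TORRENT_ASSERT(!target.path.is_complete())` immediately before the equivalent runtime `if` makes debug builds abort on input that release builds reject gracefully, so I would drop it. The function starts outside this hunk.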
@@ -208,10 +232,6 @@ namespace
 		}
 		return true;
 	}
-}
-
-namespace libtorrent
-{
 
 	int load_file(fs::path const& filename, std::vector<char>& v)
 	{
@@ -400,27 +420,8 @@ namespace libtorrent
 			return false;
 		}
 
-		fs::path tmp = name;
-		if (tmp.is_complete())
-		{
-			name = tmp.leaf();
-		}
-#if BOOST_VERSION < 103600
-		else if (tmp.has_branch_path())
-#else
-		else if (tmp.has_parent_path())
-#endif
-		{
-			fs::path p;
-			for (fs::path::iterator i = tmp.begin()
-				, end(tmp.end()); i != end; ++i)
-			{
-				if (*i == "." || *i == "..") continue;
-				p /= *i;
-			}
-			name = p.string();
-		}
-		if (name == ".." || name == ".")
+		name = sanitize_path(name).string();
+		if (!valid_path_element(name))
 		{
 			error = "invalid 'name' of torrent (possible exploit attempt)";
 			return false;
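Review bot: `valid_path_element(name)` is applied here to a whole sanitized path rather than to a single element, so in practice it only catches the empty result. `sanitize_path` has already removed `.`, `..`, and root-prefixed or ':'-terminated elements. `if (name.empty())` would state the intent directly. A `name` containing traversal elements is now rewritten silently and no longer reaches the "possible exploit attempt" branch, so callers and logs lose the signal that the torrent was malformed. If that signal matters, compare the input with the sanitized value and report a difference. The enclosing function starts and ends outside this hunk.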
diff -up ./test/test_primitives.cpp.old ./test/test_primitives.cpp
--- ./test/test_primitives.cpp.old	2009-06-13 18:02:31.324129349 -0700
+++ ./test/test_primitives.cpp	2009-06-13 18:02:54.627129427 -0700
@@ -54,6 +54,10 @@ using namespace libtorrent;
 using namespace boost::tuples;
 using boost::bind;
 
+namespace libtorrent {
+	fs::path sanitize_path(fs::path const& p);
+}
+
 tuple<int, int, bool> feed_bytes(http_parser& parser, char const* str)
 {
 	tuple<int, int, bool> ret(0, 0, false);
@@ -347,6 +351,17 @@ int test_main()
 {
 	using namespace libtorrent;
 
+	TEST_CHECK(sanitize_path("/a/b/c").string() == "a/b/c");
+	TEST_CHECK(sanitize_path("a/../c").string() == "a/c");
+	TEST_CHECK(sanitize_path("/.././c").string() == "c");
+	TEST_CHECK(sanitize_path("dev:").string() == "");
+	TEST_CHECK(sanitize_path("c:/b").string() == "b");
+#ifdef TORRENT_WINDOWS
+	TEST_CHECK(sanitize_path("c:\\.\\c").string() == "c");
+#else
+	TEST_CHECK(sanitize_path("//./c").string() == "c");
+#endif
+
 	// test itoa
 
 	TEST_CHECK(to_string(345).elems == std::string("345"));
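Review bot: The new `sanitize_path` cases do not cover an empty input, a path that begins with `..`, or a path that ends with `..`. Those are the shapes the fix is meant to neutralise. Following the loop in `sanitize_path`, I would add `TEST_CHECK(sanitize_path("").string() == "");`, `TEST_CHECK(sanitize_path("../../a").string() == "a");` and `TEST_CHECK(sanitize_path("a/b/..").string() == "a/b");`. `test_main` continues outside this hunk.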
@@ -615,7 +630,7 @@ int test_main()
 	torrent["info"] = info;
 	torrent_info ti2(torrent);
 	std::cerr << ti2.name() << std::endl;
-	TEST_CHECK(ti2.name() == "test3");
+	TEST_CHECK(ti2.name() == "test1/test2/test3");
 
 	info["name.utf-8"] = "test2/../test3/.././../../test4";
 	torrent["info"] = info;


Index: rb_libtorrent.spec
===================================================================
RCS file: /cvs/pkgs/rpms/rb_libtorrent/F-11/rb_libtorrent.spec,v
retrieving revision 1.23
retrieving revision 1.24
diff -u -p -r1.23 -r1.24
--- rb_libtorrent.spec	28 Apr 2009 05:34:57 -0000	1.23
+++ rb_libtorrent.spec	14 Jun 2009 02:45:25 -0000	1.24
@@ -3,7 +3,7 @@
 
 Name:		rb_libtorrent
 Version:	0.14.3
-Release:	1%{?dist}
+Release:	2%{?dist}
 Summary:	A C++ BitTorrent library aiming to be the best alternative
 
 Group:		System Environment/Libraries
@@ -15,6 +15,8 @@ Source1:	%{name}-README-renames.Fedora
 Source2:	%{name}-COPYING.Boost
 Source3:	%{name}-COPYING.zlib
 
+Patch0: 	%{name}-CVE-2009-1760.diff
+
 BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 BuildRequires:	asio-devel
@@ -86,6 +88,7 @@ module) that allow it to be used from wi
 
 %prep
 %setup -q -n "libtorrent-rasterbar-%{version}"
+%patch0  -b .CVE-2009-1760
 ## The RST files are the sources used to create the final HTML files; and are
 ## not needed.
 rm -f docs/*.rst
@@ -98,6 +101,7 @@ iconv -t UTF-8 -f ISO_8859-15 AUTHORS -o
 mv AUTHORS.iconv AUTHORS
 
 
+
 %build
 ## XXX: Even with the --with-asio=system configure option, the stuff in
 ## the local include directory overrides that of the system. We don't like
@@ -182,6 +186,14 @@ rm -rf %{buildroot}
 
 
 %changelog
+* Fri Jun 12 2009 Peter Gordon <peter at thecodergeek.com> - 0.14.3-2
+- Apply upstream patch to fix CVE-2009-1760 (arbitrary file overwrite
+  vulnerability):
+  + CVE-2009-1760.diff
+- Fixes security bug #505523.
+- Drop outdated Boost patch:
+  - 0.13.1-boost.patch
+
 * Mon Apr 27 2009 Peter Gordon <peter at thecodergeek.com> - 0.14.3-1
 - Update to new upstream bug-fix release (0.14.3).
 


--- rb_libtorrent-0.13.1-boost.patch DELETED ---



