rpms/rb_libtorrent/F-10 rb_libtorrent-0.13-CVE-2009-1760.diff, NONE, 1.1 rb_libtorrent.spec, 1.15, 1.16

Sun Jun 14 20:25:44 UTC 2009

Author: pgordon

Update of /cvs/pkgs/rpms/rb_libtorrent/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv3968

Modified Files:
	rb_libtorrent.spec 
Added Files:
	rb_libtorrent-0.13-CVE-2009-1760.diff 
Log Message:
Apply upstream patch for CVE-2009-1760 (#505523)

rb_libtorrent-0.13-CVE-2009-1760.diff:

--- NEW FILE rb_libtorrent-0.13-CVE-2009-1760.diff ---
diff -U0 ./ChangeLog.old ./ChangeLog
--- ./ChangeLog.old	2009-06-14 12:18:03.058662151 -0700
+++ ./ChangeLog	2009-06-14 12:18:37.577661439 -0700
@@ -2,0 +3 @@
+	* fixed torrent file path vulnerability
diff -up ./include/libtorrent/socket.hpp.old ./include/libtorrent/socket.hpp
diff -up ./src/torrent_info.cpp.old ./src/torrent_info.cpp
--- ./src/torrent_info.cpp.old	2009-06-14 12:18:10.271661693 -0700
+++ ./src/torrent_info.cpp	2009-06-14 12:21:17.023536095 -0700
@@ -31,7 +31,6 @@ POSSIBILITY OF SUCH DAMAGE.
 */
 
 #include "libtorrent/pch.hpp"
-
 #include <ctime>
 #include <iostream>
 #include <fstream>
@@ -39,6 +38,7 @@ POSSIBILITY OF SUCH DAMAGE.
 #include <iterator>
 #include <algorithm>
 #include <set>
+#include <string>
 
 #ifdef _MSC_VER
 #pragma warning(push, 1)
@@ -74,6 +74,29 @@ namespace
 		str += 0x80 | (chr & 0x3f);
 	}
 
+	bool valid_path_element(std::string const& element)
+	{
+		if (element.empty()
+			|| element == "." || element == ".."
+			|| element[0] == '/' || element[0] == '\\'
+			|| element[element.size()-1] == ':')
+			return false;
+		return true;
+	}
+
+	fs::path sanitize_path(fs::path const& p)
+	{
+		fs::path new_path;
+		for (fs::path::const_iterator i = p.begin(); i != p.end(); ++i)
+		{
+			if (!valid_path_element(*i)) continue;
+			std::string pe = *i;
+			new_path /= pe;
+		}
+		TORRENT_ASSERT(!new_path.is_complete());
+		return new_path;
+	}
+
 	void verify_encoding(file_entry& target)
 	{
 		std::string tmp_path;
@@ -184,9 +230,9 @@ namespace
 		for (entry::list_type::const_iterator i = list->begin();
 			i != list->end(); ++i)
 		{
-			if (i->string() != "..")
-				target.path /= i->string();
+			target.path /= i->string();
 		}
+		target.path = sanitize_path(target.path);
 		verify_encoding(target);
 		if (target.path.is_complete()) throw std::runtime_error("torrent contains "
 			"a file with an absolute path: '"
@@ -349,24 +395,9 @@ namespace libtorrent
 		else
 		{ m_name = info["name"].string(); }
 		
-		fs::path tmp = m_name;
-  		if (tmp.is_complete())
-  		{
- 			m_name = tmp.leaf();
-  		}
- 		else if (tmp.has_branch_path())
-  		{
- 			fs::path p;
- 			for (fs::path::iterator i = tmp.begin()
- 				, end(tmp.end()); i != end; ++i)
- 			{
- 				if (*i == "." || *i == "..") continue;
- 				p /= *i;
- 			}
- 			m_name = p.string();
- 		}
- 		if (m_name == ".." || m_name == ".")
- 			throw std::runtime_error("invalid 'name' of torrent (possible exploit attempt)");
+		m_name = sanitize_path(m_name).string();
+		if (!valid_path_element(m_name))
+			throw std::runtime_error("invalid 'name' of torrent (possible exploit attempt)");
 	
 		// extract file list
 		entry const* i = info.find_key("files");


Index: rb_libtorrent.spec
===================================================================
RCS file: /cvs/pkgs/rpms/rb_libtorrent/F-10/rb_libtorrent.spec,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -p -r1.15 -r1.16
--- rb_libtorrent.spec	6 Jan 2009 02:06:43 -0000	1.15
+++ rb_libtorrent.spec	14 Jun 2009 20:25:13 -0000	1.16
@@ -3,7 +3,7 @@
 
 Name:		rb_libtorrent
 Version:	0.13.1
-Release:	4%{?dist}
+Release:	5%{?dist}
 Summary:	A C++ BitTorrent library aiming to be the best alternative
 
 Group:		System Environment/Libraries
@@ -20,6 +20,8 @@ Source3:	%{name}-COPYING.zlib
 ## Message-Id: <1216701448.24546.11.camel at tuxhugs>
 Source4: 	%{name}-python-setup.py
 
+Patch0: 	%{name}-0.13-CVE-2009-1760.diff
+
 BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 BuildRequires:	asio-devel
@@ -91,6 +93,7 @@ module) that allow it to be used from wi
 
 %prep
 %setup -q -n "libtorrent-rasterbar-%{version}"
+%patch0 -b .CVE-2009-1760
 ## The RST files are the sources used to create the final HTML files; and are
 ## not needed.
 rm -f docs/*.rst
@@ -187,6 +190,12 @@ rm -rf %{buildroot}
 
 
 %changelog
+* Sun Jun 14 2009 Peter Gordon <peter at thecodergeek.com> - 0.13.1-5
+- Apply upstream patch to fix CVE-2009-1760 (arbitrary file overwrite
+  vulnerability):
+  + 0.13-CVE-2009-1760.diff
+- Fixes security bug #505523.
+
 * Mon Jan 05 2009 Peter Gordon <peter at thecodergeek.com> - 0.13.1-4
 - Add asio-devel as runtime dependency for the devel subpackage (#478589)
 


