rpms/rb_libtorrent/F-9 rb_libtorrent-0.12-CVE-2009-1760.diff, NONE, 1.1 rb_libtorrent.spec, 1.10, 1.11

Peter Gordon pgordon at fedoraproject.org
Mon Jun 15 09:02:34 UTC 2009


Author: pgordon

Update of /cvs/pkgs/rpms/rb_libtorrent/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv495

Modified Files:
	rb_libtorrent.spec 
Added Files:
	rb_libtorrent-0.12-CVE-2009-1760.diff 
Log Message:
Apply backported upstream patch for CVE-2009-1760; also add asio-devel to the devel subpackage Requires.

rb_libtorrent-0.12-CVE-2009-1760.diff:

--- NEW FILE rb_libtorrent-0.12-CVE-2009-1760.diff ---
diff -U0 ./ChangeLog.old ./ChangeLog
--- ./ChangeLog.old	2009-06-14 14:31:31.659446202 -0700
+++ ./ChangeLog	2009-06-14 14:31:48.369321893 -0700
@@ -2,0 +3 @@
+	* fixed torrent file path vulnerability
diff -up ./src/torrent_info.cpp.old ./src/torrent_info.cpp
--- ./src/torrent_info.cpp.old	2009-06-14 14:31:38.315506116 -0700
+++ ./src/torrent_info.cpp	2009-06-14 14:43:22.349322362 -0700
@@ -37,6 +37,8 @@ POSSIBILITY OF SUCH DAMAGE.
 #include <iterator>
 #include <algorithm>
 #include <set>
+#include <string>
+#include <cassert>
 
 #ifdef _MSC_VER
 #pragma warning(push, 1)
@@ -68,6 +69,30 @@ namespace
 		str += 0x80 | (chr & 0x3f);
 	}
 
+	bool valid_path_element(std::string const& element)
+	{
+		if (element.empty()
+			|| element == "." || element == ".."
+			|| element[0] == '/' || element[0] == '\\'
+			|| element[element.size()-1] == ':')
+			return false;
+		return true;
+	}
+
+	namespace fs = boost::filesystem;
+	fs::path sanitize_path(fs::path const& p)
+	{
+		fs::path new_path;
+		for (fs::path::const_iterator i = p.begin(); i != p.end(); ++i)
+		{
+			if (!valid_path_element(*i)) continue;
+			std::string pe = *i;
+			new_path /= pe;
+		}
+		assert(!new_path.is_complete());
+		return new_path;
+	}
+
 	void verify_encoding(file_entry& target)
 	{
 		std::string tmp_path;
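Review bot: `valid_path_element` tests only `element[0]` for `/` and `\\`, so an element that carries a backslash anywhere after its first character is accepted unchanged. Where the path iterator splits only on `/`, such an element reaches `new_path` intact, which matters if the stored name is ever interpreted with Windows separators (inferred; that use is not visible in this hunk). Rejecting any embedded separator is a one-clause change to the condition: `|| element.find_first_of("/\\") != std::string::npos`. Separately, `assert(!new_path.is_complete())` in `sanitize_path` compiles out under `NDEBUG`, so a comment there such as `// postcondition is unchecked in release builds; callers must still test is_complete()` would document why the caller's throw has to stay.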
@@ -178,9 +202,9 @@ namespace
 		for (entry::list_type::const_iterator i = list->begin();
 			i != list->end(); ++i)
 		{
-			if (i->string() != "..")
-				target.path /= i->string();
+			target.path /= i->string();
 		}
+		target.path = sanitize_path(target.path);
 		verify_encoding(target);
 		if (target.path.is_complete()) throw std::runtime_error("torrent contains "
 			"a file with an absolute path: '"
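Review bot: The result of `sanitize_path(target.path)` is never checked for being empty, so a file entry whose elements are all rejected is still accepted with an empty `target.path`. How later code joins that with the save directory is outside this hunk, but an explicit rejection right after the sanitize call is safer: `if (target.path.empty()) throw std::runtime_error("torrent contains a file with an invalid path");`. Because invalid elements are dropped silently rather than refused, two distinct entries can also collapse onto the same sanitized path; it is worth confirming that duplicate paths are handled downstream. The enclosing function starts and ends outside the hunk.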
@@ -310,11 +334,9 @@ namespace libtorrent
 		else
 		{ m_name = info["name"].string(); }
 		
-		path tmp = m_name;
-		if (tmp.is_complete()) throw std::runtime_error("torrent contains "
-			"a file with an absolute path: '" + m_name + "'");
-		if (tmp.has_branch_path()) throw std::runtime_error(
-			"torrent contains name with directories: '" + m_name + "'");
+		m_name = sanitize_path(m_name).string();
+		if (!valid_path_element(m_name))
+			throw std::runtime_error("invalid 'name' of torrent (possible exploit attempt)");
 	
 		// extract file list
 		entry const* i = info.find_key("files");
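Review bot: The removed `has_branch_path()` rejection has no replacement here. `valid_path_element(m_name)` compares the whole string with `"."` and `".."` and looks only at its first and last characters, so a sanitized name that still has several components passes and `m_name` is no longer guaranteed to be a single directory name. If a single component is still the intent, keep the old check after sanitizing: `if (path(m_name).has_branch_path()) throw std::runtime_error("torrent contains name with directories: '" + m_name + "'");`. The new message also drops the offending name that the old messages included, which makes a rejected torrent harder to triage from logs. The enclosing function extends beyond the hunk.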


Index: rb_libtorrent.spec
===================================================================
RCS file: /cvs/pkgs/rpms/rb_libtorrent/F-9/rb_libtorrent.spec,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -p -r1.10 -r1.11
--- rb_libtorrent.spec	15 Feb 2008 07:00:08 -0000	1.10
+++ rb_libtorrent.spec	15 Jun 2009 09:02:04 -0000	1.11
@@ -1,6 +1,6 @@
 Name:		rb_libtorrent
 Version:	0.12.1
-Release:	1%{?dist}
+Release:	2%{?dist}
 Summary:	A C++ BitTorrent library aiming to be the best alternative
 
 Group:		System Environment/Libraries
@@ -13,6 +13,7 @@ Source2:	%{name}-COPYING.Boost
 Source3:	%{name}-COPYING.zlib
 
 Patch0: 	%{name}-gcc43.patch
+Patch1: 	%{name}-0.12-CVE-2009-1760.diff
 
 BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
@@ -41,6 +42,7 @@ Requires:	pkgconfig
 ## Same pkgconfig file, and unsuffixed shared library symlink. :(
 Conflicts:	libtorrent-devel
 ## Needed for various headers used via #include directives...
+Requires:	asio-devel
 Requires:	boost-devel
 Requires:	openssl-devel
 
@@ -71,6 +73,7 @@ included documentation for more details.
 %prep
 %setup -q -n "libtorrent-%{version}"
 %patch0 -p0 -b .gcc43
+%patch1 -p0 -b .CVE-2009-1760
 ## Some of the sources and docs are executable, which makes rpmlint against
 ## the resulting -debuginfo and -devel packages, respectively, quite angry. :]
 find src/ docs/ -type f -exec chmod a-x '{}' \;
@@ -146,6 +149,13 @@ rm -rf %{buildroot}
 
 
 %changelog
+* Sun Jun 14 2009 Peter Gordon <peter at thecodergeek.com> - 0.12.1-2
+- Apply backported upstream patch to fix CVE-2009-1760 (arbitrary file
+  overwrite vulnerability):
+  + 0.12-CVE-2009-1760.diff
+- Fixes security bug #505523.
+- Add asio-devel as runtime dependency for the devel subpackage (#478589)
+
 * Sat Feb 09 2008 Peter Gordon <peter at thecodergeek.com> - 0.12.1-1
 - Update to new upstream bug-fix release (0.12.1)
 - Rebuild for GCC 4.3



