rpms/rb_libtorrent/F-9 rb_libtorrent-0.12-CVE-2009-1760.diff, NONE, 1.1 rb_libtorrent.spec, 1.10, 1.11
Peter Gordon
pgordon at fedoraproject.org
Mon Jun 15 09:02:34 UTC 2009
Author: pgordon
Update of /cvs/pkgs/rpms/rb_libtorrent/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv495
Modified Files:
rb_libtorrent.spec
Added Files:
rb_libtorrent-0.12-CVE-2009-1760.diff
Log Message:
Apply backported upstream patcDh for CVE-2009-1760; also add asio-devel to the devel subpackage Requires.
rb_libtorrent-0.12-CVE-2009-1760.diff:
--- NEW FILE rb_libtorrent-0.12-CVE-2009-1760.diff ---
diff -U0 ./ChangeLog.old ./ChangeLog
--- ./ChangeLog.old 2009-06-14 14:31:31.659446202 -0700
+++ ./ChangeLog 2009-06-14 14:31:48.369321893 -0700
@@ -2,0 +3 @@
+ * fixed torrent file path vulnerability
diff -up ./src/torrent_info.cpp.old ./src/torrent_info.cpp
--- ./src/torrent_info.cpp.old 2009-06-14 14:31:38.315506116 -0700
+++ ./src/torrent_info.cpp 2009-06-14 14:43:22.349322362 -0700
@@ -37,6 +37,8 @@ POSSIBILITY OF SUCH DAMAGE.
#include <iterator>
#include <algorithm>
#include <set>
+#include <string>
+#include <cassert>
#ifdef _MSC_VER
#pragma warning(push, 1)
@@ -68,6 +69,30 @@ namespace
str += 0x80 | (chr & 0x3f);
}
+ bool valid_path_element(std::string const& element)
+ {
+ if (element.empty()
+ || element == "." || element == ".."
+ || element[0] == '/' || element[0] == '\\'
+ || element[element.size()-1] == ':')
+ return false;
+ return true;
+ }
+
+ namespace fs = boost::filesystem;
+ fs::path sanitize_path(fs::path const& p)
+ {
+ fs::path new_path;
+ for (fs::path::const_iterator i = p.begin(); i != p.end(); ++i)
+ {
+ if (!valid_path_element(*i)) continue;
+ std::string pe = *i;
+ new_path /= pe;
+ }
+ assert(!new_path.is_complete());
+ return new_path;
+ }
+
void verify_encoding(file_entry& target)
{
std::string tmp_path;
@@ -178,9 +202,9 @@ namespace
for (entry::list_type::const_iterator i = list->begin();
i != list->end(); ++i)
{
- if (i->string() != "..")
- target.path /= i->string();
+ target.path /= i->string();
}
+ target.path = sanitize_path(target.path);
verify_encoding(target);
if (target.path.is_complete()) throw std::runtime_error("torrent contains "
"a file with an absolute path: '"
@@ -310,11 +334,9 @@ namespace libtorrent
else
{ m_name = info["name"].string(); }
- path tmp = m_name;
- if (tmp.is_complete()) throw std::runtime_error("torrent contains "
- "a file with an absolute path: '" + m_name + "'");
- if (tmp.has_branch_path()) throw std::runtime_error(
- "torrent contains name with directories: '" + m_name + "'");
+ m_name = sanitize_path(m_name).string();
+ if (!valid_path_element(m_name))
+ throw std::runtime_error("invalid 'name' of torrent (possible exploit attempt)");
// extract file list
entry const* i = info.find_key("files");
Index: rb_libtorrent.spec
===================================================================
RCS file: /cvs/pkgs/rpms/rb_libtorrent/F-9/rb_libtorrent.spec,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -p -r1.10 -r1.11
--- rb_libtorrent.spec 15 Feb 2008 07:00:08 -0000 1.10
+++ rb_libtorrent.spec 15 Jun 2009 09:02:04 -0000 1.11
@@ -1,6 +1,6 @@
Name: rb_libtorrent
Version: 0.12.1
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: A C++ BitTorrent library aiming to be the best alternative
Group: System Environment/Libraries
@@ -13,6 +13,7 @@ Source2: %{name}-COPYING.Boost
Source3: %{name}-COPYING.zlib
Patch0: %{name}-gcc43.patch
+Patch1: %{name}-0.12-CVE-2009-1760.diff
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -41,6 +42,7 @@ Requires: pkgconfig
## Same pkgconfig file, and unsuffixed shared library symlink. :(
Conflicts: libtorrent-devel
## Needed for various headers used via #include directives...
+Requires: asio-devel
Requires: boost-devel
Requires: openssl-devel
@@ -71,6 +73,7 @@ included documentation for more details.
%prep
%setup -q -n "libtorrent-%{version}"
%patch0 -p0 -b .gcc43
+%patch1 -p0 -b .CVE-2009-1760
## Some of the sources and docs are executable, which makes rpmlint against
## the resulting -debuginfo and -devel packages, respectively, quite angry. :]
find src/ docs/ -type f -exec chmod a-x '{}' \;
@@ -146,6 +149,13 @@ rm -rf %{buildroot}
%changelog
+* Sun Jun 14 2009 Peter Gordon <peter at thecodergeek.com> - 0.12.1-2
+- Apply backported upstream patch to fix CVE-2009-1760 (arbitrary file
+ overwrite vulnerability):
+ + 0.12-CVE-2009-1760.diff
+- Fixes security bug #505523.
+- Add asio-devel as runtime dependency for the devel subpackage (#478589)
+
* Sat Feb 09 2008 Peter Gordon <peter at thecodergeek.com> - 0.12.1-1
- Update to new upstream bug-fix release (0.12.1)
- Rebuild for GCC 4.3
More information about the scm-commits
mailing list