GLSA Advocate
Joined: 12 May 2004 Posts: 2663
Posted: Fri Jul 17, 2009 7:26 am Post subject: [ GLSA 200907-14 ] Rasterbar libtorrent: Directory traversal
Gentoo Linux Security Advisory
Title: Rasterbar libtorrent: Directory traversal (GLSA 200907-14)
Severity: normal
Exploitable: remote
Date: July 17, 2009
Bug(s): #273156, #273961
ID: 200907-14
Synopsis
A directory traversal vulnerability in Rasterbar libtorrent might allow a remote attacker to overwrite arbitrary files.
Background
Rasterbar libtorrent is a C++ BitTorrent implementation focusing on efficiency and scalability. Deluge is a BitTorrent client that ships a copy of libtorrent.
Affected Packages
Package: net-libs/rb_libtorrent
Vulnerable: < 0.13-r1
Unaffected: >= 0.13-r1
Architectures: All supported architectures
Package: net-p2p/deluge
Vulnerable: < 1.1.9
Unaffected: >= 1.1.9
Architectures: All supported architectures
Description
census reported a directory traversal vulnerability in src/torrent_info.cpp that can be triggered via .torrent files.
Impact
A remote attacker could entice a user or automated system using Rasterbar libtorrent to load a specially crafted BitTorrent file to create or overwrite arbitrary files using dot dot sequences in filenames.
Workaround
There is no known workaround at this time.
Resolution
All Rasterbar libtorrent users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/rb_libtorrent-0.13-r1"
All Deluge users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-p2p/deluge-1.1.9"
References
CVE-2009-1760
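The Impact section above describes dot dot sequences in file names taken from a .torrent file. The following is an added example, not code from the advisory, libtorrent or Deluge: a sketch of the check a client can apply to the "path" list of each file entry before joining it under the download directory. The helper names safe_element and safe_join, the directory /var/torrents and the sample entries are all constructed for illustration.

```cpp
// Added example: validate the "path" list of a multi-file .torrent entry
// before joining it under the download directory. Not libtorrent's code.
#include <iostream>
#include <optional>
#include <string>
#include <vector>

// True if one path element from the torrent metadata is safe to use as a
// single directory or file name.
bool safe_element(const std::string& e) {
    if (e.empty() || e == "." || e == "..") return false;
    // A separator or NUL inside one element would smuggle in extra components.
    return e.find_first_of(std::string("/\\\0", 3)) == std::string::npos;
}

// Join the elements under save_dir, or return nullopt if any element could
// move the result outside save_dir. (safe_join is a hypothetical helper.)
std::optional<std::string> safe_join(const std::string& save_dir,
                                     const std::vector<std::string>& elems) {
    if (elems.empty()) return std::nullopt;
    std::string out = save_dir;
    for (const auto& e : elems) {
        if (!safe_element(e)) return std::nullopt;
        if (!out.empty() && out.back() != '/') out += '/';
        out += e;
    }
    return out;
}

int main() {
    // Constructed sample entries, as they would look after bdecoding.
    const std::vector<std::vector<std::string>> samples = {
        {"album", "track01.ogg"},
        {"..", "..", ".bashrc"},
        {"docs", "../../etc/cron.d/job"},
        {"/etc", "passwd"},
    };
    for (const auto& s : samples) {
        auto p = safe_join("/var/torrents", s);
        std::cout << (p ? *p : std::string("REJECTED")) << '\n';
    }
    return 0;
}
```

Rejecting the whole entry, rather than silently stripping the bad element, keeps a crafted file from landing under an unexpected name inside the download directory.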