tags 700234 + pending thanks Dear maintainer,
as requested, I've prepared an NMU for transmission (versioned as 2.52-3+nmu1) and uploaded it to unstable. Note that I haven’t committed the changes to git, because the repository includes not-yet-uploaded changes in the wheezy branch and I don’t know how you want to handle them. Cheers, -- .''`. Josselin Mouette : :' : `. `' `-
diff -Nru transmission-2.52/debian/changelog transmission-2.52/debian/changelog
--- transmission-2.52/debian/changelog 2012-07-31 13:26:49.000000000 +0200
+++ transmission-2.52/debian/changelog 2013-02-14 19:41:15.000000000 +0100
@@ -1,3 +1,12 @@
+transmission (2.52-3+nmu1) unstable; urgency=medium
+
+ * Non-maintainer upload with maintainer’s permission.
+ * CVE-2012-6129_libutp_crash.patch: SECURITY - backport upstream
+ commit r13646 to fix a crasher that could be exploited remotely.
+ * Closes: #700234, CVE-2012-6129.
+
+ -- Josselin Mouette <j...@debian.org> Thu, 14 Feb 2013 19:41:13 +0100
+
 transmission (2.52-3) unstable; urgency=high (fixes CVE-2012-4037)
 
 * [5b2ca219] backport fix to XSS in web client from 2.61 (CVE-2012-4037)
diff -Nru transmission-2.52/debian/patches/CVE-2012-6129_libutp_crash.patch transmission-2.52/debian/patches/CVE-2012-6129_libutp_crash.patch
--- transmission-2.52/debian/patches/CVE-2012-6129_libutp_crash.patch 1970-01-01 01:00:00.000000000 +0100
+++ transmission-2.52/debian/patches/CVE-2012-6129_libutp_crash.patch 2013-02-10 11:00:58.000000000 +0100
@@ -0,0 +1,44 @@
+Index: trunk/third-party/libutp/utp.cpp
+===================================================================
+--- trunk/third-party/libutp/utp.cpp (revision 13645)
++++ trunk/third-party/libutp/utp.cpp (revision 13646)
+@@ -1488,4 +1488,6 @@
+ }
+
++enum { MAX_EACK = 128 };
++
+ void UTPSocket::selective_ack(uint base, const byte *mask, byte len)
+ {
+@@ -1500,5 +1502,5 @@
+ // iterate in reverse over the acked packets, at the end, the top packets
+ // are the ones we want to resend
+- int resends[32];
++ int resends[MAX_EACK];
+ int nr = 0;
+
+@@ -1573,4 +1575,10 @@
+ count >= DUPLICATE_ACKS_BEFORE_RESEND &&
+ duplicate_ack < DUPLICATE_ACKS_BEFORE_RESEND) {
++ // resends is a stack, and we're mostly interested in the top of it
++ // if we're full, just throw away the lower half
++ if (nr >= MAX_EACK - 2) {
++ memmove(resends, &resends[MAX_EACK/2], MAX_EACK/2 * sizeof(resends[0]));
++ nr -= MAX_EACK / 2;
++ }
+ resends[nr++] = v;
+ LOG_UTPV("0x%08x: no ack for %u", this, v);
+@@ -1581,11 +1589,10 @@
+ } while (--bits >= -1);
+
+- if (((base - 1 - fast_resend_seq_nr) & ACK_NR_MASK) < 256 &&
+- count >= DUPLICATE_ACKS_BEFORE_RESEND &&
+- duplicate_ack < DUPLICATE_ACKS_BEFORE_RESEND) {
++ if (((base - 1 - fast_resend_seq_nr) & ACK_NR_MASK) <= OUTGOING_BUFFER_MAX_SIZE &&
++ count >= DUPLICATE_ACKS_BEFORE_RESEND) {
+ // if we get enough duplicate acks to start
+ // resending, the first packet we should resend
+ // is base-1
+- resends[nr++] = base - 1;
++ resends[nr++] = (base - 1) & ACK_NR_MASK;
+ } else {
+ LOG_UTPV("0x%08x: not resending %u count:%d dup_ack:%u fast_resend_seq_nr:%u",
diff -Nru transmission-2.52/debian/patches/series transmission-2.52/debian/patches/series
--- transmission-2.52/debian/patches/series 2012-07-31 12:55:29.000000000 +0200
+++ transmission-2.52/debian/patches/series 2013-02-14 19:39:51.000000000 +0100
@@ -1,2 +1,3 @@
 fix_xss_web_client.patch
 fix_magnet_seed_status.patch
+CVE-2012-6129_libutp_crash.patch
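Review bot: The `nr >= MAX_EACK - 2` guard in the inner hunk at -1573 keeps headroom in `resends`, but nothing in the backported patch states why or enforces it: the write after the loop in the hunk at -1581, `resends[nr++] = (base - 1) & ACK_NR_MASK;`, is still unguarded and stays in bounds only because of that headroom. Since the changelog describes this as a remotely exploitable crasher, I would record the invariant next to the guard, e.g. `// keep 2 free slots: this push plus the base-1 push after the loop`, and put `assert(nr < MAX_EACK);` before the final write. The body of `selective_ack` between the inner hunks is not visible here, so any other write to `resends` should be checked against the same bound. The new patch file also starts directly at `Index:` with no header; DEP-3 fields such as `Origin: upstream, r13646` and `Bug-Debian: https://bugs.debian.org/700234` would make the backport traceable.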