Your message dated Thu, 14 Feb 2013 19:17:58 +0000 with message-id <e1u64ji-0001ox...@franck.debian.org> and subject line Bug#700234: fixed in transmission 2.52-3+nmu1 has caused the Debian Bug report #700234, regarding transmission-daemon: CVE-2012-6129: Transmission can be made to crash remotely to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 700234: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700234 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: transmission-daemon Version: 2.52-3 Severity: grave Tags: security patch upstream Justification: user security hole The transmission-daemon package in wheezy crashes regularly. According to upstream this is a remote security hole (at least a remote DoS, but most probably there is a way to take control of the process). https://trac.transmissionbt.com/ticket/5044 https://trac.transmissionbt.com/ticket/5002 Apparently there is no CVE assigned. The bug is fixed upstream and I’m attaching the patch. I’m currently testing a patched package, and will report whether the fix is sufficient. Cheers, -- .''`. Josselin Mouette : :' : `. `' `-Index: trunk/third-party/libutp/utp.cpp =================================================================== --- trunk/third-party/libutp/utp.cpp (revision 13645) +++ trunk/third-party/libutp/utp.cpp (revision 13646) @@ -1488,4 +1488,6 @@ } +enum { MAX_EACK = 128 }; + void UTPSocket::selective_ack(uint base, const byte *mask, byte len) { @@ -1500,5 +1502,5 @@ // iterate in reverse over the acked packets, at the end, the top packets // are the ones we want to resend - int resends[32]; + int resends[MAX_EACK]; int nr = 0; @@ -1573,4 +1575,10 @@ count >= DUPLICATE_ACKS_BEFORE_RESEND && duplicate_ack < DUPLICATE_ACKS_BEFORE_RESEND) { + // resends is a stack, and we're mostly interested in the top of it + // if we're full, just throw away the lower half + if (nr >= MAX_EACK - 2) { + memmove(resends, &resends[MAX_EACK/2], MAX_EACK/2 * sizeof(resends[0])); + nr -= MAX_EACK / 2; + } resends[nr++] = v; LOG_UTPV("0x%08x: no ack for %u", this, v); @@ -1581,11 +1589,10 @@ } while (--bits >= -1); - if (((base - 1 - fast_resend_seq_nr) & ACK_NR_MASK) < 256 && - count >= DUPLICATE_ACKS_BEFORE_RESEND && - duplicate_ack < DUPLICATE_ACKS_BEFORE_RESEND) { + if (((base - 1 - fast_resend_seq_nr) & ACK_NR_MASK) <= OUTGOING_BUFFER_MAX_SIZE && + count >= DUPLICATE_ACKS_BEFORE_RESEND) { // if we get enough duplicate acks to start // resending, the first packet we should resend // is base-1 - resends[nr++] = base - 1; + resends[nr++] = (base - 1) & ACK_NR_MASK; } else { LOG_UTPV("0x%08x: not resending %u count:%d dup_ack:%u fast_resend_seq_nr:%u",
--- End Message ---
--- Begin Message ---Source: transmission Source-Version: 2.52-3+nmu1 We believe that the bug you reported is fixed in the latest version of transmission, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 700...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Josselin Mouette <j...@debian.org> (supplier of updated transmission package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Format: 1.8 Date: Thu, 14 Feb 2013 19:41:13 +0100 Source: transmission Binary: transmission transmission-common transmission-dbg transmission-cli transmission-gtk transmission-qt transmission-daemon Architecture: source all amd64 Version: 2.52-3+nmu1 Distribution: unstable Urgency: medium Maintainer: Leo Costela <cost...@debian.org> Changed-By: Josselin Mouette <j...@debian.org> Description: transmission - lightweight BitTorrent client transmission-cli - lightweight BitTorrent client (command line programs) transmission-common - lightweight BitTorrent client (common files) transmission-daemon - lightweight BitTorrent client (daemon) transmission-dbg - lightweight BitTorrent client (debug symbols) transmission-gtk - lightweight BitTorrent client (GTK interface) transmission-qt - lightweight BitTorrent client (Qt interface) Closes: 700234 Changes: transmission (2.52-3+nmu1) unstable; urgency=medium . * Non-maintainer upload with maintainer’s permission. * CVE-2012-6129_libutp_crash.patch: SECURITY - backport upstream commit r13646 to fix a crasher that could be exploited remotely. * Closes: #700234, CVE-2012-6129. Checksums-Sha1: f4cefe60c01c8574e630313bf0e7f4b2892ca091 1861 transmission_2.52-3+nmu1.dsc f987f6695c4d38437de17fe4c91085d6b203973b 20667 transmission_2.52-3+nmu1.debian.tar.bz2 b3aa8f0271929b8d242c4f174a6dc777675d861f 1088 transmission_2.52-3+nmu1_all.deb eb958f32926a9b4ff195967f7b73fd444bb989ad 291580 transmission-common_2.52-3+nmu1_all.deb bbb88bc76cb611f80eb3319de4b99e96e0f87324 12810198 transmission-dbg_2.52-3+nmu1_amd64.deb 9a974b226c20cf8d058774e1cdb903e185eadec7 1152450 transmission-cli_2.52-3+nmu1_amd64.deb c5300957108761c57e69a6b70ac074d41c28da82 1156996 transmission-gtk_2.52-3+nmu1_amd64.deb 7bc899b7c772d83f7eb847a91704455b05a853b8 616066 transmission-qt_2.52-3+nmu1_amd64.deb e572f94893589416fe949649bee80539b7fccd88 234428 transmission-daemon_2.52-3+nmu1_amd64.deb Checksums-Sha256: e57bfc16613c3914e1ca02c37d0878e23670a4370d1d428df50ca2c13ca853af 1861 transmission_2.52-3+nmu1.dsc f62cc4b5fc8ceb872a62c258451a1c3515a48220c01e96f091dcbabe974bf1e8 20667 transmission_2.52-3+nmu1.debian.tar.bz2 19787c55637f1828e86f7bb4fc36de6c4bbc302f5f0af2479223de01b8e12e46 1088 transmission_2.52-3+nmu1_all.deb c5516ed582822e5c77915e2f4150d45a865ec830eac5d2d4167fde4ba62b1928 291580 transmission-common_2.52-3+nmu1_all.deb bb7e2f28280af87c8784c78ee975c8d9d5e9f38946b555864bf10a4e17a68219 12810198 transmission-dbg_2.52-3+nmu1_amd64.deb 4bad3403756d94f926e2a42363ffe53f96b8105a7b0b570785d95dccb79ab49c 1152450 transmission-cli_2.52-3+nmu1_amd64.deb 0aa8b8e75fc93da54773e16db2a21026a3de6e487a0cdb1320c31ff718c0b97a 1156996 transmission-gtk_2.52-3+nmu1_amd64.deb 41d638191ed5fe5de8fbea4b67117463cd83a5f32416246aa7a6b04c846de8ac 616066 transmission-qt_2.52-3+nmu1_amd64.deb c3b96855cf74c2bcee31cf30ffd797cc737ac57a1182abd6fd165bf79503ca79 234428 transmission-daemon_2.52-3+nmu1_amd64.deb Files: e002fb148b32ec66e719ee28c98830ce 1861 net optional transmission_2.52-3+nmu1.dsc b701fba8e2fa3bf5932998eece124f02 20667 net optional transmission_2.52-3+nmu1.debian.tar.bz2 1b6cf63cf7b313c0620562a8f51baa0d 1088 net optional transmission_2.52-3+nmu1_all.deb d343d1c3a849f0d4dd76bb5ef36f53fc 291580 net optional transmission-common_2.52-3+nmu1_all.deb 93eb456bb358cbb70945d3200c77d880 12810198 debug extra transmission-dbg_2.52-3+nmu1_amd64.deb 4bfe80b7cba8a97225bef7b29b74e66f 1152450 net optional transmission-cli_2.52-3+nmu1_amd64.deb d6ef6012e1afcad9b2ad37b26a0d2f52 1156996 net optional transmission-gtk_2.52-3+nmu1_amd64.deb 05f0be4d52cf989a0ad99fffdc2fee6b 616066 net optional transmission-qt_2.52-3+nmu1_amd64.deb facaebc2bc203353b588969779654df7 234428 net optional transmission-daemon_2.52-3+nmu1_amd64.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFRHTSBrSla4ddfhTMRArKcAJ4wXG0rigPflw8hv9Ycx/7cOhIsMgCfZXxs 5ZUrZeaFkR5y30FreqSOYKw= =B1uX -----END PGP SIGNATURE-----
--- End Message ---
