Bug 20131 - CVE-2009-1759 "btFiles::BuildFromMI()" Buffer Overflow
Summary: CVE-2009-1759 "btFiles::BuildFromMI()" Buffer Overflow
Status: CLOSED FIXED
Alias: None
Product: Sisyphus
Classification: Development
Component: ctorrent (show other bugs)
Version: unstable
Hardware: all Linux
: P3 blocker
Assignee: Grigory Ustinov
QA Contact: qa-sisyphus
URL: http://secunia.com/advisories/34752/
Keywords: security
Depends on:
Blocks:
 
Reported: 2009-05-21 16:51 MSD by Vladimir Lettiev
Modified: 2009-08-10 13:52 MSD (History)
4 users (show)

See Also:

Attachments
патч для устранения уязвимости (2.80 KB, patch)
2009-05-21 17:43 MSD, Andrew Clark 		no flags Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Vladimir Lettiev 2009-05-21 16:51:26 MSD 
Обнаружена уязвимость в Enhanced CTorrent, которая теоретически позволяет выполнить произвольный код на целевой системе.
Уязвимость вызвана ошибкой в проверке граничных условий в функции "btFiles::BuildFromMI()" в btfiles.cpp и может привести к переполнению буфера
при открытии специально сформированного torrent-файла.

Существует эксплойт: http://milw0rm.com/exploits/8470 (который, правда, не работает на ядрах 2.6.x)

Исправление доступно в SVN: http://dtorrent.svn.sourceforge.net/viewvc/dtorrent/dtorrent/trunk/btfiles.cpp?r1=296&r2=301&view=patch
Comment 1 Andrew Clark 2009-05-21 17:43:26 MSD 
Created attachment 3550 [details]
патч для устранения уязвимости
Comment 2 serpiph 2009-06-18 21:18:02 MSD 
А воз и ныне там... Ни обновления до новой версии, ни закрывания ошибки...
Comment 3 Konstantin Pavlov 2009-06-18 22:29:39 MSD 
andyc@ вот-вот пройдет join@ и заберет этот пакет.
Comment 4 Andrew Clark 2009-08-10 13:52:03 MSD 
Пакет собран:
http://git.altlinux.org/tasks/10531/task/log

2009-Aug-10 12:33:02 :: task #10531 for sisyphus started:
#1 build 3.3.2-alt1 from /people/andyc/packages/ctorrent.git
2009-Aug-10 12:33:05 :: created pkg.tar for ctorrent.git tag 3.3.2-alt1
2009-Aug-10 12:33:07 :: [x86_64] ctorrent.git 3.3.2-alt1: build start
2009-Aug-10 12:33:07 :: [i586] ctorrent.git 3.3.2-alt1: build start
2009-Aug-10 12:33:56 :: [i586] ctorrent.git 3.3.2-alt1: build OK
2009-Aug-10 12:33:57 :: [x86_64] ctorrent.git 3.3.2-alt1: build OK
2009-Aug-10 12:33:59 :: build check OK
2009-Aug-10 12:34:00 :: plan OK
2009-Aug-10 12:34:00 :: version check OK
2009-Aug-10 12:34:13 :: created test repo
2009-Aug-10 12:34:23 :: dependencies check OK
2009-Aug-10 12:35:30 :: ELF symbols check OK
2009-Aug-10 12:35:44 :: install check OK
2009-Aug-10 12:35:44 :: gears inheritance check OK
2009-Aug-10 12:35:44 :: girar-check-perms: access to ctorrent ALLOWED for andyc: project is orphaned
2009-Aug-10 12:35:44 :: acl check OK
2009-Aug-10 12:35:44 :: packages update OK
2009-Aug-10 12:35:44 :: repo update OK
2009-Aug-10 12:35:56 :: contents_index update OK
2009-Aug-10 12:36:11 :: created /gears/c/ctorrent.git branch `sisyphus'
2009-Aug-10 12:36:19 :: gears update OK
2009-Aug-10 12:36:19 :: ACL for orphaned project `ctorrent' assigned to user `andyc'
2009-Aug-10 12:36:29 :: task #10531 for sisyphus COMPLETE