diff --git a/rb_libtorrent-0.12-CVE-2009-1760.diff b/rb_libtorrent-0.12-CVE-2009-1760.diff
new file mode 100644
index 0000000..6a14a25
--- /dev/null
+++ b/rb_libtorrent-0.12-CVE-2009-1760.diff
@@ -0,0 +1,75 @@
+diff -U0 ./ChangeLog.old ./ChangeLog
+--- ./ChangeLog.old 2009-06-14 14:31:31.659446202 -0700
++++ ./ChangeLog 2009-06-14 14:31:48.369321893 -0700
+@@ -2,0 +3 @@
++ * fixed torrent file path vulnerability
+diff -up ./src/torrent_info.cpp.old ./src/torrent_info.cpp
+--- ./src/torrent_info.cpp.old 2009-06-14 14:31:38.315506116 -0700
++++ ./src/torrent_info.cpp 2009-06-14 14:43:22.349322362 -0700
+@@ -37,6 +37,8 @@ POSSIBILITY OF SUCH DAMAGE.
+ #include
+ #include
+ #include
++#include
++#include
+
+ #ifdef _MSC_VER
+ #pragma warning(push, 1)
+@@ -68,6 +69,30 @@ namespace
+ str += 0x80 | (chr & 0x3f);
+ }
+
++ bool valid_path_element(std::string const& element)
++ {
++ if (element.empty()
++ || element == "." || element == ".."
++ || element[0] == '/' || element[0] == '\\'
++ || element[element.size()-1] == ':')
++ return false;
++ return true;
++ }
++
++ namespace fs = boost::filesystem;
++ fs::path sanitize_path(fs::path const& p)
++ {
++ fs::path new_path;
++ for (fs::path::const_iterator i = p.begin(); i != p.end(); ++i)
++ {
++ if (!valid_path_element(*i)) continue;
++ std::string pe = *i;
++ new_path /= pe;
++ }
++ assert(!new_path.is_complete());
++ return new_path;
++ }
++
+ void verify_encoding(file_entry& target)
+ {
+ std::string tmp_path;
+@@ -178,9 +202,9 @@ namespace
+ for (entry::list_type::const_iterator i = list->begin();
+ i != list->end(); ++i)
+ {
+- if (i->string() != "..")
+- target.path /= i->string();
++ target.path /= i->string();
+ }
++ target.path = sanitize_path(target.path);
+ verify_encoding(target);
+ if (target.path.is_complete()) throw std::runtime_error("torrent contains "
+ "a file with an absolute path: '"
+@@ -310,11 +334,9 @@ namespace libtorrent
+ else
+ { m_name = info["name"].string(); }
+
+- path tmp = m_name;
+- if (tmp.is_complete()) throw std::runtime_error("torrent contains "
+- "a file with an absolute path: '" + m_name + "'");
+- if (tmp.has_branch_path()) throw std::runtime_error(
+- "torrent contains 
name with directories: '" + m_name + "'");
++ m_name = sanitize_path(m_name).string();
++ if (!valid_path_element(m_name))
++ throw std::runtime_error("invalid 'name' of torrent (possible exploit attempt)");
+
+ // extract file list
+ entry const* i = info.find_key("files");
diff --git a/rb_libtorrent.spec b/rb_libtorrent.spec
index ee2b187..1b635ec 100644
--- a/rb_libtorrent.spec
+++ b/rb_libtorrent.spec
@@ -1,6 +1,6 @@ Name: rb_libtorrent Version: 0.12.1 -Release: 1%{?dist} +Release: 2%{?dist} Summary: A C++ BitTorrent library aiming to be the best alternative Group: System Environment/Libraries
@@ -13,6 +13,7 @@ Source2: %{name}-COPYING.Boost Source3: %{name}-COPYING.zlib Patch0: %{name}-gcc43.patch +Patch1: %{name}-0.12-CVE-2009-1760.diff BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -41,6 +42,7 @@ Requires: pkgconfig ## Same pkgconfig file, and unsuffixed shared library symlink. :( Conflicts: libtorrent-devel ## Needed for various headers used via #include directives... +Requires: asio-devel Requires: boost-devel Requires: openssl-devel
@@ -71,6 +73,7 @@ included documentation for more details.)
 %prep
 %setup -q -n "libtorrent-%{version}"
 %patch0 -p0 -b .gcc43
+%patch1 -p0 -b .CVE-2009-1760
 ## Some of the sources and docs are executable, which makes rpmlint against
 ## the resulting -debuginfo and -devel packages, respectively, quite angry. :]
 find src/ docs/ -type f -exec chmod a-x '{}' \;
@@ -146,6 +149,13 @@ rm -rf %{buildroot} %changelog +* Sun Jun 14 2009 Peter Gordon - 0.12.1-2 +- Apply backported upstream patch to fix CVE-2009-1760 (arbitrary file + overwrite vulnerability): + + 0.12-CVE-2009-1760.diff +- Fixes security bug #505523. +- Add asio-devel as runtime dependency for the devel subpackage (#478589) + * Sat Feb 09 2008 Peter Gordon - 0.12.1-1 - Update to new upstream bug-fix release (0.12.1) - Rebuild for GCC 4.3
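Review bot: In the last hunk of the backported torrent_info.cpp patch, the check that replaces the removed `tmp.has_branch_path()` test is weaker than what it removes: `sanitize_path` keeps every element that passes `valid_path_element`, so a multi-element name survives sanitizing, and `valid_path_element(m_name)` then only looks at the first and last character of the joined string, so a 'name' with directory components that the old code rejected is now accepted. If that relaxation is not intended by the upstream fix, keep the branch test after sanitizing, `if (!valid_path_element(m_name) || path(m_name).has_branch_path())` in front of the throw. Separately, `assert(!new_path.is_complete())` in `sanitize_path` (second hunk) is compiled out under NDEBUG, so on the file-list side the surviving `target.path.is_complete()` throw is the only runtime guard and deserves a comment saying so, while the 'name' side has no equivalent runtime check beyond the element filter. The enclosing functions of the last two hunks start and end outside the hunks.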