20131 2009-05-21 16:51:26 +0400 CVE-2009-1759 "btFiles::BuildFromMI()" Buffer Overflow 2009-08-10 13:52:03 +0400 1 1 4 Development Sisyphus ctorrent unstable all Linux CLOSED FIXED http://secunia.com/advisories/34752/ security P3 blocker --- 1 crux grenka andrewclarkii grenka php-coder serpiph qa-sisyphus oldest_to_newest 91598 0 crux 2009-05-21 16:51:26 +0400 Обнаружена уязвимость в Enhanced CTorrent, которая теоретически позволяет выполнить произвольный код на целевой системе. Уязвимость вызвана ошибкой в проверке граничных условий в функции "btFiles::BuildFromMI()" в btfiles.cpp и может привести к переполнению буфера при открытии специально сформированного torrent-файла. Существует эксплойт: http://milw0rm.com/exploits/8470 (который, правда, не работает на ядрах 2.6.x) Исправление доступно в SVN: http://dtorrent.svn.sourceforge.net/viewvc/dtorrent/dtorrent/trunk/btfiles.cpp?r1=296&r2=301&view=patch 91600 1 3550 andrewclarkii 2009-05-21 17:43:26 +0400 Created attachment 3550 патч для устранения уязвимости 93275 2 serpiph 2009-06-18 21:18:02 +0400 А воз и ныне там... Ни обновления до новой версии, ни закрывания ошибки... 93281 3 thresh 2009-06-18 22:29:39 +0400 andyc@ вот-вот пройдет join@ и заберет этот пакет. 96044 4 andrewclarkii 2009-08-10 13:52:03 +0400 Пакет собран: http://git.altlinux.org/tasks/10531/task/log 2009-Aug-10 12:33:02 :: task #10531 for sisyphus started: #1 build 3.3.2-alt1 from /people/andyc/packages/ctorrent.git 2009-Aug-10 12:33:05 :: created pkg.tar for ctorrent.git tag 3.3.2-alt1 2009-Aug-10 12:33:07 :: [x86_64] ctorrent.git 3.3.2-alt1: build start 2009-Aug-10 12:33:07 :: [i586] ctorrent.git 3.3.2-alt1: build start 2009-Aug-10 12:33:56 :: [i586] ctorrent.git 3.3.2-alt1: build OK 2009-Aug-10 12:33:57 :: [x86_64] ctorrent.git 3.3.2-alt1: build OK 2009-Aug-10 12:33:59 :: build check OK 2009-Aug-10 12:34:00 :: plan OK 2009-Aug-10 12:34:00 :: version check OK 2009-Aug-10 12:34:13 :: created test repo 2009-Aug-10 12:34:23 :: dependencies check OK 2009-Aug-10 12:35:30 :: ELF symbols check OK 2009-Aug-10 12:35:44 :: install check OK 2009-Aug-10 12:35:44 :: gears inheritance check OK 2009-Aug-10 12:35:44 :: girar-check-perms: access to ctorrent ALLOWED for andyc: project is orphaned 2009-Aug-10 12:35:44 :: acl check OK 2009-Aug-10 12:35:44 :: packages update OK 2009-Aug-10 12:35:44 :: repo update OK 2009-Aug-10 12:35:56 :: contents_index update OK 2009-Aug-10 12:36:11 :: created /gears/c/ctorrent.git branch `sisyphus' 2009-Aug-10 12:36:19 :: gears update OK 2009-Aug-10 12:36:19 :: ACL for orphaned project `ctorrent' assigned to user `andyc' 2009-Aug-10 12:36:29 :: task #10531 for sisyphus COMPLETE 3550 2009-05-21 17:43:26 +0400 2009-05-21 17:43:26 +0400 патч для устранения уязвимости ctorrent-dnh3.3.2-security-fix.patch text/plain 2865 andrewclarkii SW5kZXg6IGJlbmNvZGUuaAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBiZW5jb2RlLmgJKHJldmlzaW9uIDMwMSkK KysrIGJlbmNvZGUuaAkocmV2aXNpb24gMzAyKQpAQCAtMjUsNyArMjUsNyBAQAogc2l6ZV90IGRl Y29kZV9saXN0KGNvbnN0IGNoYXIgKmIsc2l6ZV90IGxlbixjb25zdCBjaGFyICprZXlsaXN0KTsK IHNpemVfdCBkZWNvZGVfcmV2KGNvbnN0IGNoYXIgKmIsc2l6ZV90IGxlbixjb25zdCBjaGFyICpr ZXlsaXN0KTsKIHNpemVfdCBkZWNvZGVfcXVlcnkoY29uc3QgY2hhciAqYixzaXplX3QgbGVuLGNv bnN0IGNoYXIgKmtleWxpc3QsY29uc3QgY2hhciAqKnBzLHNpemVfdCAqcGksaW50NjRfdCAqcGws aW50IG1ldGhvZCk7Ci1zaXplX3QgZGVjb2RlX2xpc3QycGF0aChjb25zdCBjaGFyICpiLCBzaXpl X3QgbiwgY2hhciAqcGF0aG5hbWUpOworc2l6ZV90IGRlY29kZV9saXN0MnBhdGgoY29uc3QgY2hh ciAqYiwgc2l6ZV90IG4sIGNoYXIgKnBhdGhuYW1lLCBzaXplX3QgbWF4bGVuKTsKIHNpemVfdCBi ZW5jb2RlX2J1Zihjb25zdCBjaGFyICpzdHIsc2l6ZV90IGxlbixGSUxFICpmcCk7CiBzaXplX3Qg YmVuY29kZV9zdHIoY29uc3QgY2hhciAqc3RyLCBGSUxFICpmcCk7CiBzaXplX3QgYmVuY29kZV9p bnQoY29uc3QgdWludDY0X3QgaW50ZWdlciwgRklMRSAqZnApOwpJbmRleDogYmVuY29kZS5jcHAK PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PQotLS0gYmVuY29kZS5jcHAJKHJldmlzaW9uIDMwMSkKKysrIGJlbmNvZGUuY3Bw CShyZXZpc2lvbiAzMDIpCkBAIC0yMzMsMjIgKzIzMywyOCBAQAogICByZXR1cm4gYmVuY29kZV9l bmRfZGljdF9saXN0KGZwKTsKIH0KIAotc2l6ZV90IGRlY29kZV9saXN0MnBhdGgoY29uc3QgY2hh ciAqYiwgc2l6ZV90IG4sIGNoYXIgKnBhdGhuYW1lKQorc2l6ZV90IGRlY29kZV9saXN0MnBhdGgo Y29uc3QgY2hhciAqYiwgc2l6ZV90IG4sIGNoYXIgKnBhdGhuYW1lLCBzaXplX3QgbWF4bGVuKQog ewogICBjb25zdCBjaGFyICpwYiA9IGI7CiAgIGNvbnN0IGNoYXIgKnMgPSAoY2hhciAqKSAwOwor ICBjb25zdCBjaGFyICplbmRtYXggPSBwYXRobmFtZSArIG1heGxlbiAtIDE7CiAgIHNpemVfdCBy LHE7CiAKICAgaWYoICdsJyAhPSAqcGIgKSByZXR1cm4gMDsKICAgcGIrKzsKICAgbi0tOwogICBp ZiggIW4gKSByZXR1cm4gMDsKLSAgZm9yKDsgbjspeworICB3aGlsZSggbiAmJiBwYXRobmFtZSA8 IGVuZG1heCApewogICAgIGlmKCEociA9IGJ1Zl9zdHIocGIsIG4sICZzLCAmcSkpICkgcmV0dXJu IDA7CisgICAgaWYoIHEgPj0gbWF4bGVuICkgcmV0dXJuIDA7CiAgICAgbWVtY3B5KHBhdGhuYW1l LCBzLCBxKTsKICAgICBwYXRobmFtZSArPSBxOwotICAgIHBiICs9IHI7IG4gLT0gcjsgCi0gICAg aWYoICdlJyAhPSAqcGIgKXsqcGF0aG5hbWUgPSBQQVRIX1NQLCBwYXRobmFtZSsrO30gZWxzZSBi cmVhazsKKyAgICBtYXhsZW4gLT0gcTsKKyAgICBwYiArPSByOworICAgIG4gLT0gcjsgCisgICAg aWYoICdlJyA9PSAqcGIgKSBicmVhazsKKyAgICBpZiggcGF0aG5hbWUgPj0gZW5kbWF4ICkgcmV0 dXJuIDA7CisgICAgKnBhdGhuYW1lKysgPSBQQVRIX1NQOwogICB9CiAgICpwYXRobmFtZSA9ICdc MCc7CiAgIHJldHVybiAocGIgLSBiICsgMSk7CkluZGV4OiBidGZpbGVzLmNwcAo9PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 Ci0tLSBidGZpbGVzLmNwcAkocmV2aXNpb24gMzAxKQorKysgYnRmaWxlcy5jcHAJKHJldmlzaW9u IDMwMikKQEAgLTQ3MSw2ICs0NzEsOCBAQAogICAgIEJURklMRSAqcGJmX2xhc3QgPSAoQlRGSUxF KikgMDsgCiAgICAgQlRGSUxFICpwYmYgPSAoQlRGSUxFKikgMDsKICAgICBzaXplX3QgZGw7Cisg ICAgdW5zaWduZWQgbG9uZyBuZmlsZXMgPSAwOworCiAgICAgaWYoIGRlY29kZV9xdWVyeShtZXRh YnVmLG1ldGFidWZfbGVuLCJpbmZvfGxlbmd0aCIsCiAgICAgICAgICAgICAgICAgICAgIChjb25z dCBjaGFyKiopIDAsKHNpemVfdCopIDAsKGludDY0X3QqKSAwLFFVRVJZX0xPTkcpICkKICAgICAg IHJldHVybiAtMTsKQEAgLTUyNCwxMiArNTI2LDE4IEBACiAjaWZuZGVmIFdJTkRPV1MKICAgICAg IGlmKCAhcGJmICkgcmV0dXJuIC0xOwogI2VuZGlmCisgICAgICBuZmlsZXMrKzsKICAgICAgIHBi Zi0+YmZfbGVuZ3RoID0gdDsKICAgICAgIG1fdG90YWxfZmlsZXNfbGVuZ3RoICs9IHQ7CiAgICAg ICByID0gZGVjb2RlX3F1ZXJ5KHAsIGRsLCAicGF0aCIsIChjb25zdCBjaGFyICoqKTAsICZuLCAo aW50NjRfdCopMCwKICAgICAgICAgICAgICAgICAgICAgICAgUVVFUllfUE9TKTsKLSAgICAgIGlm KCAhciApIHJldHVybiAtMTsKLSAgICAgIGlmKCFkZWNvZGVfbGlzdDJwYXRoKHAgKyByLCBuLCBw YXRoKSkgcmV0dXJuIC0xOworICAgICAgaWYoICFyIHx8ICFkZWNvZGVfbGlzdDJwYXRoKHAgKyBy LCBuLCBwYXRoLCBzaXplb2YocGF0aCkpICl7CisgICAgICAgIENPTlNPTEUuV2FybmluZygxLAor ICAgICAgICAgICJlcnJvciwgaW52YWxpZCBwYXRoIGluIHRvcnJlbnQgZGF0YSBmb3IgZmlsZSAl bHUgYXQgb2Zmc2V0ICVsbHUiLAorICAgICAgICAgIG5maWxlcywgbV90b3RhbF9maWxlc19sZW5n dGggLSB0KTsKKyAgICAgICAgZGVsZXRlIHBiZjsKKyAgICAgICAgcmV0dXJuIC0xOworICAgICAg fQogCiAgICAgICBpbnQgZl9jb252OwogICAgICAgY2hhciAqdG1wZm4gPSBuZXcgY2hhcltzdHJs ZW4ocGF0aCkqMis1XTsK