Bug 34459 - rpc session-id mechanism design flaw results in RCE
Summary: rpc session-id mechanism design flaw results in RCE
Status: CLOSED FIXED
Alias: None
Product: Sisyphus
Classification: Development
Component: transmission
Version: unstable
Hardware: all Linux
Importance: P3 normal
Assignee: Anton Farygin
QA Contact: qa-sisyphus
URL: http://www.openwall.com/lists/oss-sec...
Keywords:
Depends on:
Blocks:
 
Reported: 2018-01-14 22:49 MSK by Dmitry V. Levin
Modified: 2018-01-18 21:21 MSK
Description Dmitry V. Levin 2018-01-14 22:49:03 MSK
Insecure RPC handling between the transmission daemon and the client interfaces may result in the execution of arbitrary code if a user visits a malicious website while transmission is running.
Comment 1 Repository Robot 2018-01-15 14:16:56 MSK
transmission-2.92-alt5.S1 -> sisyphus:

Mon Jan 15 2018 Anton Farygin <rider@altlinux.ru> 2.92-alt5.S1
- added fix for security flaw in RPC (closes: #34459)
Comment 2 Michael Shigorin 2018-01-18 16:58:29 MSK
Please backport the fix to p8.
Comment 3 Anton Farygin 2018-01-18 21:21:56 MSK
Already done.