[Secure-testing-team] Bug#576331: Transmission 1.92 fixes two security issues
Moritz Muehlenhoff
jmm at debian.org
Sat Apr 3 12:26:46 UTC 2010
Package: transmission
Severity: grave
Tags: security
The message below was reported on oss-security. CVE-2010-0749 seems
like a regular bug to me, not necessarily security-relevant, but
please upload transmission 1.92 ASAP.
Lenny isn't affected, it doesn't have support for Magnet links yet.
On a side note: Given that most Bittorrent trackers seem to block
older clients, I think we should change the update policy for Squeeze
and always introduce the recent version in stable point updates.
What do you think?
Cheers,
Moritz
> Transmission upstream has recently released latest, v1.92 version:
> [1] http://trac.transmissionbt.com/wiki/Changes
>
> fixing one (potentially two) security issues:
> a, Fix potential buffer overflow when adding maliciously-crafted
> magnet links
>
> References:
> [2] http://trac.transmissionbt.com/ticket/2965
> [3] http://trac.transmissionbt.com/wiki/Changes
> [4] http://bugs.gentoo.org/show_bug.cgi?id=309831
> Use CVE-2010-0748 for this one. I'm calling it an arbitrary memory write.
> It's not really a buffer overflow.
> b, Fix possible data corruption issue caused by data sent by bad
> peers during endgame (this one I am not completely sure of, but when
> looking at the relevant bug record:
> [5] http://trac.transmissionbt.com/ticket/1242
> there is written:
> [6] http://trac.transmissionbt.com/ticket/1242#comment:1
> "My theory is that for some reason Transmission will download a
> corrupt part from someone but not realize it until you do a
> manual verify. At this point T will recognize the bad part and
> redownload it from the same person, which just causes the
> problem again."
>
> so to prevent someone from successfully downloading content of
> some torrent file, for an attacker it should be enough to
> download a part of it, corrupt it and share it. Not sure about
> the algorithm, Transmission decides which torrent to retrieve
> content from, but if it is deterministic / predictable
> behavior / algorithm, such an attack could succeed).
>
> References:
> [7] http://trac.transmissionbt.com/ticket/1242
> [8] http://trac.transmissionbt.com/ticket/1242#comment:1
> [9] http://trac.transmissionbt.com/wiki/Changes
>
> I'm giving this issue a CVE ID too. I think this issue is a bit on the
> fence, but given a malicious client could corrupt download data in a manner
> that is hard to fix, it should get one.
> Use CVE-2010-0749
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-3-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
Versions of packages transmission depends on:
pn transmission-cli <none> (no description available)
pn transmission-common <none> (no description available)
pn transmission-gtk <none> (no description available)
transmission recommends no packages.
transmission suggests no packages.