Bug 139635 - [patch] net-p2p/ctorrent: fix buffer overflow, CVE-2009-1759
Summary: [patch] net-p2p/ctorrent: fix buffer overflow, CVE-2009-1759
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: Florent Thoumie
Reported: 2009-10-15 09:50 UTC by Eygene Ryabinkin
Modified: 2009-10-29 14:30 UTC (History)

Description Eygene Ryabinkin 2009-10-15 09:50:00 UTC
From the CVE entry [1]:
-----
Stack-based buffer overflow in the btFiles::BuildFromMI function
(trunk/btfiles.cpp) in Enhanced CTorrent (aka dTorrent) 3.3.2 and
probably earlier, and CTorrent 1.3.4, allows remote attackers to cause a
denial of service (crash) and possibly execute arbitrary code via a
Torrent file containing a long path.
-----

Fix: The following patch updates the port and adds the patch from the vendor.
It was promised that this patch will be integrated into 3.3.3.


Patched port works for me.

The following VuXML entry should be evaluated and added:
  <vuln vid="83d7d149-b965-11de-a515-0022156e8794">
    <topic>Enhanced cTorrent -- stack-based overflow</topic>
    <affects>
      <package>
        <name>ctorrent</name>
        <range><lt>3.3.2_2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Securityfocus reports:</p>
        <blockquote
          cite="http://www.securityfocus.com/bid/34584">
          <p>cTorrent and dTorrent are prone to a remote buffer-overflow
             vulnerability because the software fails to properly
             bounds-check user-supplied input before copying it to an
             insufficiently sized memory buffer.</p>
          <p>Successful exploits allow remote attackers to execute
             arbitrary machine code in the context of a vulnerable
             application. Failed exploit attempts will likely result in
             denial-of-service conditions.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2009-1759</cvename>
      <bid>34584</bid>
      <url>http://sourceforge.net/tracker/?func=detail&amp;aid=2782875&amp;group_id=202532&amp;atid=981959</url>
    </references>
    <dates>
      <discovery>2009-10-15</discovery>
      <entry>TODAY</entry>
    </dates>
  </vuln>
--- vuln.xml ends here ---

Attachment: ctorrent-fix-cve-2009-1759.diff (text/plain)

From 5367e3073dbd6a13f89aad93d4005953cc2db730 Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Date: Thu, 15 Oct 2009 12:32:40 +0400

See-also: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1759
See-also: http://sourceforge.net/tracker/?func=detail&aid=2782875&group_id=202532&atid=981959

Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
---
 net-p2p/ctorrent/Makefile                  |    2 +-
 net-p2p/ctorrent/files/patch-cve-2009-1759 |   86 ++++++++++++++++++++++++++++
 2 files changed, 87 insertions(+), 1 deletions(-)
 create mode 100644 net-p2p/ctorrent/files/patch-cve-2009-1759

diff --git a/net-p2p/ctorrent/Makefile b/net-p2p/ctorrent/Makefile
index 9f0e25b..fa6a9e1 100644
--- a/net-p2p/ctorrent/Makefile
+++ b/net-p2p/ctorrent/Makefile
@@ -7,7 +7,7 @@
 
 PORTNAME=	ctorrent
 PORTVERSION=	3.3.2
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	net-p2p
 MASTER_SITES=	http://www.rahul.net/dholmes/ctorrent/
 DISTNAME=	${PORTNAME}-dnh${PORTVERSION}
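Review bot: the PORTREVISION bump from 1 to 2 is the right change for a fix that only adds a files/ patch and leaves the distfile untouched, and it agrees with the `<lt>3.3.2_2</lt>` range in the proposed VuXML entry, so already-installed 3.3.2_1 packages will be reported as vulnerable once the entry lands. Nothing further needed in this hunk.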
diff --git a/net-p2p/ctorrent/files/patch-cve-2009-1759 b/net-p2p/ctorrent/files/patch-cve-2009-1759
new file mode 100644
index 0000000..155fe9d
--- /dev/null
+++ b/net-p2p/ctorrent/files/patch-cve-2009-1759
@@ -0,0 +1,86 @@
+Obtained-From: http://sourceforge.net/tracker/download.php?group_id=202532&atid=981959&file_id=325065&aid=2782875
+
+Index: bencode.h
+===================================================================
+--- bencode.h	(revision 301)
++++ bencode.h	(revision 302)
+@@ -25,7 +25,7 @@
+ size_t decode_list(const char *b,size_t len,const char *keylist);
+ size_t decode_rev(const char *b,size_t len,const char *keylist);
+ size_t decode_query(const char *b,size_t len,const char *keylist,const char **ps,size_t *pi,int64_t *pl,int method);
+-size_t decode_list2path(const char *b, size_t n, char *pathname);
++size_t decode_list2path(const char *b, size_t n, char *pathname, size_t maxlen);
+ size_t bencode_buf(const char *str,size_t len,FILE *fp);
+ size_t bencode_str(const char *str, FILE *fp);
+ size_t bencode_int(const uint64_t integer, FILE *fp);
+Index: bencode.cpp
+===================================================================
+--- bencode.cpp	(revision 301)
++++ bencode.cpp	(revision 302)
+@@ -233,22 +233,28 @@
+   return bencode_end_dict_list(fp);
+ }
+ 
+-size_t decode_list2path(const char *b, size_t n, char *pathname)
++size_t decode_list2path(const char *b, size_t n, char *pathname, size_t maxlen)
+ {
+   const char *pb = b;
+   const char *s = (char *) 0;
++  const char *endmax = pathname + maxlen - 1;
+   size_t r,q;
+ 
+   if( 'l' != *pb ) return 0;
+   pb++;
+   n--;
+   if( !n ) return 0;
+-  for(; n;){
++  while( n && pathname < endmax ){
+     if(!(r = buf_str(pb, n, &s, &q)) ) return 0;
++    if( q >= maxlen ) return 0;
+     memcpy(pathname, s, q);
+     pathname += q;
+-    pb += r; n -= r; 
+-    if( 'e' != *pb ){*pathname = PATH_SP, pathname++;} else break;
++    maxlen -= q;
++    pb += r;
++    n -= r; 
++    if( 'e' == *pb ) break;
++    if( pathname >= endmax ) return 0;
++    *pathname++ = PATH_SP;
+   }
+   *pathname = '\0';
+   return (pb - b + 1);
+Index: btfiles.cpp
+===================================================================
+--- btfiles.cpp	(revision 301)
++++ btfiles.cpp	(revision 302)
+@@ -471,6 +471,8 @@
+     BTFILE *pbf_last = (BTFILE*) 0; 
+     BTFILE *pbf = (BTFILE*) 0;
+     size_t dl;
++    unsigned long nfiles = 0;
++
+     if( decode_query(metabuf,metabuf_len,"info|length",
+                     (const char**) 0,(size_t*) 0,(int64_t*) 0,QUERY_LONG) )
+       return -1;
+@@ -524,12 +526,18 @@
+ #ifndef WINDOWS
+       if( !pbf ) return -1;
+ #endif
++      nfiles++;
+       pbf->bf_length = t;
+       m_total_files_length += t;
+       r = decode_query(p, dl, "path", (const char **)0, &n, (int64_t*)0,
+                        QUERY_POS);
+-      if( !r ) return -1;
+-      if(!decode_list2path(p + r, n, path)) return -1;
++      if( !r || !decode_list2path(p + r, n, path, sizeof(path)) ){
++        CONSOLE.Warning(1,
++          "error, invalid path in torrent data for file %lu at offset %llu",
++          nfiles, m_total_files_length - t);
++        delete pbf;
++        return -1;
++      }
+ 
+       int f_conv;
+       char *tmpfn = new char[strlen(path)*2+5];
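Review bot: in the bencode.cpp part of this file, the `while( n && pathname < endmax )` loop can leave without ever seeing the closing `'e'` (when `n` drops to 0 on a truncated list, or when `pathname` reaches `endmax` right after `*pathname++ = PATH_SP;`), and control then falls through to `*pathname = '\0'; return (pb - b + 1);`, so a path that did not fit is returned as a success with a silently truncated value and a consumed length that does not end at an `'e'`. Suggest turning that fall-through into an error before the terminator write, e.g. `if( !n || 'e' != *pb ) return 0;`, which also fixes the pre-existing read of `*pb` one byte past the input when `n -= r` reaches 0; the caller in btfiles.cpp then takes the same `return -1` path as for an oversized element. In the btfiles.cpp part, the new `delete pbf;` is only safe if `pbf` has not yet been linked from `pbf_last` or the file list at that point; the context does not show that, and the two earlier `return -1` exits in the same function do not free it, so please confirm ownership, otherwise the list is left holding a dangling pointer.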
-- 
1.6.4.4
How-To-Repeat: 
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1759
[2] http://sourceforge.net/tracker/?func=detail&aid=2782875&group_id=202532&atid=981959
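Added example, not code from the ctorrent project or from the patch above: a bounds-checked decoder for the bencoded path list ("l<len>:<bytes>...e") that decode_list2path handles, written so that an over-long or malformed list is reported as an error instead of being copied into a fixed-size stack buffer or silently truncated. The inputs and the `PATH_SEP` name are constructed assumptions (ctorrent's own macro is `PATH_SP`).

```c
#include <stddef.h>
#include <string.h>
#define PATH_SEP '/'   /* assumed separator; ctorrent's own macro is PATH_SP */

/* Parse one bencoded string "<len>:<bytes>" at b (n bytes available). Sets
 * *s/*q to the payload and returns bytes consumed, or 0 on malformed input. */
static size_t parse_bstr(const char *b, size_t n, const char **s, size_t *q)
{
    size_t i = 0, len = 0;
    if (n == 0 || b[0] < '0' || b[0] > '9') return 0;
    while (i < n && b[i] >= '0' && b[i] <= '9') {
        if (len > (n - i) / 10) return 0;  /* length already exceeds the input */
        len = len * 10 + (size_t)(b[i] - '0');
        i++;
    }
    if (i >= n || b[i] != ':') return 0;
    i++;
    if (len > n - i) return 0;             /* payload would run past the input */
    *s = b + i; *q = len;
    return i + len;
}

/* Join the elements of a bencoded list "l...e" with PATH_SEP into out, whose
 * capacity outlen includes the terminating NUL. Returns input bytes consumed
 * (closing 'e' included), or 0 if the list is malformed or the path won't fit. */
size_t list2path_bounded(const char *b, size_t n, char *out, size_t outlen)
{
    const char *pb = b, *s;
    size_t used = 0, r, q;
    int first = 1;
    if (outlen == 0 || n < 2 || *pb != 'l') return 0;
    pb++; n--;
    for (;;) {
        if (n == 0) return 0;              /* list never closed with 'e' */
        if (*pb == 'e') break;
        if (!(r = parse_bstr(pb, n, &s, &q))) return 0;
        if (!first) {
            if (used + 1 >= outlen) return 0;   /* no room for the separator */
            out[used++] = PATH_SEP;
        }
        if (q >= outlen - used) return 0;  /* element plus NUL would not fit */
        memcpy(out + used, s, q);
        used += q;
        first = 0;
        pb += r; n -= r;
    }
    out[used] = '\0';
    return (size_t)(pb - b) + 1;
}
```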
Comment 1 Edwin Groothuis freebsd_committer freebsd_triage 2009-10-15 09:50:16 UTC
Responsible Changed
From-To: freebsd-ports-bugs->flz

Over to maintainer (via the GNATS Auto Assign Tool)
Comment 2 dfilter service freebsd_committer freebsd_triage 2009-10-29 14:20:27 UTC
flz         2009-10-29 14:20:17 UTC

  FreeBSD ports repository

  Modified files:
    net-p2p/ctorrent     Makefile 
  Added files:
    net-p2p/ctorrent/files patch-cve-2009-1759 
  Log:
  Fix stack-based buffer overflow (CVE-2009-1759).
  
  PR:             ports/139635
  Submitted by:   Eygene Ryabinkin
  Security:       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1759
  
  Revision  Changes    Path
  1.23      +1 -1      ports/net-p2p/ctorrent/Makefile
  1.1       +86 -0     ports/net-p2p/ctorrent/files/patch-cve-2009-1759 (new)
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
Comment 3 Florent Thoumie freebsd_committer freebsd_triage 2009-10-29 14:21:44 UTC
State Changed
From-To: open->closed

Committed. Thanks!
Comment 4 dfilter service freebsd_committer freebsd_triage 2009-10-29 14:21:49 UTC
flz         2009-10-29 14:21:35 UTC

  FreeBSD ports repository

  Modified files:
    security/vuxml       vuln.xml 
  Log:
  Document vulnerability in net-p2p/ctorrent < 3.3.2_2 (CVE-2009-1759).
  
  PR:             ports/139635
  Submitted by:   Eygene Ryabinkin
  Security:       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1759
  
  Revision  Changes    Path
  1.2055    +35 -1     ports/security/vuxml/vuln.xml