From the CVE entry [1]:
-----
Stack-based buffer overflow in the btFiles::BuildFromMI function (trunk/btfiles.cpp) in Enhanced CTorrent (aka dTorrent) 3.3.2 and probably earlier, and CTorrent 1.3.4, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a Torrent file containing a long path.
-----

Fix: The following patch updates the port and adds the patch from the vendor. It was promised that this patch will be integrated into 3.3.3. The patched port works for me.

The following VuXML entry should be evaluated and added:

<vuln vid="83d7d149-b965-11de-a515-0022156e8794">
  <topic>Enhanced cTorrent -- stack-based overflow</topic>
  <affects>
    <package>
      <name>ctorrent</name>
      <range><lt>3.3.2_2</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Securityfocus reports:</p>
      <blockquote cite="http://www.securityfocus.com/bid/34584">
        <p>cTorrent and dTorrent are prone to a remote buffer-overflow vulnerability because the software fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.</p>
        <p>Successful exploits allow remote attackers to execute arbitrary machine code in the context of a vulnerable application. Failed exploit attempts will likely result in denial-of-service conditions.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2009-1759</cvename>
    <bid>34584</bid>
    <url>http://sourceforge.net/tracker/?func=detail&aid=2782875&group_id=202532&atid=981959</url>
  </references>
  <dates>
    <discovery>2009-10-15</discovery>
    <entry>TODAY</entry>
  </dates>
</vuln>
--- vuln.xml ends here
-----FSARzvPSP12ygNyzxihkwHyVHL0G0mM6j7ziubg3a5p9zo0u
Content-Type: text/plain; name="ctorrent-fix-cve-2009-1759.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="ctorrent-fix-cve-2009-1759.diff"

From 5367e3073dbd6a13f89aad93d4005953cc2db730 Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Date: Thu, 15 Oct 2009 12:32:40 +0400
See-also: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1759
See-also: http://sourceforge.net/tracker/?func=detail&aid=2782875&group_id=202532&atid=981959
Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
---
 net-p2p/ctorrent/Makefile | 2 +-
 net-p2p/ctorrent/files/patch-cve-2009-1759 | 86 ++++++++++++++++++++++++++++
 2 files changed, 87 insertions(+), 1 deletions(-)
 create mode 100644 net-p2p/ctorrent/files/patch-cve-2009-1759
diff --git a/net-p2p/ctorrent/Makefile b/net-p2p/ctorrent/Makefile
index 9f0e25b..fa6a9e1 100644
--- a/net-p2p/ctorrent/Makefile
+++ b/net-p2p/ctorrent/Makefile
@@ -7,7 +7,7 @@
 PORTNAME= ctorrent
 PORTVERSION= 3.3.2
-PORTREVISION= 1
+PORTREVISION= 2
 CATEGORIES= net-p2p
 MASTER_SITES= http://www.rahul.net/dholmes/ctorrent/
 DISTNAME= ${PORTNAME}-dnh${PORTVERSION}
diff --git a/net-p2p/ctorrent/files/patch-cve-2009-1759 b/net-p2p/ctorrent/files/patch-cve-2009-1759
new file mode 100644
index 0000000..155fe9d
--- /dev/null
+++ b/net-p2p/ctorrent/files/patch-cve-2009-1759
@@ -0,0 +1,86 @@
+Obtained-From: http://sourceforge.net/tracker/download.php?group_id=202532&atid=981959&file_id=325065&aid=2782875
+
+Index: bencode.h
+===================================================================
+--- bencode.h (revision 301)
++++ bencode.h (revision 302)
+@@ -25,7 +25,7 @@
+ size_t decode_list(const char *b,size_t len,const char *keylist);
+ size_t decode_rev(const char *b,size_t len,const char *keylist);
+ size_t decode_query(const char *b,size_t len,const char *keylist,const char **ps,size_t *pi,int64_t *pl,int method);
+-size_t decode_list2path(const char *b, size_t n, char *pathname);
++size_t decode_list2path(const char *b, size_t n, char *pathname, size_t maxlen);
+ size_t bencode_buf(const char *str,size_t len,FILE *fp);
+ size_t bencode_str(const char *str, FILE *fp);
+ size_t bencode_int(const uint64_t integer, FILE *fp);
+Index: bencode.cpp
+===================================================================
+--- bencode.cpp (revision 301)
++++ bencode.cpp (revision 302)
+@@ -233,22 +233,28 @@
+ return bencode_end_dict_list(fp);
+ }
+
+-size_t decode_list2path(const char *b, size_t n, char *pathname)
++size_t decode_list2path(const char *b, size_t n, char *pathname, size_t maxlen)
+ {
+ const char *pb = b;
+ const char *s = (char *) 0;
++ const char *endmax = pathname + maxlen - 1;
+ size_t r,q;
+
+ if( 'l' != *pb ) return 0;
+ pb++;
+ n--;
+ if( !n ) return 0;
+- for(; n;){
++ while( n && pathname < endmax ){
+ if(!(r = buf_str(pb, n, &s, &q)) ) return 0;
++ if( q >= maxlen ) return 0;
+ memcpy(pathname, s, q);
+ pathname += q;
+- pb += r; n -= r;
+- if( 'e' != *pb ){*pathname = PATH_SP, pathname++;} else break;
++ maxlen -= q;
++ pb += r;
++ n -= r;
++ if( 'e' == *pb ) break;
++ if( pathname >= endmax ) return 0;
++ *pathname++ = PATH_SP;
+ }
+ *pathname = '\0';
+ return (pb - b + 1);
+Index: btfiles.cpp
+===================================================================
+--- btfiles.cpp (revision 301)
++++ btfiles.cpp (revision 302)
+@@ -471,6 +471,8 @@
+ BTFILE *pbf_last = (BTFILE*) 0;
+ BTFILE *pbf = (BTFILE*) 0;
+ size_t dl;
++ unsigned long nfiles = 0;
++
+ if( decode_query(metabuf,metabuf_len,"info|length",
+ (const char**) 0,(size_t*) 0,(int64_t*) 0,QUERY_LONG) )
+ return -1;
+@@ -524,12 +526,18 @@
+ #ifndef WINDOWS
+ if( !pbf ) return -1;
+ #endif
++ nfiles++;
+ pbf->bf_length = t;
+ m_total_files_length += t;
+ r = decode_query(p, dl, "path", (const char **)0, &n, (int64_t*)0,
+ QUERY_POS);
+- if( !r ) return -1;
+- if(!decode_list2path(p + r, n, path)) return -1;
++ if( !r || !decode_list2path(p + r, n, path, sizeof(path)) ){
++ CONSOLE.Warning(1,
++ "error, invalid path in torrent data for file %lu at offset %llu",
++ nfiles, m_total_files_length - t);
++ delete pbf;
++ return -1;
++ }
+
+ int f_conv;
+ char *tmpfn = new char[strlen(path)*2+5];
-- 
1.6.4.4

How-To-Repeat: [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1759 [2] http://sourceforge.net/tracker/?func=detail&aid=2782875&group_id=202532&atid=981959
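Review bot: The length check added to `decode_list2path` in the bencode.cpp hunk, `if( q >= maxlen ) return 0;`, becomes one byte too permissive for every separator written, because `maxlen` is reduced by `q` after each component (`maxlen -= q;`) but not by the `PATH_SP` byte appended at the bottom of the loop, so a multi-component path whose bytes plus separators add up to `maxlen` passes the check and the `memcpy` and the closing `*pathname = '\0';` run past the end of the caller's `path` buffer. Decrementing the budget together with the separator, `*pathname++ = PATH_SP;` followed by `maxlen--;`, keeps `maxlen` equal to the bytes still available and makes the check reject that case. Separately, when the loop exits because `pathname < endmax` became false instead of on the `'e'` terminator, the function still returns a non-zero length for a silently truncated path; returning 0 there, as the other bound checks do, would be consistent and would let the new warning in btfiles.cpp fire. The closing brace of `decode_list2path` and the start and end of the function containing the two btfiles.cpp hunks lie outside the hunk.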
Responsible Changed From-To: freebsd-ports-bugs->flz Over to maintainer (via the GNATS Auto Assign Tool)
flz 2009-10-29 14:20:17 UTC FreeBSD ports repository Modified files: net-p2p/ctorrent Makefile Added files: net-p2p/ctorrent/files patch-cve-2009-1759 Log: Fix stack-based buffer overflow (CVE-2009-1759). PR: ports/139635 Submitted by: Eygene Ryabinkin Security: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1759 Revision Changes Path 1.23 +1 -1 ports/net-p2p/ctorrent/Makefile 1.1 +86 -0 ports/net-p2p/ctorrent/files/patch-cve-2009-1759 (new) _______________________________________________ cvs-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/cvs-all To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
State Changed From-To: open->closed Committed. Thanks!
flz 2009-10-29 14:21:35 UTC FreeBSD ports repository Modified files: security/vuxml vuln.xml Log: Document vulnerability in net-p2p/ctorrent < 3.3.2_2 (CVE-2009-1759). PR: ports/139635 Submitted by: Eygene Ryabinkin Security: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1759 Revision Changes Path 1.2055 +35 -1 ports/security/vuxml/vuln.xml _______________________________________________ cvs-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/cvs-all To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"