Created attachment 151065 [details]
files/patch-CVE-2012-6129

On the suspicion of causing https://forums.freebsd.org/threads/transmission-exited-on-signal-11-core-dumped.49483/

References:
https://trac.transmissionbt.com/ticket/5002
https://github.com/bittorrent/libutp/issues/38
Maintainer CC'd
libutp upstream fixed as part of https://github.com/bittorrent/libutp/commit/365254
Created attachment 151066 [details] |poudriere testport -P| log (8.4R amd64)
Created attachment 151067 [details] |poudriere testport -P| log (10.1R i386)
Requires PORTREVISION bump and VuXML entry:

  <vuln vid="0523fb7e-8444-4e86-812d-8de05f6f0dce">
    <topic>libutp -- remote denial of service or arbitrary code execution</topic>
    <affects>
      <package>
        <name>bittorrent-libutp</name>
        <range><lt>0.20130514_1</lt></range>
      </package>
      <package>
        <name>transmission-cli</name>
        <name>transmission-daemon</name>
        <name>transmission-gtk</name>
        <name>transmission-qt4</name>
        <range><lt>2.74</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>NVD reports:</p>
        <blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6129">
          <p>Stack-based buffer overflow in utp.cpp in libutp, as used in Transmission before 2.74 and possibly other products, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted "micro transport protocol packets."</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2012-6129</cvename>
      <url>https://github.com/bittorrent/libutp/issues/38</url>
      <url>https://trac.transmissionbt.com/ticket/5002</url>
    </references>
    <dates>
      <discovery>2012-08-01</discovery>
      <entry>2014-12-29</entry>
    </dates>
  </vuln>
Retrospectively, I've missed the fix while trying to update libutp to the latest version and later downgrading to the one compatible with transmission. /branches/2014Q4 is also affected as it contains bug 194029 which regresses transmission-* ports.
It looks like libutp has already merged the fix. Should I not simply update net/libutp to today's version from GitHub? We'll still need the VuXML-entry, of course :-/
As noted in bug 194036, the current version breaks the transmission build. And the blob commit doesn't help in understanding what else changed in libutp besides the new API (version == 2?). Filing a bug against transmission may help to see what they think.
needs-qa without outlined steps is too ambiguous. Were the logs enough or do I need to provide something else? For one, needs-qa encompasses other QA tasks such as reproducing the issue and confirming the fix. I cannot confirm my own report/patch, so the next in line is the maintainer and then a passing-by committer.
So, do you approve just the patch? Either way, we need to mark the current version as vulnerable. https://reviews.freebsd.org/D1575
Comment on attachment 151065 [details] files/patch-CVE-2012-6129 Jan, comparing third-party/libutp, that's bundled with Transmission against our bittorrent-libutp-7c4f19a, I get exactly the same changes as above EXCEPT for the following: --- bittorrent-libutp-7c4f19a/utp_utils.cpp 2013-05-14 19:05:36.000000000 -0400 +++ libutp/utp_utils.cpp 2014-07-01 13:10:47.850913000 -0400 ... -#define UDP_TEREDO_MTU (TEREDO_MTU - IPV6_HEADER_SIZE - UDP_HEADER_SIZE) +#define UDP_TEREDO_MTU (TEREDO_MTU - UDP_HEADER_SIZE) It would seem to me, if we are bringing our libutp in line with what its main (sole?) user expects, we should include all changes. Did you omit the change to utp_utils.cpp on purpose? Thank you!
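Review bot: the `+#define UDP_TEREDO_MTU (TEREDO_MTU - UDP_HEADER_SIZE)` line no longer subtracts IPV6_HEADER_SIZE, so the macro grows by the size of the IPv6 header compared with the `-` line. In a patch set whose purpose is to close a buffer overflow triggered by crafted packets, a change that enlarges a packet-size limit should carry a comment justifying it or be left out; confirm which of the two definitions upstream libutp currently carries before adopting this one.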
Transmission's bundled copy of libutp lacks https://github.com/bittorrent/libutp/commit/bace1f9
Comment on attachment 151065 [details] files/patch-CVE-2012-6129 Here's how the commit would look once you grant maintainer-approval. https://reviews.freebsd.org/D1593
A commit references this bug:

Author: mi
Date: Thu Jan 22 17:31:49 UTC 2015
New revision: 377674
URL: https://svnweb.freebsd.org/changeset/ports/377674

Log:
  Add a patch fixing a long-standing security problem. Bump PORTREVISION.

  PR: 196351
  Differential Revision: D1593
  Submitted by: Jan Beich
  Security: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6129

  While here, arrange for building a few of the small utilities bundled
  with library, and install them along with another potentially useful
  header-file.

  Sponsored by: http://libpipe.com/

Changes:
  head/net/libutp/Makefile
  head/net/libutp/files/BSDmakefile
  head/net/libutp/files/BSDmakefile.utils
  head/net/libutp/files/patch-CVE-2012-6129
  head/net/libutp/pkg-descr
  head/net/libutp/pkg-plist

A commit references this bug:

Author: mi
Date: Thu Jan 22 17:43:49 UTC 2015
New revision: 377675
URL: https://svnweb.freebsd.org/changeset/ports/377675

Log:
  Add a note about the just-fixed vulnerability of applications using
  net/libutp.

  PR: 196351
  Differential Revision: D1575
  Submitted by: Jan Beich
  Approved by: bapt

Changes:
  head/security/vuxml/vuln.xml
Thank you very much, Jan, for your work and patience.
Per comment 6, do you plan to merge to quarterly branches? Otherwise, transmission users there are left exposed to the vulnerability since ports r369657.
A commit references this bug:

Author: jbeich
Date: Tue Jan 27 13:55:30 UTC 2015
New revision: 378009
URL: https://svnweb.freebsd.org/changeset/ports/378009

Log:
  MFH: r377320 by riggs
  Convert to USE_GITHUB

  PR: 196616
  Submitted by: jbeich@vfemail.net
  Approved by: mi@FreeBSD.org (maintainer)

  MFH: r377674 by mi
  Add a patch fixing a long-standing security problem. Bump PORTREVISION.

  PR: 196351
  Differential Revision: D1593
  Submitted by: Jan Beich
  Security: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6129

  While here, arrange for building a few of the small utilities bundled
  with library, and install them along with another potentially useful
  header-file.

  Sponsored by: http://libpipe.com/

  MFH: r377699 by mi
  Add a patch to fix 64-bit specific warnings in the just-added utilities.

  PR: 197009
  Submitted by: Jan Beich
  Approved by: portmgr (mat, bapt)
  Approved by: bapt (mentor)

Changes:
_U  branches/2015Q1/
  branches/2015Q1/net/libutp/Makefile
  branches/2015Q1/net/libutp/distinfo
  branches/2015Q1/net/libutp/files/BSDmakefile
  branches/2015Q1/net/libutp/files/BSDmakefile.utils
  branches/2015Q1/net/libutp/files/patch-CVE-2012-6129
  branches/2015Q1/net/libutp/files/patch-size_t
  branches/2015Q1/net/libutp/pkg-descr
  branches/2015Q1/net/libutp/pkg-plist