| Field | Value |
|---|---|
| Summary | net-p2p/transmission-daemon: mitigate dns rebinding attacks against daemon |
| Product | Ports & Packages |
| Component | Individual Port(s) |
| Status | Closed FIXED |
| Severity | Affects Only Me |
| Priority | --- |
| Version | Latest |
| Hardware | Any |
| OS | Any |
| Reporter | Ben Woods <woodsb02> |
| Assignee | Ben Woods <woodsb02> |
| CC | crees, vsasjason, woodsb02 |
| Flags | crees: maintainer-feedback+; woodsb02: merge-quarterly+ |
| URL | https://github.com/transmission/transmission/pull/468 |
| Attachments | |
Description

Ben Woods, 2018-01-14 01:54:59 UTC

Created attachment 189696 [details]
Patch to fix transmission-daemon DNS rebinding vulnerability

This patch is taken from here and adapted to work with the FreeBSD ports system:
https://github.com/transmission/transmission/pull/468#issuecomment-357098126

One thing that is not included with this patch is bumping the PORTREVISION of all affected transmission components. At a minimum, this would be net-p2p/transmission-daemon, but could include others given a number of the transmission ports are SLAVE PORTS of net-p2p/transmission-cli and use the same DISTFILE.

A commit references this bug:

Author: woodsb02
Date: Sun Jan 14 02:19:47 UTC 2018
New revision: 458952
URL: https://svnweb.freebsd.org/changeset/ports/458952

Log:
  Document DNS rebinding vulnerabilities in net-p2p/transmission-daemon

  PR:		225150
  Security:	https://www.vuxml.org/freebsd/3e5b8bd3-0c32-452f-a60e-beab7b762351.html

Changes:
  head/security/vuxml/vuln.xml

(In reply to Ben Woods from comment #2)
Thanks a lot! If you've got it open, yes please commit. You'll only need to bump -daemon as that's the only one with the issue.

A commit references this bug:

Author: woodsb02
Date: Sun Jan 14 22:35:00 UTC 2018
New revision: 459011
URL: https://svnweb.freebsd.org/changeset/ports/459011

Log:
  net-p2p/transmission-daemon: Mitigate DNS rebinding attack

  Incorporate upstream pull request 468, proposed by Tavis Ormandy from Google Project Zero, which mitigates this attack by requiring a host whitelist for requests that cannot be proven to be secure, but it can be disabled if a user does not want security.

  PR:		225150
  Submitted by:	Tavis Ormandy
  Approved by:	crees (maintainer)
  Obtained from:	https://github.com/transmission/transmission/pull/468#issuecomment-357098126
  MFH:		2018Q1
  Security:	https://www.vuxml.org/freebsd/3e5b8bd3-0c32-452f-a60e-beab7b762351.html

Changes:
  head/net-p2p/transmission-cli/files/patch-fix_dns_rebinding_vuln
  head/net-p2p/transmission-daemon/Makefile

A commit references this bug:

Author: woodsb02
Date: Sun Jan 14 23:29:04 UTC 2018
New revision: 459013
URL: https://svnweb.freebsd.org/changeset/ports/459013

Log:
  Add note to UPDATING for net-p2p/transmission-daemon explaining how to allow client access with the new DNS rebinding mitigations.

  PR:		225150
  MFH:		2018Q1
  Security:	https://www.vuxml.org/freebsd/3e5b8bd3-0c32-452f-a60e-beab7b762351.html

Changes:
  head/UPDATING

Committed to ports head. Awaiting ports-secteam approval to merge to 2018Q1.

A commit references this bug:

Author: woodsb02
Date: Sat Jan 20 01:20:20 UTC 2018
New revision: 459492
URL: https://svnweb.freebsd.org/changeset/ports/459492

Log:
  net-p2p/transmission-daemon: Improve UPDATING entry and add pkg-message

  This will ensure users who do not read UPDATING are still presented with the message about how to allow clients to connect to the daemon using DNS when they upgrade the package.

  PR:		225150
  Reported by:	swills
  Security:	https://www.vuxml.org/freebsd/3e5b8bd3-0c32-452f-a60e-beab7b762351.html

Changes:
  head/UPDATING
  head/net-p2p/transmission-daemon/Makefile
  head/net-p2p/transmission-daemon/pkg-message

A commit references this bug:

Author: woodsb02
Date: Sat Jan 20 01:28:57 UTC 2018
New revision: 459493
URL: https://svnweb.freebsd.org/changeset/ports/459493

Log:
  MFH: r459011 r459013 r459492

  net-p2p/transmission-daemon: Mitigate DNS rebinding attack

  Incorporate upstream pull request 468, proposed by Tavis Ormandy from Google Project Zero, which mitigates this attack by requiring a host whitelist for requests that cannot be proven to be secure, but it can be disabled if a user does not want security.

  PR:		225150
  Submitted by:	Tavis Ormandy
  Approved by:	crees (maintainer)
  Obtained from:	https://github.com/transmission/transmission/pull/468#issuecomment-357098126
  Security:	https://www.vuxml.org/freebsd/3e5b8bd3-0c32-452f-a60e-beab7b762351.html

  Add note to UPDATING for net-p2p/transmission-daemon explaining how to allow client access with the new DNS rebinding mitigations.

  PR:		225150
  Security:	https://www.vuxml.org/freebsd/3e5b8bd3-0c32-452f-a60e-beab7b762351.html

  net-p2p/transmission-daemon: Improve UPDATING entry and add pkg-message

  This will ensure users who do not read UPDATING are still presented with the message about how to allow clients to connect to the daemon using DNS when they upgrade the package.

  PR:		225150
  Reported by:	swills
  Security:	https://www.vuxml.org/freebsd/3e5b8bd3-0c32-452f-a60e-beab7b762351.html
  Approved by:	ports-secteam (swills)

Changes:
  _U  branches/2018Q1/
  branches/2018Q1/UPDATING
  branches/2018Q1/net-p2p/transmission-cli/files/patch-fix_dns_rebinding_vuln
  branches/2018Q1/net-p2p/transmission-daemon/Makefile
  branches/2018Q1/net-p2p/transmission-daemon/pkg-message

This has now been merged to 2018Q1 also. Thanks crees for your fast approval, and to swills for a heads up about using pkg-message to notify pkg users.
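The mitigation the commit logs describe (a host whitelist for requests that cannot be proven to be addressed to the daemon directly) rests on one observation: in a DNS rebinding attack the victim's browser is tricked into sending requests to the daemon's IP and port, but the Host header still carries the attacker's domain name, because the browser fills Host from the URL the attacker's page used. A request whose Host is an IP literal or localhost cannot have been produced that way, so it is served; any other name must match a whitelist. The following Python illustration of that check is added here and is not Transmission's code nor the patch attached to this PR; the function names, the 421 status, the `*` wildcard syntax and the sample whitelist are this example's own assumptions.

```python
"""Host-header whitelist check of the kind described in the commit logs above.

Added illustration, not Transmission's implementation. The 421 status code,
the wildcard syntax and all names here are this example's choices.
"""
import ipaddress
from fnmatch import fnmatchcase


def _strip_port(host):
    """Return the host part of a Host header value, or None if malformed.

    Handles "name:9091", "1.2.3.4:9091" and "[::1]:9091".
    """
    if host.startswith("["):
        end = host.find("]")
        if end == -1:
            return None            # "[::1" with no closing bracket
        return host[1:end]
    if host.count(":") == 1:
        return host.rsplit(":", 1)[0]
    return host                    # bare name, or an unbracketed IPv6 literal


def host_is_allowed(host, whitelist, whitelist_enabled=True):
    """Decide whether a request carrying this Host header should be served.

    Rules (this example's reading of "a whitelist for requests that cannot
    be proven to be secure"):
      * no Host header at all (HTTP/1.0 client): allowed
      * IP literal or localhost: allowed, the client addressed us by IP
      * any other name: allowed only if whitelist checking is disabled or
        the name matches a whitelist entry (case-insensitive, '*' wildcard)
    """
    if not host:
        return True
    name = _strip_port(host.strip())
    if name is None:
        return False
    name = name.lower().rstrip(".")      # "localhost." and "LOCALHOST" count
    if name == "localhost":
        return True
    try:
        ipaddress.ip_address(name)       # IPv4 or IPv6 literal
        return True
    except ValueError:
        pass
    if not whitelist_enabled:
        return True                      # the "does not want security" switch
    return any(fnmatchcase(name, pat.lower().rstrip(".")) for pat in whitelist)


def check_request(headers, whitelist, whitelist_enabled=True):
    """Map a request's headers (dict, any key case) to an HTTP status code."""
    host = next((v for k, v in headers.items() if k.lower() == "host"), None)
    if host_is_allowed(host, whitelist, whitelist_enabled):
        return 200
    return 421   # Misdirected Request: Host does not name this server


if __name__ == "__main__":
    # Constructed sample requests; the whitelist is invented for the demo.
    WHITELIST = ["nas.example.org", "*.home.arpa"]
    cases = {
        "direct by IPv4":      {"Host": "192.168.1.10:9091"},
        "direct by IPv6":      {"Host": "[::1]:9091"},
        "localhost":           {"Host": "localhost:9091"},
        "whitelisted name":    {"Host": "nas.example.org:9091"},
        "wildcard name":       {"Host": "media.home.arpa"},
        "rebinding attacker":  {"Host": "attacker.example.net"},
    }
    for label, hdrs in cases.items():
        print(f"{label:20s} -> {check_request(hdrs, WHITELIST)}")
```

The rebinding case is the one that matters: the attacker's page makes the browser hit the daemon on its real IP, yet Host is `attacker.example.net`, so the request is refused with 421 unless checking has been disabled. Users who reach the daemon by a DNS name must therefore add that name to the whitelist, which is what the port's UPDATING entry and pkg-message (referenced above but not reproduced on this page) explain how to do.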