rpms/ctorrent/F-11 ctorrent-CVE-2009-1759.patch, NONE, 1.1 ctorrent.spec, 1.11, 1.12

Dominik Mierzejewski rathann at fedoraproject.org
Fri Aug 21 22:08:38 UTC 2009 

Author: rathann

Update of /cvs/pkgs/rpms/ctorrent/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv9074

Modified Files:
	ctorrent.spec 
Added Files:
	ctorrent-CVE-2009-1759.patch 
Log Message:
* Fri Aug 21 2009 Dominik 'Rathann' Mierzejewski <rpm at greysector.net> 1.3.4-10.dnh3.3.2
- fixed stack-based buffer overflow (CVE-2009-1759, RHBZ #501813)


ctorrent-CVE-2009-1759.patch:
 bencode.cpp |   14 ++++++++++----
 bencode.h   |    2 +-
 btfiles.cpp |   12 ++++++++++--
 3 files changed, 21 insertions(+), 7 deletions(-)

--- NEW FILE ctorrent-CVE-2009-1759.patch ---
Index: bencode.h
===================================================================
--- bencode.h	(revision 301)
+++ bencode.h	(revision 302)
@@ -25,7 +25,7 @@
 size_t decode_list(const char *b,size_t len,const char *keylist);
 size_t decode_rev(const char *b,size_t len,const char *keylist);
 size_t decode_query(const char *b,size_t len,const char *keylist,const char **ps,size_t *pi,int64_t *pl,int method);
-size_t decode_list2path(const char *b, size_t n, char *pathname);
+size_t decode_list2path(const char *b, size_t n, char *pathname, size_t maxlen);
 size_t bencode_buf(const char *str,size_t len,FILE *fp);
 size_t bencode_str(const char *str, FILE *fp);
 size_t bencode_int(const uint64_t integer, FILE *fp);
Index: bencode.cpp
===================================================================
--- bencode.cpp	(revision 301)
+++ bencode.cpp	(revision 302)
@@ -233,22 +233,28 @@
   return bencode_end_dict_list(fp);
 }
 
-size_t decode_list2path(const char *b, size_t n, char *pathname)
+size_t decode_list2path(const char *b, size_t n, char *pathname, size_t maxlen)
 {
   const char *pb = b;
   const char *s = (char *) 0;
+  const char *endmax = pathname + maxlen - 1;
   size_t r,q;
 
   if( 'l' != *pb ) return 0;
   pb++;
   n--;
   if( !n ) return 0;
-  for(; n;){
+  while( n && pathname < endmax ){
     if(!(r = buf_str(pb, n, &s, &q)) ) return 0;
+    if( q >= maxlen ) return 0;
     memcpy(pathname, s, q);
     pathname += q;
-    pb += r; n -= r; 
-    if( 'e' != *pb ){*pathname = PATH_SP, pathname++;} else break;
+    maxlen -= q;
+    pb += r;
+    n -= r; 
+    if( 'e' == *pb ) break;
+    if( pathname >= endmax ) return 0;
+    *pathname++ = PATH_SP;
   }
   *pathname = '\0';
   return (pb - b + 1);
Index: btfiles.cpp
===================================================================
--- btfiles.cpp	(revision 301)
+++ btfiles.cpp	(revision 302)
@@ -471,6 +471,8 @@
     BTFILE *pbf_last = (BTFILE*) 0; 
     BTFILE *pbf = (BTFILE*) 0;
     size_t dl;
+    unsigned long nfiles = 0;
+
     if( decode_query(metabuf,metabuf_len,"info|length",
                     (const char**) 0,(size_t*) 0,(int64_t*) 0,QUERY_LONG) )
       return -1;
@@ -524,12 +526,18 @@
 #ifndef WINDOWS
       if( !pbf ) return -1;
 #endif
+      nfiles++;
       pbf->bf_length = t;
       m_total_files_length += t;
       r = decode_query(p, dl, "path", (const char **)0, &n, (int64_t*)0,
                        QUERY_POS);
-      if( !r ) return -1;
-      if(!decode_list2path(p + r, n, path)) return -1;
+      if( !r || !decode_list2path(p + r, n, path, sizeof(path)) ){
+        CONSOLE.Warning(1,
+          "error, invalid path in torrent data for file %lu at offset %llu",
+          nfiles, m_total_files_length - t);
+        delete pbf;
+        return -1;
+      }
 
       int f_conv;
       char *tmpfn = new char[strlen(path)*2+5];


Index: ctorrent.spec
===================================================================
RCS file: /cvs/pkgs/rpms/ctorrent/F-11/ctorrent.spec,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -p -r1.11 -r1.12
--- ctorrent.spec	26 Feb 2009 21:07:23 -0000	1.11
+++ ctorrent.spec	21 Aug 2009 22:08:38 -0000	1.12
@@ -2,12 +2,14 @@
 
 Name: ctorrent
 Version: 1.3.4
-Release: 9.%{dnh}%{?dist}
+Release: 10.%{dnh}%{?dist}
 Summary: Command line BitTorrent client for unix-like environments
 Group: Applications/Internet
 License: GPLv2+
 URL: http://www.rahul.net/dholmes/ctorrent/
 Source0: http://downloads.sourceforge.net/sourceforge/dtorrent/%{name}-%{dnh}.tar.gz
+# http://sourceforge.net/tracker/download.php?group_id=202532&atid=981959&file_id=325065&aid=2782875
+Patch0: %{name}-CVE-2009-1759.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: openssl-devel
 
@@ -17,6 +19,7 @@ performance with minimal system resource
 
 %prep
 %setup -q -n %{name}-%{dnh}
+%patch0 -p0
 
 %build
 %configure
@@ -35,6 +38,9 @@ rm -rf $RPM_BUILD_ROOT
 %doc AUTHORS COPYING ChangeLog NEWS README README-DNH.TXT UserGuide
 
 %changelog
+* Fri Aug 21 2009 Dominik 'Rathann' Mierzejewski <rpm at greysector.net> 1.3.4-10.dnh3.3.2
+- fixed stack-based buffer overflow (CVE-2009-1759, RHBZ #501813)
+
 * Tue Feb 26 2009 Dominik 'Rathann' Mierzejewski <rpm at greysector.net> 1.3.4-9.dnh3.3.2
 - update to 3.3.2 patch
 - improve summary: and description

More information about the fedora-extras-commits mailing list