rpms/ctorrent/EL-5 ctorrent-CVE-2009-1759.patch, 1.2, 1.3 ctorrent.spec, 1.7, 1.8

Dominik Mierzejewski rathann at fedoraproject.org
Sat Aug 22 14:58:08 UTC 2009


Author: rathann

Update of /cvs/pkgs/rpms/ctorrent/EL-5
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv7019

Modified Files:
	ctorrent.spec 
Added Files:
	ctorrent-CVE-2009-1759.patch 
Log Message:
* Sat Aug 22 2009 Dominik 'Rathann' Mierzejewski <rpm at greysector.net> 1.3.4-5.dnh2.1
- fix stack-based buffer overflow (CVE-2009-1759, RHBZ #501813)


ctorrent-CVE-2009-1759.patch:
 bencode.cpp |   14 ++++++++++----
 bencode.h   |    2 +-
 btfiles.cpp |   10 ++++++++++
 3 files changed, 21 insertions(+), 5 deletions(-)

Index: ctorrent-CVE-2009-1759.patch
===================================================================
RCS file: ctorrent-CVE-2009-1759.patch
diff -N ctorrent-CVE-2009-1759.patch
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ ctorrent-CVE-2009-1759.patch	22 Aug 2009 14:58:08 -0000	1.3
@@ -0,0 +1,80 @@
+diff -up ctorrent-dnh2.1/bencode.cpp.orig ctorrent-dnh2.1/bencode.cpp
+--- ctorrent-dnh2.1/bencode.cpp.orig	2006-01-02 03:38:01.000000000 +0100
++++ ctorrent-dnh2.1/bencode.cpp	2009-08-22 16:43:47.000000000 +0200
+@@ -234,22 +234,28 @@ size_t bencode_path2list(const char *pat
+   return bencode_end_dict_list(fp);
+ }
+ 
+-size_t decode_list2path(const char *b, size_t n, char *pathname)
++size_t decode_list2path(const char *b, size_t n, char *pathname, size_t maxlen)
+ {
+   const char *pb = b;
+   const char *s = (char *) 0;
++  const char *endmax = pathname + maxlen - 1;
+   size_t r,q;
+ 
+   if( 'l' != *pb ) return 0;
+   pb++;
+   n--;
+   if( !n ) return 0;
+-  for(; n;){
++  while( n && pathname < endmax ){
+     if(!(r = buf_str(pb, n, &s, &q)) ) return 0;
++    if( q >= maxlen ) return 0;
+     memcpy(pathname, s, q);
+     pathname += q;
+-    pb += r; n -= r; 
+-    if( 'e' != *pb ){*pathname = PATH_SP, pathname++;} else break;
++    maxlen -= q;
++    pb += r;
++    n -= r; 
++    if( 'e' == *pb ) break;
++    if( pathname >= endmax ) return 0;
++    *pathname++ = PATH_SP;
+   }
+   *pathname = '\0';
+   return (pb - b + 1);
+diff -up ctorrent-dnh2.1/bencode.h.orig ctorrent-dnh2.1/bencode.h
+--- ctorrent-dnh2.1/bencode.h.orig	2005-08-27 05:43:00.000000000 +0200
++++ ctorrent-dnh2.1/bencode.h	2009-08-22 16:44:17.000000000 +0200
+@@ -24,7 +24,7 @@ size_t decode_dict(const char *b,size_t 
+ size_t decode_list(const char *b,size_t len,const char *keylist);
+ size_t decode_rev(const char *b,size_t len,const char *keylist);
+ size_t decode_query(const char *b,size_t len,const char *keylist,const char **ps,size_t *pi,int64_t *pl,int method);
+-size_t decode_list2path(const char *b, size_t n, char *pathname);
++size_t decode_list2path(const char *b, size_t n, char *pathname, size_t maxlen);
+ size_t bencode_buf(const char *str,size_t len,FILE *fp);
+ size_t bencode_str(const char *str, FILE *fp);
+ size_t bencode_int(const int integer, FILE *fp);
+diff -up ctorrent-dnh2.1/btfiles.cpp.orig ctorrent-dnh2.1/btfiles.cpp
+--- ctorrent-dnh2.1/btfiles.cpp.orig	2006-03-20 04:54:53.000000000 +0100
++++ ctorrent-dnh2.1/btfiles.cpp	2009-08-22 16:50:03.000000000 +0200
+@@ -352,6 +352,8 @@ int btFiles::BuildFromMI(const char *met
+     BTFILE *pbf_last = (BTFILE*) 0; 
+     BTFILE *pbf = (BTFILE*) 0;
+     size_t dl;
++    unsigned long nfiles = 0;
++
+     if( decode_query(metabuf,metabuf_len,"info|length",
+                     (const char**) 0,(size_t*) 0,(int64_t*) 0,QUERY_LONG) )
+       return -1;
+@@ -381,11 +383,19 @@ int btFiles::BuildFromMI(const char *met
+ #ifndef WINDOWS
+       if( !pbf ) return -1;
+ #endif
++      nfiles++;
+       pbf->bf_length = t;
+       m_total_files_length += t;
+       r = decode_query(p, dl, "path", (const char **) 0, &n,(int64_t*) 0,QUERY_POS);
+       if( !r ) return -1;
+       if(!decode_list2path(p + r, n, path)) return -1;
++      if( !r || !decode_list2path(p + r, n, path, sizeof(path)) ){
++        CONSOLE.Warning(1,
++          "error, invalid path in torrent data for file %lu at offset %llu",
++          nfiles, m_total_files_length - t);
++        delete pbf;
++        return -1;
++      }
+       pbf->bf_filename = new char[strlen(path) + 1];
+ #ifndef WINDOWS
+       if( !pbf->bf_filename ) return -1;
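Review bot: The btfiles.cpp hunk keeps `if( !r ) return -1;` and the old three-argument `if(!decode_list2path(p + r, n, path)) return -1;` as context lines (prefix `+ ` rather than `+-`, and the nested counts `-381,11 +383,19` agree with that reading) while adding the new guarded four-argument call directly below them, so the patched file still contains a call that no longer matches the prototype the bencode.h hunk installs; unless a default for `maxlen` exists outside the hunk, this will not compile, and those two lines should become `+-      if( !r ) return -1;` and `+-      if(!decode_list2path(p + r, n, path)) return -1;` with the nested header adjusted to `+@@ -381,11 +383,17 @@`. Separately, in decode_list2path the new loop condition `pathname < endmax` can end the loop after a PATH_SP has been written but before the list's terminating `e` is reached, and the function then NUL-terminates and returns `pb - b + 1` for a silently truncated path; adding `if( 'e' != *pb ) return 0;` before `*pathname = '\0';` would turn that into the same failure the other bound checks produce, so the caller rejects the torrent instead of using a shortened filename. BuildFromMI continues outside the hunk, and the callers of decode_list2path other than the one shown here are not visible.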


Index: ctorrent.spec
===================================================================
RCS file: /cvs/pkgs/rpms/ctorrent/EL-5/ctorrent.spec,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -p -r1.7 -r1.8
--- ctorrent.spec	22 Aug 2009 14:55:41 -0000	1.7
+++ ctorrent.spec	22 Aug 2009 14:58:08 -0000	1.8
@@ -2,12 +2,13 @@
 
 Name: ctorrent
 Version: 1.3.4
-Release: 3.%{dnh}%{?dist}
+Release: 5.%{dnh}%{?dist}
 Summary: BitTorrent Client written in C
 Group: Applications/Internet
 License: GPL
 URL: http://www.rahul.net/dholmes/ctorrent/
 Source0: http://www.rahul.net/dholmes/ctorrent/%{name}-%{version}-%{dnh}.tar.gz
+Patch0: %{name}-CVE-2009-1759.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: openssl-devel
 
@@ -17,6 +18,7 @@ doesn't require any graphical component,
 
 %prep
 %setup -q -n %{name}-%{dnh}
+%patch0 -p1
 
 %build
 %configure
@@ -35,6 +37,9 @@ rm -rf $RPM_BUILD_ROOT
 %doc AUTHORS COPYING ChangeLog NEWS README README-DNH.TXT
 
 %changelog
+* Sat Aug 22 2009 Dominik 'Rathann' Mierzejewski <rpm at greysector.net> 1.3.4-5.dnh2.1
+- fix stack-based buffer overflow (CVE-2009-1759, RHBZ #501813)
+
 * Wed Nov 01 2006 Dominik 'Rathann' Mierzejewski <rpm at greysector.net> 1.3.4-3.dnh2.1
 - upstream has stopped development, rebase to Enhanced CTorrent, fixes #212307
 - add more docs



