rpms/ctorrent/EL-5 ctorrent-CVE-2009-1759.patch, 1.2, 1.3 ctorrent.spec, 1.7, 1.8
Dominik Mierzejewski
rathann at fedoraproject.org
Sat Aug 22 14:58:08 UTC 2009
Author: rathann
Update of /cvs/pkgs/rpms/ctorrent/EL-5
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv7019
Modified Files:
ctorrent.spec
Added Files:
ctorrent-CVE-2009-1759.patch
Log Message:
* Sat Aug 22 2009 Dominik 'Rathann' Mierzejewski <rpm at greysector.net> 1.3.4-5.dnh2.1
- fix stack-based buffer overflow (CVE-2009-1759, RHBZ #501813)
ctorrent-CVE-2009-1759.patch:
bencode.cpp | 14 ++++++++++----
bencode.h | 2 +-
btfiles.cpp | 10 ++++++++++
3 files changed, 21 insertions(+), 5 deletions(-)
Index: ctorrent-CVE-2009-1759.patch
===================================================================
RCS file: ctorrent-CVE-2009-1759.patch
diff -N ctorrent-CVE-2009-1759.patch
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ ctorrent-CVE-2009-1759.patch 22 Aug 2009 14:58:08 -0000 1.3
@@ -0,0 +1,80 @@
+diff -up ctorrent-dnh2.1/bencode.cpp.orig ctorrent-dnh2.1/bencode.cpp
+--- ctorrent-dnh2.1/bencode.cpp.orig 2006-01-02 03:38:01.000000000 +0100
++++ ctorrent-dnh2.1/bencode.cpp 2009-08-22 16:43:47.000000000 +0200
+@@ -234,22 +234,28 @@ size_t bencode_path2list(const char *pat
+ return bencode_end_dict_list(fp);
+ }
+
+-size_t decode_list2path(const char *b, size_t n, char *pathname)
++size_t decode_list2path(const char *b, size_t n, char *pathname, size_t maxlen)
+ {
+ const char *pb = b;
+ const char *s = (char *) 0;
++ const char *endmax = pathname + maxlen - 1;
+ size_t r,q;
+
+ if( 'l' != *pb ) return 0;
+ pb++;
+ n--;
+ if( !n ) return 0;
+- for(; n;){
++ while( n && pathname < endmax ){
+ if(!(r = buf_str(pb, n, &s, &q)) ) return 0;
++ if( q >= maxlen ) return 0;
+ memcpy(pathname, s, q);
+ pathname += q;
+- pb += r; n -= r;
+- if( 'e' != *pb ){*pathname = PATH_SP, pathname++;} else break;
++ maxlen -= q;
++ pb += r;
++ n -= r;
++ if( 'e' == *pb ) break;
++ if( pathname >= endmax ) return 0;
++ *pathname++ = PATH_SP;
+ }
+ *pathname = '\0';
+ return (pb - b + 1);
+diff -up ctorrent-dnh2.1/bencode.h.orig ctorrent-dnh2.1/bencode.h
+--- ctorrent-dnh2.1/bencode.h.orig 2005-08-27 05:43:00.000000000 +0200
++++ ctorrent-dnh2.1/bencode.h 2009-08-22 16:44:17.000000000 +0200
+@@ -24,7 +24,7 @@ size_t decode_dict(const char *b,size_t
+ size_t decode_list(const char *b,size_t len,const char *keylist);
+ size_t decode_rev(const char *b,size_t len,const char *keylist);
+ size_t decode_query(const char *b,size_t len,const char *keylist,const char **ps,size_t *pi,int64_t *pl,int method);
+-size_t decode_list2path(const char *b, size_t n, char *pathname);
++size_t decode_list2path(const char *b, size_t n, char *pathname, size_t maxlen);
+ size_t bencode_buf(const char *str,size_t len,FILE *fp);
+ size_t bencode_str(const char *str, FILE *fp);
+ size_t bencode_int(const int integer, FILE *fp);
+diff -up ctorrent-dnh2.1/btfiles.cpp.orig ctorrent-dnh2.1/btfiles.cpp
+--- ctorrent-dnh2.1/btfiles.cpp.orig 2006-03-20 04:54:53.000000000 +0100
++++ ctorrent-dnh2.1/btfiles.cpp 2009-08-22 16:50:03.000000000 +0200
+@@ -352,6 +352,8 @@ int btFiles::BuildFromMI(const char *met
+ BTFILE *pbf_last = (BTFILE*) 0;
+ BTFILE *pbf = (BTFILE*) 0;
+ size_t dl;
++ unsigned long nfiles = 0;
++
+ if( decode_query(metabuf,metabuf_len,"info|length",
+ (const char**) 0,(size_t*) 0,(int64_t*) 0,QUERY_LONG) )
+ return -1;
+@@ -381,11 +383,19 @@ int btFiles::BuildFromMI(const char *met
+ #ifndef WINDOWS
+ if( !pbf ) return -1;
+ #endif
++ nfiles++;
+ pbf->bf_length = t;
+ m_total_files_length += t;
+ r = decode_query(p, dl, "path", (const char **) 0, &n,(int64_t*) 0,QUERY_POS);
+ if( !r ) return -1;
+ if(!decode_list2path(p + r, n, path)) return -1;
++ if( !r || !decode_list2path(p + r, n, path, sizeof(path)) ){
++ CONSOLE.Warning(1,
++ "error, invalid path in torrent data for file %lu at offset %llu",
++ nfiles, m_total_files_length - t);
++ delete pbf;
++ return -1;
++ }
+ pbf->bf_filename = new char[strlen(path) + 1];
+ #ifndef WINDOWS
+ if( !pbf->bf_filename ) return -1;
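Review bot: The separator write `*pathname++ = PATH_SP;` in the new decode_list2path does not decrement maxlen, so after a separator the `if( q >= maxlen ) return 0;` check admits one byte more than the buffer still holds; a last component that exactly fills the remaining space passes the check, the loop breaks on 'e', and `*pathname = '\0';` lands at pathname + original maxlen, one byte past the buffer (constructed example: "abc/defg" into an 8-byte buffer). Add `maxlen--;` directly after the separator write; with that every write is guarded by an explicit check, and the `pathname < endmax` part of the loop condition becomes unnecessary — as written it lets a path that fills the buffer between two components leave the loop and return success with a silently truncated path and an offset that does not point past the list's 'e'. In the btfiles.cpp hunk the original `if(!decode_list2path(p + r, n, path)) return -1;` is kept as context rather than removed (the diffstat lists 10 insertions and no deletions for that file), so the old three-argument call remains in BuildFromMI next to the new one and will not compile against the four-parameter prototype now declared in bencode.h; drop it, and the preceding `if( !r ) return -1;` can go too since the new `!r ||` condition already covers it. decode_list2path's closing brace and the whole of BuildFromMI lie outside the hunk.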
Index: ctorrent.spec
===================================================================
RCS file: /cvs/pkgs/rpms/ctorrent/EL-5/ctorrent.spec,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -p -r1.7 -r1.8
--- ctorrent.spec 22 Aug 2009 14:55:41 -0000 1.7
+++ ctorrent.spec 22 Aug 2009 14:58:08 -0000 1.8
@@ -2,12 +2,13 @@
Name: ctorrent
Version: 1.3.4
-Release: 3.%{dnh}%{?dist}
+Release: 5.%{dnh}%{?dist}
Summary: BitTorrent Client written in C
Group: Applications/Internet
License: GPL
URL: http://www.rahul.net/dholmes/ctorrent/
Source0: http://www.rahul.net/dholmes/ctorrent/%{name}-%{version}-%{dnh}.tar.gz
+Patch0: %{name}-CVE-2009-1759.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: openssl-devel
@@ -17,6 +18,7 @@ doesn't require any graphical component,
%prep
%setup -q -n %{name}-%{dnh}
+%patch0 -p1
%build
%configure
@@ -35,6 +37,9 @@ rm -rf $RPM_BUILD_ROOT
%doc AUTHORS COPYING ChangeLog NEWS README README-DNH.TXT
%changelog
+* Sat Aug 22 2009 Dominik 'Rathann' Mierzejewski <rpm at greysector.net> 1.3.4-5.dnh2.1
+- fix stack-based buffer overflow (CVE-2009-1759, RHBZ #501813)
+
* Wed Nov 01 2006 Dominik 'Rathann' Mierzejewski <rpm at greysector.net> 1.3.4-3.dnh2.1
- upstream has stopped development, rebase to Enhanced CTorrent, fixes #212307
- add more docs