Date: Thu, 15 Oct 2009 12:48:46 +0400 (MSD) From: Eygene Ryabinkin <rea-fbsd@codelabs.ru> To: FreeBSD-gnats-submit@freebsd.org Subject: ports/139635: [patch] net-p2p/ctorrent: fix buffer overflow, CVE-2009-1759 Message-ID: <20091015084846.9C6B0DA819@void.codelabs.ru> Resent-Message-ID: <200910150850.n9F8o1Y6059838@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 139635 >Category: ports >Synopsis: [patch] net-p2p/ctorrent: fix buffer overflow, CVE-2009-1759 >Confidential: no >Severity: serious >Priority: high >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Thu Oct 15 08:50:00 UTC 2009 >Closed-Date: >Last-Modified: >Originator: Eygene Ryabinkin >Release: FreeBSD 8.0-RC1 amd64 >Organization: Code Labs >Environment: System: FreeBSD >Description: >From the CVE entry [1]: ----- Stack-based buffer overflow in the btFiles::BuildFromMI function (trunk/btfiles.cpp) in Enhanced CTorrent (aka dTorrent) 3.3.2 and probably earlier, and CTorrent 1.3.4, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a Torrent file containing a long path. ----- >How-To-Repeat: [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1759 [2] http://sourceforge.net/tracker/?func=detail&aid=2782875&group_id=202532&atid=981959 >Fix: The following patch updates the port and adds the patch from the vendor. It was promised that this patch will be integrated into 3.3.3. --- ctorrent-fix-cve-2009-1759.diff begins here --- >From 5367e3073dbd6a13f89aad93d4005953cc2db730 Mon Sep 17 00:00:00 2001 From: Eygene Ryabinkin <rea-fbsd@codelabs.ru> Date: Thu, 15 Oct 2009 12:32:40 +0400 See-also: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1759 See-also: http://sourceforge.net/tracker/?func=detail&aid=2782875&group_id=202532&atid=981959 Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru> --- net-p2p/ctorrent/Makefile | 2 +- net-p2p/ctorrent/files/patch-cve-2009-1759 | 86 ++++++++++++++++++++++++++++ 2 files changed, 87 insertions(+), 1 deletions(-) create mode 100644 net-p2p/ctorrent/files/patch-cve-2009-1759 diff --git a/net-p2p/ctorrent/Makefile b/net-p2p/ctorrent/Makefile index 9f0e25b..fa6a9e1 100644 --- a/net-p2p/ctorrent/Makefile +++ b/net-p2p/ctorrent/Makefile @@ -7,7 +7,7 @@ PORTNAME= ctorrent PORTVERSION= 3.3.2 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= net-p2p MASTER_SITES= http://www.rahul.net/dholmes/ctorrent/ DISTNAME= ${PORTNAME}-dnh${PORTVERSION} diff --git a/net-p2p/ctorrent/files/patch-cve-2009-1759 b/net-p2p/ctorrent/files/patch-cve-2009-1759 new file mode 100644 index 0000000..155fe9d --- /dev/null +++ b/net-p2p/ctorrent/files/patch-cve-2009-1759 @@ -0,0 +1,86 @@ +Obtained-From: http://sourceforge.net/tracker/download.php?group_id=202532&atid=981959&file_id=325065&aid=2782875 + +Index: bencode.h +=================================================================== +--- bencode.h (revision 301) ++++ bencode.h (revision 302) +@@ -25,7 +25,7 @@ + size_t decode_list(const char *b,size_t len,const char *keylist); + size_t decode_rev(const char *b,size_t len,const char *keylist); + size_t decode_query(const char *b,size_t len,const char *keylist,const char **ps,size_t *pi,int64_t *pl,int method); +-size_t decode_list2path(const char *b, size_t n, char *pathname); ++size_t decode_list2path(const char *b, size_t n, char *pathname, size_t maxlen); + size_t bencode_buf(const char *str,size_t len,FILE *fp); + size_t bencode_str(const char *str, FILE *fp); + size_t bencode_int(const uint64_t integer, FILE *fp); +Index: bencode.cpp +=================================================================== +--- bencode.cpp (revision 301) ++++ bencode.cpp (revision 302) +@@ -233,22 +233,28 @@ + return bencode_end_dict_list(fp); + } + +-size_t decode_list2path(const char *b, size_t n, char *pathname) ++size_t decode_list2path(const char *b, size_t n, char *pathname, size_t maxlen) + { + const char *pb = b; + const char *s = (char *) 0; ++ const char *endmax = pathname + maxlen - 1; + size_t r,q; + + if( 'l' != *pb ) return 0; + pb++; + n--; + if( !n ) return 0; +- for(; n;){ ++ while( n && pathname < endmax ){ + if(!(r = buf_str(pb, n, &s, &q)) ) return 0; ++ if( q >= maxlen ) return 0; + memcpy(pathname, s, q); + pathname += q; +- pb += r; n -= r; +- if( 'e' != *pb ){*pathname = PATH_SP, pathname++;} else break; ++ maxlen -= q; ++ pb += r; ++ n -= r; ++ if( 'e' == *pb ) break; ++ if( pathname >= endmax ) return 0; ++ *pathname++ = PATH_SP; + } + *pathname = '\0'; + return (pb - b + 1); +Index: btfiles.cpp +=================================================================== +--- btfiles.cpp (revision 301) ++++ btfiles.cpp (revision 302) +@@ -471,6 +471,8 @@ + BTFILE *pbf_last = (BTFILE*) 0; + BTFILE *pbf = (BTFILE*) 0; + size_t dl; ++ unsigned long nfiles = 0; ++ + if( decode_query(metabuf,metabuf_len,"info|length", + (const char**) 0,(size_t*) 0,(int64_t*) 0,QUERY_LONG) ) + return -1; +@@ -524,12 +526,18 @@ + #ifndef WINDOWS + if( !pbf ) return -1; + #endif ++ nfiles++; + pbf->bf_length = t; + m_total_files_length += t; + r = decode_query(p, dl, "path", (const char **)0, &n, (int64_t*)0, + QUERY_POS); +- if( !r ) return -1; +- if(!decode_list2path(p + r, n, path)) return -1; ++ if( !r || !decode_list2path(p + r, n, path, sizeof(path)) ){ ++ CONSOLE.Warning(1, ++ "error, invalid path in torrent data for file %lu at offset %llu", ++ nfiles, m_total_files_length - t); ++ delete pbf; ++ return -1; ++ } + + int f_conv; + char *tmpfn = new char[strlen(path)*2+5]; -- 1.6.4.4 --- ctorrent-fix-cve-2009-1759.diff ends here --- Patched port works for me. The following VuXML entry should be evaluated and added: --- vuln.xml begins here --- <vuln vid="83d7d149-b965-11de-a515-0022156e8794"> <topic>Enhanced cTorrent -- stack-based overflow</topic> <affects> <package> <name>ctorrent</name> <range><lt>3.3.2_2</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml">; <p>Securityfocus reports:</p> <blockquote cite="http://www.securityfocus.com/bid/34584">; <p>cTorrent and dTorrent are prone to a remote buffer-overflow vulnerability because the software fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.</p> <p>Successful exploits allow remote attackers to execute arbitrary machine code in the context of a vulnerable application. Failed exploit attempts will likely result in denial-of-service conditions.</p> </blockquote> </body> </description> <references> <cvename>CVE-2009-1759</cvename> <bid>34584</bid> <url>http://sourceforge.net/tracker/?func=detail&aid=2782875&group_id=202532&atid=981959</url>; </references> <dates> <discovery>2009-10-15</discovery> <entry>TODAY</entry> </dates> </vuln> --- vuln.xml ends here --- >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20091015084846.9C6B0DA819>