From owner-freebsd-ports-bugs@FreeBSD.ORG Thu Oct 15 08:50:01 2009
Return-Path:
Delivered-To: freebsd-ports-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B1BC4106568F; Thu, 15 Oct 2009 08:50:01 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 76CBB8FC15; Thu, 15 Oct 2009 08:50:01 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id n9F8o1gZ059848; Thu, 15 Oct 2009 08:50:01 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.14.3/8.14.3/Submit) id n9F8o1Y6059838; Thu, 15 Oct 2009 08:50:01 GMT (envelope-from gnats)
Resent-Date: Thu, 15 Oct 2009 08:50:01 GMT
Resent-Message-Id: <200910150850.n9F8o1Y6059838@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@freebsd.org (GNATS Filer)
Resent-To: freebsd-ports-bugs@FreeBSD.org
Resent-Cc: miwi@freebsd.org
Resent-Reply-To: FreeBSD-gnats-submit@freebsd.org, Eygene Ryabinkin
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 40A50106566B for ; Thu, 15 Oct 2009 08:48:49 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru)
Received: from 0.mx.codelabs.ru (0.mx.codelabs.ru [144.206.177.45]) by mx1.freebsd.org (Postfix) with ESMTP id D08AA8FC08 for ; Thu, 15 Oct 2009 08:48:47 +0000 (UTC)
Received: from void.codelabs.ru (void.codelabs.ru [144.206.177.25]) by 0.mx.codelabs.ru with esmtps (TLSv1:CAMELLIA256-SHA:256) id 1MyM0s-000HAu-Ll for FreeBSD-gnats-submit@freebsd.org; Thu, 15 Oct 2009 12:48:46 +0400
Message-Id: <20091015084846.9C6B0DA819@void.codelabs.ru>
Date: Thu, 15 Oct 2009 12:48:46 +0400 (MSD)
From: Eygene Ryabinkin
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.113
X-GNATS-Notify: miwi@freebsd.org
Cc:
Subject: ports/139635: [patch] net-p2p/ctorrent: fix buffer overflow, CVE-2009-1759
X-BeenThere: freebsd-ports-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Eygene Ryabinkin
List-Id: Ports bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 15 Oct 2009 08:50:01 -0000

>Number: 139635
>Category: ports
>Synopsis: [patch] net-p2p/ctorrent: fix buffer overflow, CVE-2009-1759
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Oct 15 08:50:00 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Eygene Ryabinkin
>Release: FreeBSD 8.0-RC1 amd64
>Organization: Code Labs
>Environment:
System: FreeBSD
>Description:
From the CVE entry [1]:
-----
Stack-based buffer overflow in the btFiles::BuildFromMI function (trunk/btfiles.cpp) in Enhanced CTorrent (aka dTorrent) 3.3.2 and probably earlier, and CTorrent 1.3.4, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a Torrent file containing a long path.
-----
>How-To-Repeat:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1759
[2] http://sourceforge.net/tracker/?func=detail&aid=2782875&group_id=202532&atid=981959
>Fix:
The following patch updates the port and adds the patch from the vendor. It was promised that this patch will be integrated into 3.3.3.

--- ctorrent-fix-cve-2009-1759.diff begins here ---
From 5367e3073dbd6a13f89aad93d4005953cc2db730 Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin
Date: Thu, 15 Oct 2009 12:32:40 +0400
See-also: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1759
See-also: http://sourceforge.net/tracker/?func=detail&aid=2782875&group_id=202532&atid=981959
Signed-off-by: Eygene Ryabinkin --- net-p2p/ctorrent/Makefile | 2 +- net-p2p/ctorrent/files/patch-cve-2009-1759 | 86 ++++++++++++++++++++++++++++ 2 files changed, 87 insertions(+), 1 deletions(-) create mode 100644 net-p2p/ctorrent/files/patch-cve-2009-1759 diff --git a/net-p2p/ctorrent/Makefile b/net-p2p/ctorrent/Makefile index 9f0e25b..fa6a9e1 100644 --- a/net-p2p/ctorrent/Makefile +++ b/net-p2p/ctorrent/Makefile @@ -7,7 +7,7 @@ PORTNAME= ctorrent PORTVERSION= 3.3.2 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= net-p2p MASTER_SITES= http://www.rahul.net/dholmes/ctorrent/ DISTNAME= ${PORTNAME}-dnh${PORTVERSION} diff --git a/net-p2p/ctorrent/files/patch-cve-2009-1759 b/net-p2p/ctorrent/files/patch-cve-2009-1759 new file mode 100644 index 0000000..155fe9d --- /dev/null +++ b/net-p2p/ctorrent/files/patch-cve-2009-1759 
@@ -0,0 +1,86 @@ +Obtained-From: http://sourceforge.net/tracker/download.php?group_id=202532&atid=981959&file_id=325065&aid=2782875 + +Index: bencode.h +=================================================================== +--- bencode.h (revision 301) ++++ bencode.h (revision 302) +@@ -25,7 +25,7 @@ + size_t decode_list(const char *b,size_t len,const char *keylist); + size_t decode_rev(const char *b,size_t len,const char *keylist); + size_t decode_query(const char *b,size_t len,const char *keylist,const char **ps,size_t *pi,int64_t *pl,int method); +-size_t decode_list2path(const char *b, size_t n, char *pathname); ++size_t decode_list2path(const char *b, size_t n, char *pathname, size_t maxlen); + size_t bencode_buf(const char *str,size_t len,FILE *fp); + size_t bencode_str(const char *str, FILE *fp); + size_t bencode_int(const uint64_t integer, FILE *fp); +Index: bencode.cpp +=================================================================== +--- bencode.cpp (revision 301) ++++ bencode.cpp (revision 302) +@@ -233,22 +233,28 @@ + return bencode_end_dict_list(fp); + } + +-size_t decode_list2path(const char *b, size_t n, char *pathname) ++size_t decode_list2path(const char *b, size_t n, char *pathname, size_t maxlen) + { + const char *pb = b; + const char *s = (char *) 0; ++ const char *endmax = pathname + maxlen - 1; + size_t r,q; + + if( 'l' != *pb ) return 0; + pb++; + n--; + if( !n ) return 0; +- for(; n;){ ++ while( n && pathname < endmax ){ + if(!(r = buf_str(pb, n, &s, &q)) ) return 0; ++ if( q >= maxlen ) return 0; + memcpy(pathname, s, q); + pathname += q; +- pb += r; n -= r; +- if( 'e' != *pb ){*pathname = PATH_SP, pathname++;} else break; ++ maxlen -= q; ++ pb += r; ++ n -= r; ++ if( 'e' == *pb ) break; ++ if( pathname >= endmax ) return 0; ++ *pathname++ = PATH_SP; + } + *pathname = '\0'; + return (pb - b + 1); +Index: btfiles.cpp +=================================================================== +--- btfiles.cpp (revision 301) ++++ btfiles.cpp 
(revision 302) +@@ -471,6 +471,8 @@ + BTFILE *pbf_last = (BTFILE*) 0; + BTFILE *pbf = (BTFILE*) 0; + size_t dl; ++ unsigned long nfiles = 0; ++ + if( decode_query(metabuf,metabuf_len,"info|length", + (const char**) 0,(size_t*) 0,(int64_t*) 0,QUERY_LONG) ) + return -1; +@@ -524,12 +526,18 @@ + #ifndef WINDOWS + if( !pbf ) return -1; + #endif ++ nfiles++; + pbf->bf_length = t; + m_total_files_length += t; + r = decode_query(p, dl, "path", (const char **)0, &n, (int64_t*)0, + QUERY_POS); +- if( !r ) return -1; +- if(!decode_list2path(p + r, n, path)) return -1; ++ if( !r || !decode_list2path(p + r, n, path, sizeof(path)) ){ ++ CONSOLE.Warning(1, ++ "error, invalid path in torrent data for file %lu at offset %llu", ++ nfiles, m_total_files_length - t); ++ delete pbf; ++ return -1; ++ } + + int f_conv; + char *tmpfn = new char[strlen(path)*2+5]; -- 1.6.4.4 --- ctorrent-fix-cve-2009-1759.diff ends here --- Patched port works for me. The following VuXML entry should be evaluated and added: --- vuln.xml begins here --- Enhanced cTorrent -- stack-based overflow ctorrent 3.3.2_2
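Review bot: the bencode.h hunk gives `decode_list2path` a fourth `maxlen` parameter, and the only call site this patch updates is the one in btfiles.cpp (`decode_list2path(p + r, n, path, sizeof(path))`); confirm with a grep of the ctorrent sources that no other caller exists, since any remaining three-argument call will no longer compile against the new declaration.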
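Review bot: in the rewritten `decode_list2path` body in bencode.cpp, `maxlen` is reduced for each copied component (`maxlen -= q;`) but not for the separator written by `*pathname++ = PATH_SP;`, so from the second component on the guard `if( q >= maxlen ) return 0;` lets `q` exceed the bytes actually left before `endmax` by the number of separators written so far; the `pathname < endmax` and `pathname >= endmax` tests bound where a component starts, not where its `memcpy` ends, so a long later component can still write past the end of the buffer. Add `maxlen--;` directly after `*pathname++ = PATH_SP;`, or take the bound from the pointer instead: `if( q > (size_t)(endmax - pathname) ) return 0;`. Separately, `if( 'e' == *pb ) break;` still dereferences `pb` without first checking that `n` is non-zero, as the pre-patch `if( 'e' != *pb )` did, so a list whose encoding ends without `e` reads one byte past the input.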
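Review bot: the new error branch in the second btfiles.cpp hunk passes `m_total_files_length - t` to a `%llu` conversion; unless `m_total_files_length` is declared `unsigned long long` (its declaration is not in this hunk), cast the expression to `(unsigned long long)` so the varargs call matches the conversion on every platform. The `delete pbf;` it adds is correct only if `pbf` has not yet been linked into the file list through `pbf_last` at this point; the linking is not among the lines shown, so verify it happens after this check, otherwise the list would keep a dangling pointer. Note also that `m_total_files_length += t;` above the check is not undone on the error path.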

Securityfocus reports:

cTorrent and dTorrent are prone to a remote buffer-overflow vulnerability because the software fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.

Successful exploits allow remote attackers to execute arbitrary machine code in the context of a vulnerable application. Failed exploit attempts will likely result in denial-of-service conditions.

CVE-2009-1759 34584 http://sourceforge.net/tracker/?func=detail&aid=2782875&group_id=202532&atid=981959 2009-10-15 TODAY
--- vuln.xml ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
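The overflow described in this PR comes from joining the strings of a torrent's bencoded "path" list into a fixed-size buffer without accounting for the space they need. The following is an added example, written for this page and not code from the PR, the vendor patch or CTorrent itself, of the same list-to-path join done with explicit space accounting in C. It assumes a `/` path separator and uses `parse_bstr()`, a hypothetical stand-in for CTorrent's `buf_str()` (whose source the PR does not include); the sample inputs are constructed. The remaining-space counter is charged for every separator as well as every component, so the result never exceeds `maxlen` bytes including the terminating NUL, and lists that are malformed, unterminated or too long for the buffer are rejected with a return value of 0.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PATH_SP '/'   /* path separator; assumed for this example */

/* Parse one bencoded string ("<len>:<bytes>") at the start of b, where n
 * bytes are available.  On success *s points at the payload, *q holds its
 * length, and the return value is the number of input bytes consumed; 0 means
 * malformed or truncated input.  Hypothetical stand-in for CTorrent's
 * buf_str(), whose source the PR does not include. */
static size_t parse_bstr(const char *b, size_t n, const char **s, size_t *q)
{
    size_t len = 0, i = 0;

    if (n == 0 || b[0] < '0' || b[0] > '9') return 0;
    while (i < n && b[i] >= '0' && b[i] <= '9') {
        if (len > ((size_t)-1 - 9) / 10) return 0;    /* length would overflow size_t */
        len = len * 10 + (size_t)(b[i] - '0');
        i++;
    }
    if (i >= n || b[i] != ':') return 0;
    i++;
    if (len > n - i) return 0;                         /* payload runs past the input */
    *s = b + i;
    *q = len;
    return i + len;
}

/* Join the strings of a bencoded list ("l...e") into pathname, separated by
 * PATH_SP, never writing more than maxlen bytes including the terminating
 * NUL.  Returns the number of input bytes consumed (through the closing 'e'),
 * or 0 if the list is malformed, unterminated, or the result would not fit.
 * `room` counts the bytes still free before the NUL slot and is charged for
 * every separator as well as every component. */
size_t decode_list2path_safe(const char *b, size_t n, char *pathname, size_t maxlen)
{
    const char *pb = b;
    const char *s = NULL;
    size_t r, q, room;

    if (maxlen == 0 || n == 0 || *pb != 'l') return 0;
    room = maxlen - 1;
    pb++; n--;
    if (n == 0) return 0;

    while (n) {
        if (!(r = parse_bstr(pb, n, &s, &q))) return 0;
        if (q > room) return 0;                        /* component would overflow */
        memcpy(pathname, s, q);
        pathname += q; room -= q;
        pb += r; n -= r;
        if (n == 0) return 0;                          /* input ended without 'e' */
        if (*pb == 'e') break;
        if (room == 0) return 0;                       /* no space for a separator */
        *pathname++ = PATH_SP; room--;                 /* charge the separator too */
    }
    *pathname = '\0';
    return (size_t)(pb - b + 1);
}

/* Check helper: decode `in` into a bufsize-byte buffer.  With expect == NULL
 * it returns 1 if the decoder rejected the input; otherwise it returns 1 if
 * the whole input was consumed and the buffer holds `expect`. */
int join_matches(const char *in, size_t bufsize, const char *expect)
{
    char buf[64];
    size_t r;

    if (bufsize > sizeof buf) return 0;
    memset(buf, 'X', sizeof buf);                      /* makes a missing NUL visible */
    buf[sizeof buf - 1] = '\0';
    r = decode_list2path_safe(in, strlen(in), buf, bufsize);
    if (expect == NULL) return r == 0;
    return r == strlen(in) && strcmp(buf, expect) == 0;
}

int main(void)
{
    char path[10];
    const char *ok = "l3:dir4:filee";      /* constructed sample: joins to "dir/file" */
    const char *big = "l4:abcd5:efghie";   /* constructed sample: needs 11 bytes */
    size_t r;

    r = decode_list2path_safe(ok, strlen(ok), path, sizeof path);
    printf("%s -> consumed %zu, path \"%s\"\n", ok, r, r ? path : "(rejected)");
    r = decode_list2path_safe(big, strlen(big), path, sizeof path);
    printf("%s -> consumed %zu, path \"%s\"\n", big, r, r ? path : "(rejected)");
    return 0;
}
```

The second sample is the case that separator accounting exists for: its two components fit individually, but the separator pushes the total one byte past a 10-byte buffer, so the function refuses it instead of writing the terminator out of bounds.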