Bug 1039815 - (CVE-2017-9031) VUL-0: CVE-2017-9031: deluge: webUI: directory traversal vulnerability
(CVE-2017-9031)
VUL-0: CVE-2017-9031: deluge: webUI: directory traversal vulnerability
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other openSUSE 42.2
: P4 - Low : Normal
: unspecified
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/185429/
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-05-18 21:23 UTC by Mikhail Kasimov
Modified: 2017-06-06 22:40 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Mikhail Kasimov 2017-05-18 21:23:00 UTC
Ref: http://seclists.org/oss-sec/2017/q2/296
=============================================
CVE-2017-9031 was assigned for the following directory traversal issue
in Deluge's WebUI:

http://dev.deluge-torrent.org/wiki/ReleaseNotes/1.3.15

Quoting upstream announce:

    Highly recommended to upgrade to this release as it contains a
    directory traversal security fix that once again has the real
    potential to compromise your machine. 


The related commit is:

http://git.deluge-torrent.org/deluge/commit/?h=1.3-stable&id=41acade01ae88f7b7bbdba308a0886771aa582fd

which gives more information about the issue:

    [WebUI] Check render template files exist and raise 404 if not
    - Check render/* requests match to .html files in the 'render' dir
    - Protects against directory (path) traversal


Additional reference:
https://bugs.debian.org/862611
=============================================

Hyperlink

[1] http://dev.deluge-torrent.org/wiki/ReleaseNotes/1.3.15

[2] https://security-tracker.debian.org/tracker/CVE-2017-9031

[3] https://bugs.debian.org/862611

[4] http://git.deluge-torrent.org/deluge/commit/?h=1.3-stable&id=41acade01ae88f7b7bbdba308a0886771aa582fd


(open-)SUSE: https://software.opensuse.org/package/deluge

1.3.13 (42.2, official repo)
1.3.14 (42.3, TW, official repo)
Comment 1 Andreas Stieger 2017-05-19 09:30:05 UTC
openSUSE only. Assign to maintainer.
Comment 2 Bernhard Wiedemann 2017-05-19 16:01:11 UTC
This is an autogenerated message for OBS integration:
This bug (1039815) was mentioned in
https://build.opensuse.org/request/show/496786 42.2 / deluge
Comment 3 Andreas Stieger 2017-05-19 16:47:52 UTC
update running
Comment 4 Andreas Stieger 2017-06-06 16:40:41 UTC
done
Comment 5 Swamp Workflow Management 2017-06-06 22:09:07 UTC
openSUSE-SU-2017:1497-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1039815,1039958
CVE References: CVE-2017-7178,CVE-2017-9031
Sources used:
openSUSE Leap 42.2 (src):    deluge-1.3.15-3.3.1