Bug 887079 - (CVE-2014-4909) VUL-0: CVE-2014-4909 transmission: peer communication vulnerability
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other openSUSE 13.1
Priority: P3 - Medium, Severity: Normal
Target Milestone: ---
Assigned To: Vincent Untz
QA Contact: Security Team bot
Reported: 2014-07-14 07:57 UTC by Victor Pereira
Modified: 2014-08-19 07:17 UTC (History)
Found By: Security Response Team
Description Victor Pereira 2014-07-14 07:57:12 UTC
CVE-2014-4909

Transmission version 2.84 fixes peer communication vulnerability (no known exploits) reported by Ben Hawkes.


 proof-of-concept for tr_bitfieldEnsureNthBitAlloced overflow:

     tr_bitfieldEnsureBitsAlloced (b, nth + 1);
     ...
     b->bits[nth >> 3u] |= (0x80 >> (nth & 7u));

   results in a 1-bit out-of-bound write at constant address 0x1fffffff
   
   affects 32-bit systems only due to int index being cast to size_t nth

   it's also possible to trigger the write relative to an allocated chunk
   by sending a valid response to the first piece request and triggering
   the bug on the second piece request (such that b->bits is allocated)

   submission acts as a seeding peer for the provided torrent file

   by default, transmission clients will use uTP and encryption, which
   submission doesn't support. tested using the following client:

     transmission-2.83/daemon/transmission-daemon -et --no-utp -f -c .



References:
https://bugs.gentoo.org/show_bug.cgi?id=516822
https://bugzilla.redhat.com/show_bug.cgi?id=1118290
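
The index arithmetic behind the "0x1fffffff" and "32-bit systems only" remarks in the description, next to a bounds-checked form, as an added example that is not Transmission's code, its upstream fix, or the reporter's proof-of-concept. Assumptions: `uint32_t` stands in for a 32-bit `size_t`, and `struct bitfield`, `checked_set_bit` and `max_bits` are hypothetical names.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint32_t size32_t;   /* assumption: models size_t on a 32-bit build */

/* Hypothetical growable bitfield, not Transmission's tr_bitfield. */
struct bitfield { uint8_t *bits; size32_t alloc_bytes; };

/* Bytes needed to hold bit_count bits, computed in 32-bit arithmetic. */
static size32_t bytes_for_bits(size32_t bit_count)
{
    return (bit_count >> 3u) + ((bit_count & 7u) ? 1u : 0u);
}

/* Size the unchecked "ensure nth + 1 bits" step asks for: nth + 1 wraps to 0. */
size32_t unchecked_alloc_request(size32_t nth) { return bytes_for_bits(nth + 1u); }

/* Byte offset that bits[nth >> 3u] then refers to. */
size32_t byte_offset(size32_t nth) { return nth >> 3u; }

/* Checked form: reject an index whose nth + 1 wraps, or that lies beyond the
 * caller's limit (max_bits, e.g. the number of pieces), before growing. */
bool checked_set_bit(struct bitfield *b, size32_t nth, size32_t max_bits)
{
    if (nth == UINT32_MAX || nth >= max_bits)
        return false;
    size32_t need = bytes_for_bits(nth + 1u);
    if (need > b->alloc_bytes) {
        uint8_t *p = realloc(b->bits, need);
        if (p == NULL)
            return false;
        memset(p + b->alloc_bytes, 0, need - b->alloc_bytes); /* zero new bytes */
        b->bits = p;
        b->alloc_bytes = need;
    }
    b->bits[nth >> 3u] |= (uint8_t)(0x80u >> (nth & 7u));
    return true;
}

int main(void)
{
    struct bitfield b = { NULL, 0 };
    printf("request=%u offset=0x%x\n", (unsigned)unchecked_alloc_request(UINT32_MAX),
           (unsigned)byte_offset(UINT32_MAX));
    printf("checked=%d\n", checked_set_bit(&b, UINT32_MAX, 64)); /* rejected */
    free(b.bits);
    return 0;
}
```
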
Comment 1 Swamp Workflow Management 2014-07-14 22:00:15 UTC
bugbot adjusting priority
Comment 4 Dominique Leuenberger 2014-07-24 08:06:23 UTC
242169  State:new        By:dimstar      When:2014-07-24T08:05:07
        maintenance_incident: GNOME:Apps/transmission@d65de334f181d79b4c78563f1f40286c -> openSUSE:Maintenance (release in openSUSE:13.1:Update)
        Descr: Release as online update for openSUSE 13.1
Comment 5 Swamp Workflow Management 2014-08-11 08:08:43 UTC
openSUSE-SU-2014:0980-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 887079
CVE References: CVE-2014-4909
Sources used:
openSUSE 13.1 (src):    transmission-2.82-2.4.1
Comment 6 Vincent Untz 2014-08-19 07:17:10 UTC
Update released.