Bug 1141967 - (CVE-2019-13640) VUL-1: CVE-2019-13640: qbittorrent: command injection via shell metacharacters
Status: NEW
Classification: openSUSE
Product: openSUSE Distribution
Component: Other
Version: Leap 15.1
Hardware: Other Other
Priority: P4 - Low
Severity: Minor
Assigned To: Mariusz Fik
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/237590/

Reported: 2019-07-18 07:59 UTC by Alexander Bergmann
Modified: 2019-08-31 22:47 UTC (History)
Found By: Security Response Team
Description Alexander Bergmann 2019-07-18 07:59:05 UTC
CVE-2019-13640

In qBittorrent before 4.1.7, the function Application::runExternalProgram()
located in app/application.cpp allows command injection via shell metacharacters
in the torrent name parameter or current tracker parameter, as demonstrated by
remote command execution via a crafted name within an RSS feed.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13640
http://www.cvedetails.com/cve/CVE-2019-13640/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13640
https://github.com/qbittorrent/qBittorrent/issues/10925
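
The flaw class in the description above, shown as an added example that is not part of the bug report and is not qBittorrent's code: it contrasts expanding untrusted values into a string meant for `sh -c` with parsing the trusted command template first and expanding each argument afterwards. The `%N` and `%T` placeholder letters, the `notify-done` helper and the sample values are assumptions made for illustration.

```cpp
#include <iostream>
#include <map>
#include <string>
#include <vector>

using Params = std::map<char, std::string>;  // placeholder letter -> value

// Expand %X placeholders in one pass, so inserted values are never re-scanned.
std::string expand(const std::string& s, const Params& p) {
    std::string out;
    for (size_t i = 0; i < s.size(); ++i) {
        auto it = (s[i] == '%' && i + 1 < s.size()) ? p.find(s[i + 1]) : p.end();
        if (it != p.end()) { out += it->second; ++i; }
        else out += s[i];
    }
    return out;
}

// Minimal splitter: whitespace separates arguments, double quotes group them.
std::vector<std::string> splitCommand(const std::string& cmd) {
    std::vector<std::string> args;
    std::string cur;
    bool quoted = false, started = false;
    for (char c : cmd) {
        if (c == '"') { quoted = !quoted; started = true; }
        else if (!quoted && (c == ' ' || c == '\t')) {
            if (started) { args.push_back(cur); cur.clear(); started = false; }
        } else { cur += c; started = true; }
    }
    if (started) args.push_back(cur);
    return args;
}

// Vulnerable pattern: untrusted values become part of a string for `sh -c`.
std::string shellLine(const std::string& tmpl, const Params& p) { return expand(tmpl, p); }

// Hardened pattern: parse the trusted template first, then expand each argument.
// The result is meant for execvp()/posix_spawn() with no shell in between.
std::vector<std::string> safeArgv(const std::string& tmpl, const Params& p) {
    std::vector<std::string> argv = splitCommand(tmpl);
    for (std::string& a : argv) a = expand(a, p);
    return argv;
}

int main() {
    // Constructed sample values; notify-done is a hypothetical helper program.
    Params p{{'N', "Demo\"; echo INJECTED; \""}, {'T', "http://tracker.example/announce"}};
    const std::string tmpl = "notify-done --title \"%N\" --tracker %T";
    std::cout << "sh -c sees: " << shellLine(tmpl, p) << "\n";
    for (const std::string& a : safeArgv(tmpl, p)) std::cout << "argv: [" << a << "]\n";
}
```

In the first form the quote and `;` characters in the name change how the line would be parsed; in the second the whole name stays one argument.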
Comment 1 Swamp Workflow Management 2019-07-24 20:40:06 UTC
This is an autogenerated message for OBS integration:
This bug (1141967) was mentioned in
https://build.opensuse.org/request/show/718336 15.1 / qbittorrent
Comment 2 Swamp Workflow Management 2019-08-24 22:17:11 UTC
openSUSE-SU-2019:2005-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1141967
CVE References: CVE-2019-13640
Sources used:
openSUSE Leap 15.1 (src):    qbittorrent-4.1.5-lp151.2.3.1
Comment 3 Swamp Workflow Management 2019-08-30 10:11:59 UTC
openSUSE-SU-2019:2024-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1141967
CVE References: CVE-2019-13640
Sources used:
openSUSE Backports SLE-15-SP1 (src):    qbittorrent-4.1.5-bp151.3.3.1