Opened 15 years ago

Closed 15 years ago

#961 closed bug (Fixed)

Update libtorrent for CVE-2009-1760

Reported by: rbu
Owned by: andar
Priority: major
Milestone:
Component: Unknown
Version: 1.1.8
Keywords:
Cc:

Description

Directory traversal vulnerability in src/torrent_info.cpp in Rasterbar libtorrent before 0.14.4, as used in firetorrent, qBittorrent, deluge Torrent, and other applications, allows remote attackers to create or overwrite arbitrary files via a .. (dot dot) and partial relative pathname in a Multiple File Mode list element in a .torrent file.

advisory: http://census-labs.com/news/2009/06/08/libtorrent-rasterbar/

patch: http://code.rasterbar.com/libtorrent/changeset/3580
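The class of check that closes this kind of hole, sketched as an added example for a client that writes files from a multi-file torrent: it is not the libtorrent changeset linked above and not Deluge code. The names `safe_join` and `UnsafeTorrentPath` and the sample path lists are hypothetical, and the input is assumed to be one already-decoded `path` list from the torrent's `files` list.

```python
import os
from pathlib import PureWindowsPath


class UnsafeTorrentPath(ValueError):
    """A 'path' list from a .torrent would leave the save directory."""


def safe_join(save_dir, path_elements):
    """Join one multi-file 'path' list onto save_dir, or raise.

    path_elements is the decoded list of strings from one entry of the
    torrent's 'files' list (multiple file mode).
    """
    if not path_elements:
        raise UnsafeTorrentPath("empty path list")
    for elem in path_elements:
        if not isinstance(elem, str) or elem in ("", ".", ".."):
            raise UnsafeTorrentPath(f"bad element: {elem!r}")
        # One list element is one name: separators or NUL inside it mean the
        # element itself carries a (partial) relative or absolute path.
        if any(c in elem for c in "/\\\0"):
            raise UnsafeTorrentPath(f"separator in element: {elem!r}")
        # Conservative on every OS: refuse Windows drive prefixes like 'C:'.
        if PureWindowsPath(elem).drive:
            raise UnsafeTorrentPath(f"drive prefix in element: {elem!r}")
    base = os.path.realpath(save_dir)
    target = os.path.realpath(os.path.join(base, *path_elements))
    # Defence in depth: after resolving symlinks the target must still be
    # strictly inside the save directory.
    if target == base or os.path.commonpath([base, target]) != base:
        raise UnsafeTorrentPath(f"resolves outside save dir: {target}")
    return target


if __name__ == "__main__":
    # Constructed sample 'path' lists, not taken from any real torrent.
    samples = [["album", "track01.flac"], ["..", "..", "outside.txt"],
               ["album", "../outside.txt"], ["/tmp", "outside.txt"]]
    for parts in samples:
        try:
            print("ok      ", safe_join("downloads", parts))
        except UnsafeTorrentPath as exc:
            print("rejected", parts, "->", exc)
```

Run the check on every entry before any file or directory is created, and treat a single rejected entry as a reason to refuse the whole torrent.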

Change History (2)

comment:1 by andar, 15 years ago

This has been done in svn since we automatically sync from the libtorrent repository, but the fix was not included in the last release (1.1.8). I will be making the 1.1.9 release shortly to address this.

comment:2 by andar, 15 years ago

Resolution: fixed
Status: new → closed

1.1.9 has been released to address this.
