Opened 15 years ago
Closed 15 years ago
#961 closed bug (Fixed)
Update libtorrent for CVE-2009-1760
Reported by: | rbu | Owned by: | andar |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | Unknown | Version: | 1.1.8 |
Keywords: | | Cc: | |
Description
Directory traversal vulnerability in src/torrent_info.cpp in Rasterbar libtorrent before 0.14.4, as used in firetorrent, qBittorrent, deluge Torrent, and other applications, allows remote attackers to create or overwrite arbitrary files via a .. (dot dot) and partial relative pathname in a Multiple File Mode list element in a .torrent file.
advisory: http://census-labs.com/news/2009/06/08/libtorrent-rasterbar/
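A defensive check for the class of bug described above, as an added example that is not code from this ticket, from Deluge, or from libtorrent's fix. It assumes the `info` dictionary has already been bdecoded with `name` and `path` elements as `str`; `safe_destinations`, `UnsafeTorrentPath` and the sample dictionaries are hypothetical names constructed for illustration.

```python
import os

class UnsafeTorrentPath(ValueError):
    """A file entry would be written outside the download directory."""

def safe_destinations(info, download_dir):
    """Return the on-disk path for every entry of a multi-file info dict.

    Assumption: `info` is the already bdecoded `info` dictionary, with
    `name` and each `path` element decoded to str.
    """
    root = os.path.realpath(download_dir)
    destinations = []
    for entry in info["files"]:
        elements = [info["name"], *entry["path"]]
        for element in elements:
            # Each list element must be a single plain name: no empty or
            # dot names, no separators hiding a relative path, no NUL.
            if element in ("", ".", "..") or any(c in element for c in "/\\\0"):
                raise UnsafeTorrentPath(repr(elements))
        dest = os.path.realpath(os.path.join(root, *elements))
        # Second check: the resolved path (symlinks included) stays in root.
        if os.path.commonpath([root, dest]) != root:
            raise UnsafeTorrentPath(repr(elements))
        destinations.append(dest)
    return destinations

# Constructed sample info dictionaries (not taken from a real torrent).
BENIGN = {"name": "album", "files": [
    {"length": 3, "path": ["cd1", "track01.ogg"]},
    {"length": 5, "path": ["cover.png"]}]}
DOTDOT_ELEMENT = {"name": "album", "files": [
    {"length": 1, "path": ["..", "..", "outside.txt"]}]}
EMBEDDED_RELATIVE = {"name": "album", "files": [
    {"length": 1, "path": ["cd1/../../outside.txt"]}]}

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        for label, info in [("benign", BENIGN), ("dotdot", DOTDOT_ELEMENT),
                            ("embedded", EMBEDDED_RELATIVE)]:
            try:
                print(label, safe_destinations(info, tmp))
            except UnsafeTorrentPath as exc:
                print(label, "rejected:", exc)
```

Running the check before any file is opened for writing means a rejected torrent leaves nothing on disk.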
Change History (2)
comment:1 Changed 15 years ago by andar
This has been done in svn since we automatically sync from the libtorrent repository, but the fix was not included in the last release (1.1.8). I will be making the 1.1.9 release shortly to address this.
comment:2 Changed 15 years ago by andar
- Resolution set to fixed
- Status changed from new to closed
1.1.9 has been released to address this.