[USN-711-1] KTorrent vulnerabilities
Subject: [USN-711-1] KTorrent vulnerabilities
From: Marc Deslauriers <marc.deslauriers@canonical.com.>
To: [email protected]
Cc: "[email protected]" <bugtraq@securityfocus.com.>,
[email protected]
X-Original-To: [email protected]
X-Mailcontrol-Inbound:
uq3drnD2P+ps5SfEb0fvr78+NoP1DHBZwGqKpaXB2eTgNv8D6KLIxb8+NoP1DHBZ8VSaBg0k0xw=
X-Spam-Score: -4.4
X-Scanned-By: MailControl A_08_51_00 (www.mailcontrol.com) on 10.74.0.156
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="=-aTXlzfUR+t95VsDZnaL6"
Date: Mon, 26 Jan 2009 15:40:58 -0500
Message-Id: <1233002458.19266.1.camel@mdlinux.technorage.com.>
Mime-Version: 1.0
X-Mailer: Evolution 2.24.3
X-Virus-Scanned: antivirus-gw at tyumen.ru
--=-aTXlzfUR+t95VsDZnaL6
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D
Ubuntu Security Notice USN-711-1 January 26, 2009
ktorrent vulnerabilities
CVE-2008-5905, CVE-2008-5906
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D
A security issue affects the following Ubuntu releases:
Ubuntu 7.10
Ubuntu 8.04 LTS
Ubuntu 8.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 7.10:
ktorrent 2.2.1-0ubuntu3.1
Ubuntu 8.04 LTS:
ktorrent 2.2.5-0ubuntu1.1
Ubuntu 8.10:
ktorrent 3.1.2+dfsg.1-0ubuntu2.1
After a standard system upgrade you need to restart KTorrent to effect
the necessary changes.
Details follow:
It was discovered that KTorrent did not properly restrict access when using=
the
web interface plugin. A remote attacker could use a crafted http request an=
d
upload arbitrary torrent files to trigger the start of downloads and seedin=
g.
(CVE-2008-5905)
It was discovered that KTorrent did not properly handle certain parameters =
when
using the web interface plugin. A remote attacker could use crafted http
requests to execute arbitrary PHP code. (CVE-2008-5906)
Updated packages for Ubuntu 7.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.2.1-0=
ubuntu3.1.diff.gz
Size/MD5: 8139 542d145b17f4c93e90358305f5082892
http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.2.1-0=
ubuntu3.1.dsc
Size/MD5: 679 5d731774f0370fa9347ff1d4a9fe59b3
http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.2.1.o=
rig.tar.gz
Size/MD5: 3763678 229a0615d9252510d9387079dd5bd86d
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.2.1-0=
ubuntu3.1_amd64.deb
Size/MD5: 2809826 64590eb7d61058feffe16b0c05c462de
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.2.1-0=
ubuntu3.1_i386.deb
Size/MD5: 2764082 0e1d642f8f86576da7aadb1ba5915993
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/k/ktorrent/ktorrent_2.2.1-0ubuntu3.1_=
lpia.deb
Size/MD5: 2769980 979fbc6391793dd1b976b555614b8125
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.2.1-0=
ubuntu3.1_powerpc.deb
Size/MD5: 2912698 5c0baa03be10092f5f9dae0ec33cf050
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.2.1-0=
ubuntu3.1_sparc.deb
Size/MD5: 2764418 71d8cf3eb924098584948847752a69e7
Updated packages for Ubuntu 8.04 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.2.5-0=
ubuntu1.1.diff.gz
Size/MD5: 8186 887b90cfe0b14d6e654edf5f83d443a1
http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.2.5-0=
ubuntu1.1.dsc
Size/MD5: 679 1cf90260c7bb419ba83f280e0c242c1e
http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.2.5.o=
rig.tar.gz
Size/MD5: 3841204 f5cd0430250317eff85d8356d65c0a6f
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.2.5-0=
ubuntu1.1_amd64.deb
Size/MD5: 2812314 a60c001b92052ac0d269c894f4bafa7c
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.2.5-0=
ubuntu1.1_i386.deb
Size/MD5: 2749174 361a62003fe4029dd48b007f05a18848
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/k/ktorrent/ktorrent_2.2.5-0ubuntu1.1_=
lpia.deb
Size/MD5: 2762832 e458e9a11bf9d2db72c8af4d89936241
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/k/ktorrent/ktorrent_2.2.5-0ubuntu1.1_=
powerpc.deb
Size/MD5: 2894978 935494d19c317011e02041b204d042a5
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/k/ktorrent/ktorrent_2.2.5-0ubuntu1.1_=
sparc.deb
Size/MD5: 2744550 5a1f3871c1a972155efcc1a77cac2788
Updated packages for Ubuntu 8.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_3.1.2+d=
fsg.1-0ubuntu2.1.diff.gz
Size/MD5: 28491 2dfc78827267f8a0316f7b871a3c5795
http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_3.1.2+d=
fsg.1-0ubuntu2.1.dsc
Size/MD5: 1616 9daa934ea811f90d15aafcb96bcb8b3e
http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_3.1.2+d=
fsg.1.orig.tar.gz
Size/MD5: 3243464 d7ec6f8f7a77f9a460c99f9ba1d95cec
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent-dbg_3.1=
.2+dfsg.1-0ubuntu2.1_amd64.deb
Size/MD5: 10574990 4039eb82f82e92c60212a4639842fb8e
http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_3.1.2+d=
fsg.1-0ubuntu2.1_amd64.deb
Size/MD5: 1876310 7d183d5f936776da921a26eb07852cf9
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent-dbg_3.1=
.2+dfsg.1-0ubuntu2.1_i386.deb
Size/MD5: 10462534 b2a3142f8a5a73fac78af5651cb31a68
http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_3.1.2+d=
fsg.1-0ubuntu2.1_i386.deb
Size/MD5: 1872266 7f2002e96efccf24fd12178a0ac2af91
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/k/ktorrent/ktorrent-dbg_3.1.2+dfsg.1-=
0ubuntu2.1_lpia.deb
Size/MD5: 10485854 5b8f4fda1bb0b2e797a2b6d59bbe0f1a
http://ports.ubuntu.com/pool/main/k/ktorrent/ktorrent_3.1.2+dfsg.1-0ubu=
ntu2.1_lpia.deb
Size/MD5: 1891462 4b37c0d9502c46aa5f55e7cccd35c7b5
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/k/ktorrent/ktorrent-dbg_3.1.2+dfsg.1-=
0ubuntu2.1_powerpc.deb
Size/MD5: 11060316 fd33f09a63abe5485884da105fd5de91
http://ports.ubuntu.com/pool/main/k/ktorrent/ktorrent_3.1.2+dfsg.1-0ubu=
ntu2.1_powerpc.deb
Size/MD5: 1947996 561ba5edef371c84a165d61a88df0b80
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/k/ktorrent/ktorrent-dbg_3.1.2+dfsg.1-=
0ubuntu2.1_sparc.deb
Size/MD5: 10583140 b2957586c0802312c7e837336b2dfc10
http://ports.ubuntu.com/pool/main/k/ktorrent/ktorrent_3.1.2+dfsg.1-0ubu=
ntu2.1_sparc.deb
Size/MD5: 1873550 2d38e242cfa474fb4c335a1ae2475482
--=-aTXlzfUR+t95VsDZnaL6
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEABECAAYFAkl+H9oACgkQLMAs/0C4zNrskgCghLISn54Lf3blialkMRjeMuu6
2A0AoJtB/YrPe9zMvzUHiE4x6ag/snQ9
=/7SX
-----END PGP SIGNATURE-----
--=-aTXlzfUR+t95VsDZnaL6--