Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

[USN-885-1] Transmission vulnerabilities
From: Jamie Strandboge <jamie () canonical com>
Date: Thu, 14 Jan 2010 12:44:22 -0600

===========================================================
Ubuntu Security Notice USN-885-1           January 14, 2010
transmission vulnerabilities
CVE-2009-1757, CVE-2010-0012
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
Ubuntu 9.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
  transmission-cli                1.06-0ubuntu6.1
  transmission-gtk                1.06-0ubuntu6.1

Ubuntu 8.10:
  transmission-cli                1.34-0ubuntu2.3
  transmission-gtk                1.34-0ubuntu2.3

Ubuntu 9.04:
  transmission-cli                1.51-0ubuntu3.1
  transmission-gtk                1.51-0ubuntu3.1

Ubuntu 9.10:
  transmission-cli                1.75-0ubuntu2.2
  transmission-gtk                1.75-0ubuntu2.2
  transmission-qt                 1.75-0ubuntu2.2

After a standard system upgrade you need to restart Transmission to effect
the necessary changes.

Details follow:

It was discovered that the Transmission web interface was vulnerable to
cross-site request forgery (CSRF) attacks. If a user were tricked into
opening a specially crafted web page in a browser while Transmission was
running, an attacker could trigger commands in Transmission. This issue
affected Ubuntu 9.04. (CVE-2009-1757)

Dan Rosenberg discovered that Transmission did not properly perform input
validation when processing torrent files. If a user were tricked into
opening a crafted torrent file, an attacker could overwrite files via
directory traversal. (CVE-2010-0012)


Updated packages for Ubuntu 8.04 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/t/transmission/transmission_1.06-0ubuntu6.1.diff.gz
      Size/MD5:    11532 d00f5ae62fa91ab4ddb3cd1c26856666
    http://security.ubuntu.com/ubuntu/pool/main/t/transmission/transmission_1.06-0ubuntu6.1.dsc
      Size/MD5:     1116 3b62b133deca8b2e70635f3f90aef7ac
    http://security.ubuntu.com/ubuntu/pool/main/t/transmission/transmission_1.06.orig.tar.gz
      Size/MD5:  5059106 0073841635cc1e61ec725160b8a7a358

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/t/transmission/transmission-common_1.06-0ubuntu6.1_all.deb
      Size/MD5:    14272 d94c612943dce26b75a79fade345cfe6
    http://security.ubuntu.com/ubuntu/pool/universe/t/transmission/transmission_1.06-0ubuntu6.1_all.deb
      Size/MD5:      918 61e1dc579d951a4680698706a17bd3ea

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/t/transmission/transmission-gtk_1.06-0ubuntu6.1_amd64.deb
      Size/MD5:   265288 722018b52a0420470d22628a34cd3d16
    http://security.ubuntu.com/ubuntu/pool/universe/t/transmission/transmission-cli_1.06-0ubuntu6.1_amd64.deb
      Size/MD5:   394298 9a6c437e1368a5af80c7374f3376f1c0

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/t/transmission/transmission-gtk_1.06-0ubuntu6.1_i386.deb
      Size/MD5:   250598 047794218f9ff6891077d2501cf30113
    http://security.ubuntu.com/ubuntu/pool/universe/t/transmission/transmission-cli_1.06-0ubuntu6.1_i386.deb
      Size/MD5:   361264 e9ac5569928691ca26007f4a6b6b703b

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/t/transmission/transmission-gtk_1.06-0ubuntu6.1_lpia.deb
      Size/MD5:   247834 5253a82b3394d4a69f2eb5160718fcdd
    http://ports.ubuntu.com/pool/universe/t/transmission/transmission-cli_1.06-0ubuntu6.1_lpia.deb
      Size/MD5:   358348 40f4c4e498669042187b0ef9be1b863e

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/t/transmission/transmission-gtk_1.06-0ubuntu6.1_powerpc.deb
      Size/MD5:   290390 47cfd7d7950cf77f584e913247c1b54d
    http://ports.ubuntu.com/pool/universe/t/transmission/transmission-cli_1.06-0ubuntu6.1_powerpc.deb
      Size/MD5:   441040 74f777dca45370cf200008f21c1bf449

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/t/transmission/transmission-gtk_1.06-0ubuntu6.1_sparc.deb
      Size/MD5:   251970 c4fb56ea87efd5136ce72d9fda54b4a0
    http://ports.ubuntu.com/pool/universe/t/transmission/transmission-cli_1.06-0ubuntu6.1_sparc.deb
      Size/MD5:   363224 8f930290cda469fe08367bf7596a8534

Updated packages for Ubuntu 8.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/t/transmission/transmission_1.34-0ubuntu2.3.diff.gz
      Size/MD5:    17297 a339c2d7a5d13c396ce8471214f5ac88
    http://security.ubuntu.com/ubuntu/pool/main/t/transmission/transmission_1.34-0ubuntu2.3.dsc
      Size/MD5:     1553 18165c72efbb3697cc103db601240411
    http://security.ubuntu.com/ubuntu/pool/main/t/transmission/transmission_1.34.orig.tar.gz
      Size/MD5:  6576998 18973d58ef3e9936fc854f4e88cf4a1c

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/t/transmission/transmission-common_1.34-0ubuntu2.3_all.deb
      Size/MD5:   143450 e73d3b5c2f7d5b4ffa8b42a31f3967cf
    http://security.ubuntu.com/ubuntu/pool/universe/t/transmission/transmission_1.34-0ubuntu2.3_all.deb
      Size/MD5:      922 a212710fd05212893e051066ee7e268c

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/t/transmission/transmission-gtk_1.34-0ubuntu2.3_amd64.deb
      Size/MD5:   338196 75da571c8e09fa448415b5ee96e88052
    http://security.ubuntu.com/ubuntu/pool/universe/t/transmission/transmission-cli_1.34-0ubuntu2.3_amd64.deb
      Size/MD5:   644464 5cef27ba35fda1680525296dad6de416

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/t/transmission/transmission-gtk_1.34-0ubuntu2.3_i386.deb
      Size/MD5:   314384 a7b996a4eaff1cd6ea36ee18698c7b9a
    http://security.ubuntu.com/ubuntu/pool/universe/t/transmission/transmission-cli_1.34-0ubuntu2.3_i386.deb
      Size/MD5:   591144 a940a8a5f787060fca4ae8c2794cc22b

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/t/transmission/transmission-gtk_1.34-0ubuntu2.3_lpia.deb
      Size/MD5:   310472 266e132eef131a23d6caa74e8dfabb81
    http://ports.ubuntu.com/pool/universe/t/transmission/transmission-cli_1.34-0ubuntu2.3_lpia.deb
      Size/MD5:   582392 0b4eb7c3562acdd352587d3e78703ed2

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/t/transmission/transmission-gtk_1.34-0ubuntu2.3_powerpc.deb
      Size/MD5:   360310 0165994b599a430f7e7ae41fab25cd66
    http://ports.ubuntu.com/pool/universe/t/transmission/transmission-cli_1.34-0ubuntu2.3_powerpc.deb
      Size/MD5:   704174 df350e777eaf7bdf87673fd71494a35d

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/t/transmission/transmission-gtk_1.34-0ubuntu2.3_sparc.deb
      Size/MD5:   311594 dabe39e1da4d693c7189f02d5422a04c
    http://ports.ubuntu.com/pool/universe/t/transmission/transmission-cli_1.34-0ubuntu2.3_sparc.deb
      Size/MD5:   579250 f142cd566f075a71e693668b48c8f711

Updated packages for Ubuntu 9.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/t/transmission/transmission_1.51-0ubuntu3.1.diff.gz
      Size/MD5:    24490 0baa3ef499573c1e89cce6d6cb848328
    http://security.ubuntu.com/ubuntu/pool/main/t/transmission/transmission_1.51-0ubuntu3.1.dsc
      Size/MD5:     1598 f693615ed24d4f4e5b8886325e0d123d
    http://security.ubuntu.com/ubuntu/pool/main/t/transmission/transmission_1.51.orig.tar.gz
      Size/MD5:  5957327 3ab369ba9027e19ffdd1de66df05ba4f

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/t/transmission/transmission-common_1.51-0ubuntu3.1_all.deb
      Size/MD5:   145980 fe4b2f64b5f286ab5d39d7ab73d5b98f
    http://security.ubuntu.com/ubuntu/pool/universe/t/transmission/transmission_1.51-0ubuntu3.1_all.deb
      Size/MD5:      920 953f2d2201648c1fa094a90115cf415b

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/t/transmission/transmission-gtk_1.51-0ubuntu3.1_amd64.deb
      Size/MD5:   357900 3514ead45152bbf76036903e47be0a1c
    http://security.ubuntu.com/ubuntu/pool/universe/t/transmission/transmission-cli_1.51-0ubuntu3.1_amd64.deb
      Size/MD5:   476168 6d3680a980ee1b592980b0b10722ef3b
    http://security.ubuntu.com/ubuntu/pool/universe/t/transmission/transmission-daemon_1.51-0ubuntu3.1_amd64.deb
      Size/MD5:   232404 5a1338bed463c1a78fdc53ec931dbc1c

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/t/transmission/transmission-gtk_1.51-0ubuntu3.1_i386.deb
      Size/MD5:   335040 39b83444267dda6ec1c0e8e5da8f73c6
    http://security.ubuntu.com/ubuntu/pool/universe/t/transmission/transmission-cli_1.51-0ubuntu3.1_i386.deb
      Size/MD5:   441532 4645ced62475f99387a19fe48b84b685
    http://security.ubuntu.com/ubuntu/pool/universe/t/transmission/transmission-daemon_1.51-0ubuntu3.1_i386.deb
      Size/MD5:   214318 7aba6cac5ac750c6b9dff52b43b2d3cb

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/t/transmission/transmission-gtk_1.51-0ubuntu3.1_lpia.deb
      Size/MD5:   329340 ae96622495e47e51b89b4f658d5457c4
    http://ports.ubuntu.com/pool/universe/t/transmission/transmission-cli_1.51-0ubuntu3.1_lpia.deb
      Size/MD5:   432932 496dfaf1f49d854295318d04b6fab554
    http://ports.ubuntu.com/pool/universe/t/transmission/transmission-daemon_1.51-0ubuntu3.1_lpia.deb
      Size/MD5:   210720 4844d827b922a952155584c0e77d793f

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/t/transmission/transmission-gtk_1.51-0ubuntu3.1_powerpc.deb
      Size/MD5:   380206 6888a1c04fe31018b6e2862e7166a0fd
    http://ports.ubuntu.com/pool/universe/t/transmission/transmission-cli_1.51-0ubuntu3.1_powerpc.deb
      Size/MD5:   514886 533cadf1855c8a1f2a2e370e64587455
    http://ports.ubuntu.com/pool/universe/t/transmission/transmission-daemon_1.51-0ubuntu3.1_powerpc.deb
      Size/MD5:   250180 eec5961a7101039ad266a95079af97ca

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/t/transmission/transmission-gtk_1.51-0ubuntu3.1_sparc.deb
      Size/MD5:   331716 ea4a56b65f845af3e1f0b81aeeb1df02
    http://ports.ubuntu.com/pool/universe/t/transmission/transmission-cli_1.51-0ubuntu3.1_sparc.deb
      Size/MD5:   431488 4693c3c826f95943b153b7025d09ad84
    http://ports.ubuntu.com/pool/universe/t/transmission/transmission-daemon_1.51-0ubuntu3.1_sparc.deb
      Size/MD5:   209510 de01528b01ebff556aec2102162586a1

Updated packages for Ubuntu 9.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/t/transmission/transmission_1.75-0ubuntu2.2.diff.gz
      Size/MD5:   162354 615f470d226802b77c1d711945f2e2d3
    http://security.ubuntu.com/ubuntu/pool/main/t/transmission/transmission_1.75-0ubuntu2.2.dsc
      Size/MD5:     1612 1d15228514d73e475f6fd0b14d87be23
    http://security.ubuntu.com/ubuntu/pool/main/t/transmission/transmission_1.75.orig.tar.gz
      Size/MD5:  6681496 c0dc27e7b2b115fc6e6fc5fc24e49091

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/t/transmission/transmission-common_1.75-0ubuntu2.2_all.deb
      Size/MD5:   176072 8f1c73238021806cd7efc4bde1f28d46
    http://security.ubuntu.com/ubuntu/pool/universe/t/transmission/transmission_1.75-0ubuntu2.2_all.deb
      Size/MD5:      922 c3e2851cbb5fa7677f267437c49c2537

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/t/transmission/transmission-gtk_1.75-0ubuntu2.2_amd64.deb
      Size/MD5:   317704 6374651cb303bb4e5828834645c61990
    http://security.ubuntu.com/ubuntu/pool/universe/t/transmission/transmission-cli_1.75-0ubuntu2.2_amd64.deb
      Size/MD5:   395338 a29a8a45791d0b0a2b933bd353f662a9
    http://security.ubuntu.com/ubuntu/pool/universe/t/transmission/transmission-daemon_1.75-0ubuntu2.2_amd64.deb
      Size/MD5:   193326 99894adc21a2b180648e35c26b84a489
    http://security.ubuntu.com/ubuntu/pool/universe/t/transmission/transmission-qt_1.75-0ubuntu2.2_amd64.deb
      Size/MD5:   466460 d4961ed6131494db9b8b88bb0abceb07

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/t/transmission/transmission-gtk_1.75-0ubuntu2.2_i386.deb
      Size/MD5:   296916 f1aca01266c554afcaf5326d5c794fdb
    http://security.ubuntu.com/ubuntu/pool/universe/t/transmission/transmission-cli_1.75-0ubuntu2.2_i386.deb
      Size/MD5:   365018 4d9d974fe9827d8ef27d23b8a8c77a79
    http://security.ubuntu.com/ubuntu/pool/universe/t/transmission/transmission-daemon_1.75-0ubuntu2.2_i386.deb
      Size/MD5:   177554 bdbee974b9b2f0991ae50fe7ef41a272
    http://security.ubuntu.com/ubuntu/pool/universe/t/transmission/transmission-qt_1.75-0ubuntu2.2_i386.deb
      Size/MD5:   442314 a5ad4c269bab8e18a8a3d94d5fecf885

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/t/transmission/transmission-gtk_1.75-0ubuntu2.2_lpia.deb
      Size/MD5:   296494 a83907ed3f3d40d14c3cba28c1633b68
    http://ports.ubuntu.com/pool/universe/t/transmission/transmission-cli_1.75-0ubuntu2.2_lpia.deb
      Size/MD5:   365946 fa65ff7adb23a470498ea8af761eddf0
    http://ports.ubuntu.com/pool/universe/t/transmission/transmission-daemon_1.75-0ubuntu2.2_lpia.deb
      Size/MD5:   177378 1f963b664a4698953bd3fc812222437b
    http://ports.ubuntu.com/pool/universe/t/transmission/transmission-qt_1.75-0ubuntu2.2_lpia.deb
      Size/MD5:   449438 bea029d30f55d7923a9806aa142c7a62

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/t/transmission/transmission-gtk_1.75-0ubuntu2.2_powerpc.deb
      Size/MD5:   316620 2181995c3049e92b0ca1a81cd2ad27b2
    http://ports.ubuntu.com/pool/universe/t/transmission/transmission-cli_1.75-0ubuntu2.2_powerpc.deb
      Size/MD5:   397630 10bc710de5c9d49445b703f91152981b
    http://ports.ubuntu.com/pool/universe/t/transmission/transmission-daemon_1.75-0ubuntu2.2_powerpc.deb
      Size/MD5:   192460 2fadcc159f0d3f3df08ec3845ec50f30
    http://ports.ubuntu.com/pool/universe/t/transmission/transmission-qt_1.75-0ubuntu2.2_powerpc.deb
      Size/MD5:   468876 bdaf4da901683771db1a450e385fa4b8

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/t/transmission/transmission-gtk_1.75-0ubuntu2.2_sparc.deb
      Size/MD5:   293898 6892dd2c4fcd781d233604f5a0a4443c
    http://ports.ubuntu.com/pool/universe/t/transmission/transmission-cli_1.75-0ubuntu2.2_sparc.deb
      Size/MD5:   358756 d94bf198cc880e78d33d5a68493376ee
    http://ports.ubuntu.com/pool/universe/t/transmission/transmission-daemon_1.75-0ubuntu2.2_sparc.deb
      Size/MD5:   173830 038a09f38e3a280bc70f8608013442d3
    http://ports.ubuntu.com/pool/universe/t/transmission/transmission-qt_1.75-0ubuntu2.2_sparc.deb
      Size/MD5:   484760 5ddea92faf999e6e5d38ed803e61baba


Attachment: signature.asc
Description: Digital signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • [USN-885-1] Transmission vulnerabilities Jamie Strandboge (Jan 14)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]