Re: CVE request: Transmission can be made to crash remotely
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Mon, 11 Feb 2013 08:47:29 -0500 (EST)
to follow up on this one. The source of the issue
seems to be underlying libutp code:
more specifically the way libutp (previously) handled
selective acknowledgements, which resulted in the following two
Transmission upstream corrected this issue in v2.74:
with the following patch:
Ad assigning CVE ids - I think one CVE id is enough.
The problem is in libutp code, and Transmission upstream
seems to commit their own change only due to libutp
Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team
P.S.: All the links from above at one place are at:
----- Original Message -----
On Sun., 2013-02-10 at 11:50 +0100, Josselin Mouette wrote:
Tags: security patch upstream
Justification: user security hole
The transmission-daemon package in wheezy crashes regularly. According
to upstream this is a remote security hole (at least a remote DoS, but
most probably there is a way to take control of the process).
Apparently there is no CVE assigned. The bug is fixed upstream and I’m
attaching the patch. I’m currently testing a patched package, and will
report whether the fix is sufficient.
Could a CVE be assigned for this?
Thanks in advance,