USN-436-1: KTorrent vulnerabilities
Posted on: 03/13/2007 03:45 AM

A new KTorrent vulnerabilities update is available for Ubuntu Linux. Here the announcement:

Ubuntu Security Notice USN-436-1 March 12, 2007
ktorrent vulnerabilities
CVE-2007-1384, CVE-2007-1385
==========================
==========================
=========

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
ktorrent 1.2-0ubuntu5.1

Ubuntu 6.10:
ktorrent 2.0.3+dfsg1-0ubuntu1.1

After a standard system upgrade you need to restart KTorrent to effect
the necessary changes.

Details follow:

Bryan Burns of Juniper Networks discovered that KTorrent did not
correctly validate the destination file paths nor the HAVE statements
sent by torrent peers. A malicious remote peer could send specially
crafted messages to overwrite files or execute arbitrary code with user
privileges.


Updated packages for Ubuntu 6.06 LTS:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_1.2-0ub=
untu5.1.diff.gz
Size/MD5: 43785 79df81a2daf88ed095153f8b664f7da4
http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_1.2-0ub=
untu5.1.dsc
Size/MD5: 785 b33cc9609741465d1acfed4c3e86c87e
http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_1.2.ori=
g.tar.gz
Size/MD5: 1447380 55c6c4ae679aea0ba0370058856ddb92

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_1.2-0ub=
untu5.1_amd64.deb
Size/MD5: 799590 1e15c2c9901fe1bd815d3ebebc33c841

i386 architecture (x86 compatible Intel/AMD)

http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_1.2-0ub=
untu5.1_i386.deb
Size/MD5: 756604 9d33c77836ca569ac77e5cb1e43727e5

powerpc architecture (Apple Macintosh G3/G4/G5)

http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_1.2-0ub=
untu5.1_powerpc.deb
Size/MD5: 790462 59620e287be8fa5f39725c579516d580

sparc architecture (Sun SPARC/UltraSPARC)

http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_1.2-0ub=
untu5.1_sparc.deb
Size/MD5: 759414 53bcc7c1baf8bf5a6d2f21fd4677ab34

Updated packages for Ubuntu 6.10:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.0.3+d=
fsg1-0ubuntu1.1.diff.gz
Size/MD5: 336981 510bbd0ce41892c3f73580c6912e8cca
http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.0.3+d=
fsg1-0ubuntu1.1.dsc
Size/MD5: 754 fba0cabd58450420a144ce4aceec77e1
http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.0.3+d=
fsg1.orig.tar.gz
Size/MD5: 2183661 891f2cc509331a4283f958b068bbcf7d

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.0.3+d=
fsg1-0ubuntu1.1_amd64.deb
Size/MD5: 1220846 74e7cbb176c3167fd3ebc1262a83fb69

i386 architecture (x86 compatible Intel/AMD)

http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.0.3+d=
fsg1-0ubuntu1.1_i386.deb
Size/MD5: 1182658 0d40b9c135c6f835da909aee5a7320a5

powerpc architecture (Apple Macintosh G3/G4/G5)

http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.0.3+d=
fsg1-0ubuntu1.1_powerpc.deb
Size/MD5: 1205360 1748f978c4bd43e805bd64615e5cebee

sparc architecture (Sun SPARC/UltraSPARC)

http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.0.3+d=
fsg1-0ubuntu1.1_sparc.deb
Size/MD5: 1159794 8c7988c495afa48bae90fc1d21f49d71


--orO6xySwJI16pVnm
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF9f9NH/9LqRcGPm0RAvZ2AKCFXEhFZqW9uhfR6iIF1f0HiUUTVwCeMQjq
mzrMEOGN5P1Y+p800FaMjDU=
=Uxu3
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/usn_436_1_ktorrent_vulnerabilities.html)