USN-436-2: KTorrent vulnerability
Posted on: 05/19/2007 12:55 AM

A new KTorrent vulnerability update is available for Ubuntu Linux. Here the announcement:

Ubuntu Security Notice USN-436-2 May 18, 2007
ktorrent vulnerability
CVE-2007-1799
==========================
==========================
=========

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
ktorrent 1.2-0ubuntu5.2

Ubuntu 6.10:
ktorrent 2.0.3+dfsg1-0ubuntu1.2

Ubuntu 7.04:
ktorrent 2.1-0ubuntu2.1

After a standard system upgrade you need to restart KTorrent to effect
the necessary changes.

Details follow:

USN-436-1 fixed a vulnerability in KTorrent. The original fix for path
traversal was incomplete, allowing for alternate vectors of attack.
This update solves the problem.

Original advisory details:

Bryan Burns of Juniper Networks discovered that KTorrent did not
correctly validate the destination file paths nor the HAVE statements
sent by torrent peers. A malicious remote peer could send specially
crafted messages to overwrite files or execute arbitrary code with user
privileges.


Updated packages for Ubuntu 6.06 LTS:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_1.2-0ub=
untu5.2.diff.gz
Size/MD5: 43908 4b55922fe7424a6917521604a1a30bd6
http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_1.2-0ub=
untu5.2.dsc
Size/MD5: 785 f3b9690bf3818c509f96680ebaa7f597
http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_1.2.ori=
g.tar.gz
Size/MD5: 1447380 55c6c4ae679aea0ba0370058856ddb92

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_1.2-0ub=
untu5.2_amd64.deb
Size/MD5: 799786 b1bd2e290ab006d9f3b4fba8b5c89e1f

i386 architecture (x86 compatible Intel/AMD)

http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_1.2-0ub=
untu5.2_i386.deb
Size/MD5: 756728 cbd80bdb43896a174336226b5f97cce4

powerpc architecture (Apple Macintosh G3/G4/G5)

http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_1.2-0ub=
untu5.2_powerpc.deb
Size/MD5: 790630 e89da3850d7ffb80b8512ba7a454ad9f

sparc architecture (Sun SPARC/UltraSPARC)

http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_1.2-0ub=
untu5.2_sparc.deb
Size/MD5: 759562 e47ed41ae1ca4543bd9c642ff2b0eff9

Updated packages for Ubuntu 6.10:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.0.3+d=
fsg1-0ubuntu1.2.diff.gz
Size/MD5: 337132 a946ad69c0bf0041c27432874e14455d
http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.0.3+d=
fsg1-0ubuntu1.2.dsc
Size/MD5: 754 c3d171b3a900e009d0bf01802045c4be
http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.0.3+d=
fsg1.orig.tar.gz
Size/MD5: 2183661 891f2cc509331a4283f958b068bbcf7d

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.0.3+d=
fsg1-0ubuntu1.2_amd64.deb
Size/MD5: 1221058 9b5c8a651ad77cf6b92216ede3535567

i386 architecture (x86 compatible Intel/AMD)

http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.0.3+d=
fsg1-0ubuntu1.2_i386.deb
Size/MD5: 1182820 cac90a9294b823590345661faa1e5847

powerpc architecture (Apple Macintosh G3/G4/G5)

http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.0.3+d=
fsg1-0ubuntu1.2_powerpc.deb
Size/MD5: 1205294 7cbfc992145b665864ad260352550e12

sparc architecture (Sun SPARC/UltraSPARC)

http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.0.3+d=
fsg1-0ubuntu1.2_sparc.deb
Size/MD5: 1159814 0503cdf19dfa44f0b5acc3b65a69aa71

Updated packages for Ubuntu 7.04:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.1-0ub=
untu2.1.diff.gz
Size/MD5: 7286 ae881c04eaa732f36ebbf827f24427bf
http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.1-0ub=
untu2.1.dsc
Size/MD5: 749 e1bb6d3f0d0b6f8b92079fa27cb8c3d1
http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.1.ori=
g.tar.gz
Size/MD5: 3459985 2e3c350fe02b68936a6f8f6460fae8f6

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.1-0ub=
untu2.1_amd64.deb
Size/MD5: 2445288 db1df770f52eaad7ac5752c0e82e2473

i386 architecture (x86 compatible Intel/AMD)

http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.1-0ub=
untu2.1_i386.deb
Size/MD5: 2404202 8cf7a153dac6556701bb54751b5f65a1

powerpc architecture (Apple Macintosh G3/G4/G5)

http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.1-0ub=
untu2.1_powerpc.deb
Size/MD5: 2538566 6752811ccc287953e08fa5922fcf8e73

sparc architecture (Sun SPARC/UltraSPARC)

http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.1-0ub=
untu2.1_sparc.deb
Size/MD5: 2408286 576d5404aea241223ac804a4c72cf5ae


--VS++wcV0S1rZb1Fb
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGTiAgH/9LqRcGPm0RAid3AJsF5D/enujyq5tfVN+ZEGLCzG6MUwCgnXdR
U5LOqh24tuIeU7AFk0FvpzI=
=fjgj
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/usn_436_2_ktorrent_vulnerability.html)