[CVE pending] security patch for net/transmission

Josh Grosse-3
The attached patch against transmission 2.92 has been tested
on amd64, but could use additional testing.  It mitigates a DNS
rebinding attack against transmission-daemon.

Upstream is aware of the security issue but has not yet taken
action to date.

net.transmission.patch (14K)

Re: [CVE pending] security patch for net/transmission

Josh Grosse-3
Revised to eliminate conflict with Makefile 1.122, revised
after the patch had been built.

net.transmission.v2.patch (14K)

Re: [CVE pending] security patch for net/transmission

Stuart Henderson
On 2018/01/15 09:08, Josh Grosse wrote:
> Revised to eliminate conflict with Makefile 1.122, revised
> after the patch had been built.

> Index: Makefile
> ===================================================================
> RCS file: /systems/cvs/ports/net/transmission/Makefile,v
> retrieving revision 1.122
> diff -u -p -r1.122 Makefile
> --- Makefile 12 Jan 2018 16:09:42 -0000 1.122
> +++ Makefile 15 Jan 2018 14:03:29 -0000
> @@ -10,7 +10,7 @@ PKGNAME-main= transmission-${VER}
>  PKGNAME-gtk= transmission-gtk-${VER}
>  PKGNAME-qt= transmission-qt-${VER}
>  REVISION= 5
> -REVISION-main= 6
> +REVISION-main= 7
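
Review bot: REVISION-main goes from 6 to 7 here while the shared REVISION= 5 line is left alone, so transmission-gtk and transmission-qt keep their current package version and existing installs of them would not be offered an update. If the code this security patch touches is also built into those subpackages, bump REVISION as well, or drop REVISION-main and carry a single REVISION for all three.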

Unless you know it's safe not to, it's probably best to bump all
subpackages (or just remove REVISION-main and set REVISION=7).

Does this need more testing or are you happy with it now?

Re: [CVE pending] security patch for net/transmission

Josh Grosse-3
On Mon, Jan 15, 2018 at 02:45:59PM +0000, Stuart Henderson wrote:
> Unless you know it's safe not to, it's probably best to bump all
> subpackages (or just remove REVISION-main and set REVISION=7).

Thanks for the suggestion!  A "v3" patch set is attached.
 
> Does this need more testing or are you happy with it now?
 
I haven't had much time to test. I would like at least
a second person's review before considering this to be
commit-ready.

net.transmission.v3.patch (14K)

Re: [CVE pending] security patch for net/transmission

Josh Grosse-3
Assigned CVE-2018-5702, and merged into upstream's HEAD for deployment
as a milestone in their upcoming release 2.93.