Date: Mon, 8 Jun 2009 20:43:29 +0300 (EEST)
From: Dimitris Glynos <>
Subject: Rasterbar libtorrent arbitrary file overwrite vulnerability

'libtorrent' is an open-source C++ bittorrent library by Rasterbar
Software that is used in many desktop applications and embedded devices.
Popular BitTorrent clients that use this library are 'firetorrent',
'qBittorrent' and 'deluge Torrent'. For a more comprehensive list
of libtorrent-based applications, see [1].

I have discovered an 'arbitrary file overwrite' vulnerability in
libtorrent that allows an attacker to create and modify arbitrary files
(and directories) with the effective rights of the user executing
the vulnerable libtorrent-based application.

libtorrent (up to and including version 0.14.3) employs an insufficient
path sanitization method that allows the formulation of relative paths
from the path elements found in .torrent files. Specifically, this
applies to .torrent files that describe multiple files (see
"Multiple File Mode" [2]). An adversary could use such relative paths,
in a specially crafted .torrent file, to replace or create files in
vulnerable systems.

See [3] for more information regarding the nature of this vulnerability.

The maintainer of libtorrent has been contacted and a new version (0.14.4)
of the library that fixes this issue has been released [4],[5]. All
affected parties are advised to upgrade to the latest release.

The Common Vulnerabilities and Exposures (CVE) project has assigned
the candidate name CVE-2009-1760 to this issue.

Vendor notification date:       May 27th, 2009
Vendor acknowledgement date:    May 28th, 2009
Vendor bugfix release date:     June 1st, 2009
Public disclosure date:         June 8th, 2009

With kind regards,

Dimitris Glynos
-- / IT security research, development and services
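
The following is an added example, not part of the original advisory and not libtorrent's actual fix: a C++ sketch of the kind of per-element check a client can apply to the path lists of a multi-file .torrent before touching the disk. The function names, the save directory and the sample entries are hypothetical and constructed for illustration.

```cpp
#include <string>
#include <vector>

// Hypothetical helper: accept only a plain file or directory name.
// Rejects empty names, "." and "..", and any element that carries a
// path separator (POSIX or Windows), a drive/stream colon, or a NUL byte.
bool is_safe_element(const std::string& e) {
    if (e.empty() || e == "." || e == "..") return false;
    return e.find_first_of(std::string("/\\:\0", 4)) == std::string::npos;
}

// Hypothetical helper: build the on-disk path for one entry of a
// multi-file torrent. 'elements' is the decoded "path" list of that entry.
// Returns false (and leaves 'out' untouched) if any element is unsafe,
// so the caller can refuse the whole torrent instead of "fixing" the path.
bool resolve_in_save_dir(const std::string& save_dir,
                         const std::vector<std::string>& elements,
                         std::string& out) {
    if (save_dir.empty() || elements.empty()) return false;
    std::string full = save_dir;
    for (const std::string& e : elements) {
        if (!is_safe_element(e)) return false;
        if (full.back() != '/') full += '/';
        full += e;
    }
    // Every element is a plain name, so 'full' cannot climb out of
    // save_dir lexically. Symbolic links that already exist inside
    // save_dir are a separate concern and are not covered here.
    out = full;
    return true;
}

int main() {
    // Constructed sample entries: one benign, one with a parent reference.
    std::string p;
    bool ok  = resolve_in_save_dir("/srv/dl", {"album", "track01.ogg"}, p);
    bool bad = resolve_in_save_dir("/srv/dl", {"..", "notes.txt"}, p);
    return (ok && !bad) ? 0 : 1;
}
```

Rejecting the entry outright, rather than stripping the offending element, avoids ending up with a path the .torrent author did not describe.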

