KTorrent's forum

2.1.2 released

George
Site Admin


Joined: 19 Sep 2005
Posts: 2153

Posted: Fri Mar 09, 2007 6:24 pm    Post subject: 2.1.2 released

Bryan Burns of Juniper Networks found 2 security vulnerabilities in KTorrent. These have now been fixed in the 2.1.2 release.

This is just 2.1.1 with these 2 fixes. It would be advisable to upgrade.
Linder



Joined: 07 Jan 2007
Posts: 26

Posted: Fri Mar 09, 2007 6:48 pm

How severe are they? How worried should I be using kTorrent 2.1 for a couple of weeks ahead?
George
Site Admin


Joined: 19 Sep 2005
Posts: 2153

Posted: Fri Mar 09, 2007 7:06 pm

Personally I don't think they are that bad.

One is just the fact that we accepted .. in paths of filenames.

So you could have multifile torrents with the following files :
../../foo/bar/avi

That's not really dangerous and you can easily see that when you get to the file selection dialog. You could overwrite some files, but not system files (provided you are not running as root).

The other is a problem where we accepted have messages with bogus chunk indexes. I'm not really convinced if this can be exploited, but I'm no hacker.
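The two checks described in the post above, as an added example that is not part of the original thread and is not KTorrent's code: rejecting `..` in the path of a multifile torrent entry, and rejecting a have message whose chunk index is out of range. The names `isSafeTorrentPath`, `PeerChunks` and `onHave` are hypothetical; the example assumes the entry path arrives as a list of components and the have payload as a 4-byte big-endian index.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical check (not KTorrent's code): a multifile torrent lists each
// file as a sequence of path components. Accept the entry only if no
// component can step out of, or re-root, the download directory.
bool isSafeTorrentPath(const std::vector<std::string>& components) {
    if (components.empty()) return false;
    for (const std::string& c : components) {
        if (c.empty() || c == "." || c == "..") return false;
        // A separator or NUL inside one component could smuggle in "../".
        if (c.find('/') != std::string::npos ||
            c.find('\0') != std::string::npos) return false;
    }
    return true;
}

// Hypothetical per-peer state: one flag for each chunk of the torrent.
struct PeerChunks {
    std::vector<bool> have;
    explicit PeerChunks(std::size_t numChunks) : have(numChunks, false) {}

    // Payload of a "have" message: a 4-byte big-endian chunk index.
    // Returns false and changes nothing when the index is out of range.
    bool onHave(const unsigned char payload[4]) {
        std::uint32_t idx = (std::uint32_t(payload[0]) << 24) |
                            (std::uint32_t(payload[1]) << 16) |
                            (std::uint32_t(payload[2]) << 8) |
                            std::uint32_t(payload[3]);
        if (idx >= have.size()) return false;  // bogus index: reject
        have[idx] = true;
        return true;
    }
};

int main() {
    // Constructed inputs: the entry from the post, split into components.
    std::cout << isSafeTorrentPath({"..", "..", "foo", "bar", "avi"}) << "\n";
    std::cout << isSafeTorrentPath({"foo", "bar.avi"}) << "\n";
    PeerChunks peer(100);  // constructed: a torrent with 100 chunks
    const unsigned char bogus[4] = {0xFF, 0xFF, 0xFF, 0xFF};
    const unsigned char valid[4] = {0, 0, 0, 42};
    std::cout << peer.onHave(bogus) << peer.onHave(valid) << "\n";
    return 0;
}
```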
jdong



Joined: 18 Sep 2006
Posts: 201

Posted: Fri Mar 09, 2007 8:51 pm

The first bug is much more concerning than the second (I too am no hacker), but one can more or less brute-force #1 to install bashrc's with bogus paths... and on a 100-file torrent people will not look thru all the files :)


In any case, 2.1.2 candidate packages are up for review in Feisty, I am currently cranking out Edgy and Dapper variants of them, expect packages in about 30 minutes.
jdong



Joined: 18 Sep 2006
Posts: 201

Posted: Fri Mar 09, 2007 9:11 pm

Edgy:
http://buntudot.org/people/~jdong/ktorrent/2.1.2/edgy/ktorrent_2.1.2-0ubuntu1~6.10prevu1_i386.deb

Dapper:
http://buntudot.org/people/~jdong/ktorrent/2.1.2/dapper/ktorrent_2.1.2-0ubuntu1~6.06prevu1_i386.deb
KVV



Joined: 10 Mar 2007
Posts: 1

Posted: Sat Mar 10, 2007 11:35 am

I don't like that in the new KTorrent version you removed the Downloads | Uploads | Search!
They were very cool... but now... with this section Groups... bad :(
I'm still with 2.0.3 and I will now upgrade...
Please, just make a plugin that enables these tabs!
Now ktorrent is ugly!
George
Site Admin


Joined: 19 Sep 2005
Posts: 2153

Posted: Sat Mar 10, 2007 11:40 am

That has already been addressed in the SVN version.
jdong



Joined: 18 Sep 2006
Posts: 201

Posted: Tue Mar 13, 2007 3:37 am

Ok, update on the Ubuntu packaging situation:

(1) Kubuntu and Ubuntu leaders are not interested in the 2.1.1 or 2.1.2 bugfix releases being in Feisty, because of the magnitude of changes

(2) The 2.1.2 security fixes have been backported for every Ubuntu release from breezy to feisty! So users are safe in the security sense.

(3) Edgy and Dapper users can use the packages I posted above if they really want a 2.1.2.

(4) Feisty will get 2.1.2 from me when the development slows down a bit (i.e. Beta or RC release)

(5) When Feisty+1's development repositories open (like a week after Feisty's release), I will begin the backporting process of official 2.1.2 packages.