From: Leo Famulari
To: guix-patches@gnu.org
Subject: [PATCH] gnu: transmission: Fix a DNS rebinding vulnerability that allows RCE.
Date: Thu, 11 Jan 2018 15:20:48 -0800

As the patch commentary says, I adapted this patch to apply to the latest Transmission release. However, there is a new test failure with these changes, so I'm waiting for advice:

https://github.com/transmission/transmission/pull/468#issuecomment-357091126

* gnu/packages/patches/transmission-fix-dns-rebinding-vuln.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/bittorrent.scm (transmission)[source]: Use it.
--- gnu/local.mk | 1 + gnu/packages/bittorrent.scm | 1 + .../transmission-fix-dns-rebinding-vuln.patch | 302 +++++++++++++++++++++ 3 files changed, 304 insertions(+) create mode 100644 gnu/packages/patches/transmission-fix-dns-rebinding-vuln.patch diff --git a/gnu/local.mk b/gnu/local.mk index eec46af0d..c77c446ee 100644 --- a/gnu/local.mk +++ b/gnu/local.mk 
@@ -1107,6 +1107,7 @@ dist_patch_DATA = \ %D%/packages/patches/tipp10-fix-compiling.patch \ %D%/packages/patches/tipp10-remove-license-code.patch \ %D%/packages/patches/tk-find-library.patch \ + %D%/packages/patches/transmission-fix-dns-rebinding-vuln.patch \ %D%/packages/patches/ttf2eot-cstddef.patch \ %D%/packages/patches/ttfautohint-source-date-epoch.patch \ %D%/packages/patches/tophat-build-with-later-seqan.patch \ diff --git a/gnu/packages/bittorrent.scm b/gnu/packages/bittorrent.scm index eca064620..800a42eea 100644 --- a/gnu/packages/bittorrent.scm +++ b/gnu/packages/bittorrent.scm @@ -66,6 +66,7 @@ (uri (string-append "https://transmission.cachefly.net/transmission-" version ".tar.xz")) + (patches (search-patches "transmission-fix-dns-rebinding-vuln.patch")) (sha256 (base32 "0pykmhi7pdmzq47glbj8i2im6iarp4wnj4l1pyvsrnba61f0939s")))) diff --git a/gnu/packages/patches/transmission-fix-dns-rebinding-vuln.patch b/gnu/packages/patches/transmission-fix-dns-rebinding-vuln.patch new file mode 100644 index 000000000..5c3b6d165 --- /dev/null +++ b/gnu/packages/patches/transmission-fix-dns-rebinding-vuln.patch 
@@ -0,0 +1,302 @@ +Fix a weakness that allows remote code execution via the Transmission +RPC server using DNS rebinding: + +https://bugs.chromium.org/p/project-zero/issues/detail?id=1447 + +Patch adapted from Tavis Ormandy's patch on the Transmission master +branch to the Transmission 2.92 release by Leo Famulari +: + +https://github.com/transmission/transmission/pull/468/commits + +From fe2d3c6e75088f3d9b6040ce06da3d530358bc2f Mon Sep 17 00:00:00 2001 +From: Tavis Ormandy +Date: Thu, 11 Jan 2018 10:00:41 -0800 +Subject: [PATCH] mitigate dns rebinding attacks against daemon + +--- + libtransmission/quark.c | 2 + + libtransmission/quark.h | 2 + + libtransmission/rpc-server.c | 116 +++++++++++++++++++++++++++++++++++++---- + libtransmission/rpc-server.h | 4 ++ + libtransmission/session.c | 2 + + libtransmission/transmission.h | 1 + + libtransmission/web.c | 3 ++ + 7 files changed, 121 insertions(+), 9 deletions(-) + +diff --git a/libtransmission/quark.c b/libtransmission/quark.c +index 30cc2bca4..6de4bc221 100644 +--- a/libtransmission/quark.c ++++ b/libtransmission/quark.c +@@ -297,6 +297,8 @@ static const struct tr_key_struct my_static[] = + { "rpc-version-minimum", 19 }, + { "rpc-whitelist", 13 }, + { "rpc-whitelist-enabled", 21 }, ++ { "rpc-host-whitelist", 18 }, ++ { "rpc-host-whitelist-enabled", 26 }, + { "scrape", 6 }, + { "scrape-paused-torrents-enabled", 30 }, + { "scrapeState", 11 }, +diff --git a/libtransmission/quark.h b/libtransmission/quark.h +index 7f5212733..21723dea9 100644 +--- a/libtransmission/quark.h ++++ b/libtransmission/quark.h +@@ -299,6 +299,8 @@ enum + TR_KEY_rpc_version_minimum, + TR_KEY_rpc_whitelist, + TR_KEY_rpc_whitelist_enabled, ++ TR_KEY_rpc_host_whitelist, ++ TR_KEY_rpc_host_whitelist_enabled, + TR_KEY_scrape, + TR_KEY_scrape_paused_torrents_enabled, + TR_KEY_scrapeState, +diff --git a/libtransmission/rpc-server.c b/libtransmission/rpc-server.c +index a3485f3fa..a048dc8aa 100644 +--- a/libtransmission/rpc-server.c ++++ 
b/libtransmission/rpc-server.c +@@ -52,6 +52,7 @@ struct tr_rpc_server + bool isEnabled; + bool isPasswordEnabled; + bool isWhitelistEnabled; ++ bool isHostWhitelistEnabled; + tr_port port; + char * url; + struct in_addr bindAddress; +@@ -63,6 +64,7 @@ struct tr_rpc_server + char * password; + char * whitelistStr; + tr_list * whitelist; ++ tr_list * hostWhitelist; + + char * sessionId; + time_t sessionIdExpiresAt; +@@ -588,6 +590,49 @@ isAddressAllowed (const tr_rpc_server * server, const char * address) + return false; + } + ++static bool isHostnameAllowed(tr_rpc_server const* server, struct evhttp_request* req) ++{ ++ /* If password auth is enabled, any hostname is permitted. */ ++ if (server->isPasswordEnabled) ++ { ++ return true; ++ } ++ ++ char const* const host = evhttp_find_header(req->input_headers, "Host"); ++ ++ /* No host header, invalid request. */ ++ if (host == NULL) ++ { ++ return false; ++ } ++ ++ /* Host header might include the port. */ ++ char* const hostname = tr_strndup(host, strcspn(host, ":")); ++ ++ /* localhost or ipaddress is always acceptable. */ ++ if (strcmp(hostname, "localhost") == 0 || strcmp(hostname, "localhost.") == 0 || tr_addressIsIP(hostname)) ++ { ++ tr_free(hostname); ++ return true; ++ } ++ ++ /* Otherwise, hostname must be whitelisted. */ ++ if (server->isHostWhitelistEnabled) ++ { ++ for (tr_list* l = server->hostWhitelist; l != NULL; l = l->next) ++ { ++ if (tr_wildmat(hostname, l->data)) ++ { ++ tr_free(hostname); ++ return true; ++ } ++ } ++ } ++ ++ tr_free(hostname); ++ return false; ++} ++ + static bool + test_session_id (struct tr_rpc_server * server, struct evhttp_request * req) + { +@@ -663,6 +708,23 @@ handle_request (struct evhttp_request * req, void * arg) + handle_upload (req, server); + } + #ifdef REQUIRE_SESSION_ID ++ else if (!isHostnameAllowed(server, req)) ++ { ++ char* tmp = tr_strdup_printf( ++ "

Transmission received your request, but the hostname was unrecognized.

" ++ "

To fix this, choose one of the following options:" ++ "

    " ++ "
  • Enable password authentication, then any hostname is allowed.
  • " ++ "
  • Add the hostname you want to use to the whitelist in settings.
  • " ++ "

" ++ "

If you're editing settings.json, see the 'rpc-host-whitelist' and 'rpc-host-whitelist-enabled' entries.

" ++ "

This requirement has been added to help prevent " ++ "DNS Rebinding " ++ "attacks.

"); ++ send_simple_response(req, 421, tmp); ++ tr_free(tmp); ++ } ++ + else if (!test_session_id (server, req)) + { + const char * sessionId = get_current_session_id (server); +@@ -674,7 +736,7 @@ handle_request (struct evhttp_request * req, void * arg) + "
  • When you get this 409 error message, resend your request with the updated header" + "

    " + "

    This requirement has been added to help prevent " +- "CSRF " ++ "CSRF " + "attacks.

    " + "

    %s: %s

    ", + TR_RPC_SESSION_ID_HEADER, sessionId); +@@ -875,19 +937,14 @@ tr_rpcGetUrl (const tr_rpc_server * server) + return server->url ? server->url : ""; + } + +-void +-tr_rpcSetWhitelist (tr_rpc_server * server, const char * whitelistStr) ++static void ++tr_rpcSetList (char const* whitelistStr, tr_list** list) + { + void * tmp; + const char * walk; + +- /* keep the string */ +- tmp = server->whitelistStr; +- server->whitelistStr = tr_strdup (whitelistStr); +- tr_free (tmp); +- + /* clear out the old whitelist entries */ +- while ((tmp = tr_list_pop_front (&server->whitelist))) ++ while ((tmp = tr_list_pop_front (list)) != NULL) + tr_free (tmp); + + /* build the new whitelist entries */ +@@ -896,7 +953,7 @@ tr_rpcSetWhitelist (tr_rpc_server * server, const char * whitelistStr) + const char * delimiters = " ,;"; + const size_t len = strcspn (walk, delimiters); + char * token = tr_strndup (walk, len); +- tr_list_append (&server->whitelist, token); ++ tr_list_append (list, token); + if (strcspn (token, "+-") < len) + tr_logAddNamedInfo (MY_NAME, "Adding address to whitelist: %s (And it has a '+' or '-'! 
Are you using an old ACL by mistake?)", token); + else +@@ -909,6 +966,21 @@ tr_rpcSetWhitelist (tr_rpc_server * server, const char * whitelistStr) + } + } + ++void tr_rpcSetHostWhitelist(tr_rpc_server* server, char const* whitelistStr) ++{ ++ tr_rpcSetList(whitelistStr, &server->hostWhitelist); ++} ++ ++void tr_rpcSetWhitelist(tr_rpc_server* server, char const* whitelistStr) ++{ ++ /* keep the string */ ++ char* const tmp = server->whitelistStr; ++ server->whitelistStr = tr_strdup(whitelistStr); ++ tr_free(tmp); ++ ++ tr_rpcSetList(whitelistStr, &server->whitelist); ++} ++ + const char* + tr_rpcGetWhitelist (const tr_rpc_server * server) + { +@@ -930,6 +1002,11 @@ tr_rpcGetWhitelistEnabled (const tr_rpc_server * server) + return server->isWhitelistEnabled; + } + ++void tr_rpcSetHostWhitelistEnabled(tr_rpc_server* server, bool isEnabled) ++{ ++ server->isHostWhitelistEnabled = isEnabled; ++} ++ + /**** + ***** PASSWORD + ****/ +@@ -1063,6 +1140,28 @@ tr_rpcInit (tr_session * session, tr_variant * settings) + else + tr_rpcSetWhitelistEnabled (s, boolVal); + ++ key = TR_KEY_rpc_host_whitelist_enabled; ++ ++ if (!tr_variantDictFindBool(settings, key, &boolVal)) ++ { ++ missing_settings_key(key); ++ } ++ else ++ { ++ tr_rpcSetHostWhitelistEnabled(s, boolVal); ++ } ++ ++ key = TR_KEY_rpc_host_whitelist; ++ ++ if (!tr_variantDictFindStr(settings, key, &str, NULL) && str != NULL) ++ { ++ missing_settings_key(key); ++ } ++ else ++ { ++ tr_rpcSetHostWhitelist(s, str); ++ } ++ + key = TR_KEY_rpc_authentication_required; + if (!tr_variantDictFindBool (settings, key, &boolVal)) + missing_settings_key (key); +diff --git a/libtransmission/rpc-server.h b/libtransmission/rpc-server.h +index e0302c5ea..8c9e6b24e 100644 +--- a/libtransmission/rpc-server.h ++++ b/libtransmission/rpc-server.h +@@ -49,6 +49,10 @@ void tr_rpcSetWhitelist (tr_rpc_server * server, + + const char* tr_rpcGetWhitelist (const tr_rpc_server * server); + ++void tr_rpcSetHostWhitelistEnabled(tr_rpc_server* 
server, bool isEnabled); ++ ++void tr_rpcSetHostWhitelist(tr_rpc_server* server, char const* whitelist); ++ + void tr_rpcSetPassword (tr_rpc_server * server, + const char * password); + +diff --git a/libtransmission/session.c b/libtransmission/session.c +index 844cadba8..58b717913 100644 +--- a/libtransmission/session.c ++++ b/libtransmission/session.c +@@ -359,6 +359,8 @@ tr_sessionGetDefaultSettings (tr_variant * d) + tr_variantDictAddStr (d, TR_KEY_rpc_username, ""); + tr_variantDictAddStr (d, TR_KEY_rpc_whitelist, TR_DEFAULT_RPC_WHITELIST); + tr_variantDictAddBool (d, TR_KEY_rpc_whitelist_enabled, true); ++ tr_variantDictAddStr(d, TR_KEY_rpc_host_whitelist, TR_DEFAULT_RPC_HOST_WHITELIST); ++ tr_variantDictAddBool(d, TR_KEY_rpc_host_whitelist_enabled, true); + tr_variantDictAddInt (d, TR_KEY_rpc_port, atoi (TR_DEFAULT_RPC_PORT_STR)); + tr_variantDictAddStr (d, TR_KEY_rpc_url, TR_DEFAULT_RPC_URL_STR); + tr_variantDictAddBool (d, TR_KEY_scrape_paused_torrents_enabled, true); +diff --git a/libtransmission/transmission.h b/libtransmission/transmission.h +index 4f76adfd6..e213a8f4e 100644 +--- a/libtransmission/transmission.h ++++ b/libtransmission/transmission.h +@@ -123,6 +123,7 @@ const char* tr_getDefaultDownloadDir (void); + #define TR_DEFAULT_BIND_ADDRESS_IPV4 "0.0.0.0" + #define TR_DEFAULT_BIND_ADDRESS_IPV6 "::" + #define TR_DEFAULT_RPC_WHITELIST "127.0.0.1" ++#define TR_DEFAULT_RPC_HOST_WHITELIST "" + #define TR_DEFAULT_RPC_PORT_STR "9091" + #define TR_DEFAULT_RPC_URL_STR "/transmission/" + #define TR_DEFAULT_PEER_PORT_STR "51413" +diff --git a/libtransmission/web.c b/libtransmission/web.c +index ee495e9fc..c7f062730 100644 +--- a/libtransmission/web.c ++++ b/libtransmission/web.c +@@ -594,6 +594,7 @@ tr_webGetResponseStr (long code) + case 415: return "Unsupported Media Type"; + case 416: return "Requested Range Not Satisfiable"; + case 417: return "Expectation Failed"; ++ case 421: return "Misdirected Request"; + case 500: return "Internal Server Error"; + 
case 501: return "Not Implemented"; + case 502: return "Bad Gateway"; -- 2.15.1
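Review bot: In the libtransmission/quark.c hunk, "rpc-host-whitelist" and "rpc-host-whitelist-enabled" are inserted after "rpc-whitelist-enabled", but the context lines around them are in alphabetical order and "rpc-host-whitelist" sorts before "rpc-version-minimum". If key lookup depends on the table being sorted, the two new keys will not be found. Move both entries up to their sorted position; the quark.h hunk inserts TR_KEY_rpc_host_whitelist and TR_KEY_rpc_host_whitelist_enabled at the same spot, so the enumerators need to move with them.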
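Review bot: In isHostnameAllowed(), the whitelist loop is wrapped in "if (server->isHostWhitelistEnabled)", so with rpc-host-whitelist-enabled set to false the function falls through to "return false" for every Host value other than localhost or an IP literal. Turning the setting off therefore makes the check stricter rather than disabling it. If the setting is meant to switch the check off, return true early when isHostWhitelistEnabled is false and leave the loop unconditional; if the stricter behaviour is intended, say so in a comment and in the 421 message.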
From: Leo Famulari
To: 30082@debbugs.gnu.org
Subject: [v2] gnu: transmission: Fix a DNS rebinding vulnerability that allows RCE.
Date: Thu, 11 Jan 2018 15:39:17 -0800

* gnu/packages/patches/transmission-fix-dns-rebinding-vuln.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/bittorrent.scm (transmission)[source]: Use it.
--- gnu/local.mk | 1 + gnu/packages/bittorrent.scm | 1 + .../transmission-fix-dns-rebinding-vuln.patch | 302 +++++++++++++++++++++ 3 files changed, 304 insertions(+) create mode 100644 gnu/packages/patches/transmission-fix-dns-rebinding-vuln.patch diff --git a/gnu/local.mk b/gnu/local.mk index eec46af0d..c77c446ee 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1107,6 +1107,7 @@ dist_patch_DATA = \ %D%/packages/patches/tipp10-fix-compiling.patch \ %D%/packages/patches/tipp10-remove-license-code.patch \ %D%/packages/patches/tk-find-library.patch \ + %D%/packages/patches/transmission-fix-dns-rebinding-vuln.patch \ %D%/packages/patches/ttf2eot-cstddef.patch \ %D%/packages/patches/ttfautohint-source-date-epoch.patch \ %D%/packages/patches/tophat-build-with-later-seqan.patch \ diff --git a/gnu/packages/bittorrent.scm b/gnu/packages/bittorrent.scm index eca064620..800a42eea 100644 --- a/gnu/packages/bittorrent.scm +++ b/gnu/packages/bittorrent.scm 
@@ -66,6 +66,7 @@ (uri (string-append "https://transmission.cachefly.net/transmission-" version ".tar.xz")) + (patches (search-patches "transmission-fix-dns-rebinding-vuln.patch")) (sha256 (base32 "0pykmhi7pdmzq47glbj8i2im6iarp4wnj4l1pyvsrnba61f0939s")))) diff --git a/gnu/packages/patches/transmission-fix-dns-rebinding-vuln.patch b/gnu/packages/patches/transmission-fix-dns-rebinding-vuln.patch new file mode 100644 index 000000000..a3a0cf160 --- /dev/null +++ b/gnu/packages/patches/transmission-fix-dns-rebinding-vuln.patch 
@@ -0,0 +1,302 @@ +Fix a weakness that allows remote code execution via the Transmission +RPC server using DNS rebinding: + +https://bugs.chromium.org/p/project-zero/issues/detail?id=1447 + +Patch adapted from Tavis Ormandy's patch on the Transmission master +branch to the Transmission 2.92 release by Leo Famulari +: + +https://github.com/transmission/transmission/pull/468/commits + +From fe2d3c6e75088f3d9b6040ce06da3d530358bc2f Mon Sep 17 00:00:00 2001 +From: Tavis Ormandy +Date: Thu, 11 Jan 2018 10:00:41 -0800 +Subject: [PATCH] mitigate dns rebinding attacks against daemon + +--- + libtransmission/quark.c | 2 + + libtransmission/quark.h | 2 + + libtransmission/rpc-server.c | 116 +++++++++++++++++++++++++++++++++++++---- + libtransmission/rpc-server.h | 4 ++ + libtransmission/session.c | 2 + + libtransmission/transmission.h | 1 + + libtransmission/web.c | 3 ++ + 7 files changed, 121 insertions(+), 9 deletions(-) + +diff --git a/libtransmission/quark.c b/libtransmission/quark.c +index 30cc2bca4..b4fd7aabd 100644 +--- a/libtransmission/quark.c ++++ b/libtransmission/quark.c +@@ -289,6 +289,8 @@ static const struct tr_key_struct my_static[] = + { "rpc-authentication-required", 27 }, + { "rpc-bind-address", 16 }, + { "rpc-enabled", 11 }, ++ { "rpc-host-whitelist", 18 }, ++ { "rpc-host-whitelist-enabled", 26 }, + { "rpc-password", 12 }, + { "rpc-port", 8 }, + { "rpc-url", 7 }, +diff --git a/libtransmission/quark.h b/libtransmission/quark.h +index 7f5212733..17464be8f 100644 +--- a/libtransmission/quark.h ++++ b/libtransmission/quark.h +@@ -291,6 +291,8 @@ enum + TR_KEY_rpc_authentication_required, + TR_KEY_rpc_bind_address, + TR_KEY_rpc_enabled, ++ TR_KEY_rpc_host_whitelist, ++ TR_KEY_rpc_host_whitelist_enabled, + TR_KEY_rpc_password, + TR_KEY_rpc_port, + TR_KEY_rpc_url, +diff --git a/libtransmission/rpc-server.c b/libtransmission/rpc-server.c +index a3485f3fa..292cd5fce 100644 +--- a/libtransmission/rpc-server.c ++++ b/libtransmission/rpc-server.c +@@ -52,6 +52,7 @@ 
struct tr_rpc_server + bool isEnabled; + bool isPasswordEnabled; + bool isWhitelistEnabled; ++ bool isHostWhitelistEnabled; + tr_port port; + char * url; + struct in_addr bindAddress; +@@ -63,6 +64,7 @@ struct tr_rpc_server + char * password; + char * whitelistStr; + tr_list * whitelist; ++ tr_list * hostWhitelist; + + char * sessionId; + time_t sessionIdExpiresAt; +@@ -588,6 +590,49 @@ isAddressAllowed (const tr_rpc_server * server, const char * address) + return false; + } + ++static bool isHostnameAllowed(tr_rpc_server const* server, struct evhttp_request* req) ++{ ++ /* If password auth is enabled, any hostname is permitted. */ ++ if (server->isPasswordEnabled) ++ { ++ return true; ++ } ++ ++ char const* const host = evhttp_find_header(req->input_headers, "Host"); ++ ++ // If whitelist is disabled, no restrictions. ++ if (!server->isHostWhitelistEnabled) ++ return true; ++ ++ /* No host header, invalid request. */ ++ if (host == NULL) ++ { ++ return false; ++ } ++ ++ /* Host header might include the port. */ ++ char* const hostname = tr_strndup(host, strcspn(host, ":")); ++ ++ /* localhost or ipaddress is always acceptable. */ ++ if (strcmp(hostname, "localhost") == 0 || strcmp(hostname, "localhost.") == 0 || tr_addressIsIP(hostname)) ++ { ++ tr_free(hostname); ++ return true; ++ } ++ ++ /* Otherwise, hostname must be whitelisted. */ ++ for (tr_list* l = server->hostWhitelist; l != NULL; l = l->next) { ++ if (tr_wildmat(hostname, l->data)) ++ { ++ tr_free(hostname); ++ return true; ++ } ++ } ++ ++ tr_free(hostname); ++ return false; ++} ++ + static bool + test_session_id (struct tr_rpc_server * server, struct evhttp_request * req) + { +@@ -663,6 +708,23 @@ handle_request (struct evhttp_request * req, void * arg) + handle_upload (req, server); + } + #ifdef REQUIRE_SESSION_ID ++ else if (!isHostnameAllowed(server, req)) ++ { ++ char* tmp = tr_strdup_printf( ++ "

    Transmission received your request, but the hostname was unrecognized.

    " ++ "

    To fix this, choose one of the following options:" ++ "

      " ++ "
    • Enable password authentication, then any hostname is allowed.
    • " ++ "
    • Add the hostname you want to use to the whitelist in settings.
    • " ++ "

    " ++ "

    If you're editing settings.json, see the 'rpc-host-whitelist' and 'rpc-host-whitelist-enabled' entries.

    " ++ "

    This requirement has been added to help prevent " ++ "DNS Rebinding " ++ "attacks.

    "); ++ send_simple_response(req, 421, tmp); ++ tr_free(tmp); ++ } ++ + else if (!test_session_id (server, req)) + { + const char * sessionId = get_current_session_id (server); +@@ -674,7 +736,7 @@ handle_request (struct evhttp_request * req, void * arg) + "
  • When you get this 409 error message, resend your request with the updated header" + "

    " + "

    This requirement has been added to help prevent " +- "CSRF " ++ "CSRF " + "attacks.

    " + "

    %s: %s

    ", + TR_RPC_SESSION_ID_HEADER, sessionId); +@@ -875,19 +937,14 @@ tr_rpcGetUrl (const tr_rpc_server * server) + return server->url ? server->url : ""; + } + +-void +-tr_rpcSetWhitelist (tr_rpc_server * server, const char * whitelistStr) ++static void ++tr_rpcSetList (char const* whitelistStr, tr_list** list) + { + void * tmp; + const char * walk; + +- /* keep the string */ +- tmp = server->whitelistStr; +- server->whitelistStr = tr_strdup (whitelistStr); +- tr_free (tmp); +- + /* clear out the old whitelist entries */ +- while ((tmp = tr_list_pop_front (&server->whitelist))) ++ while ((tmp = tr_list_pop_front (list)) != NULL) + tr_free (tmp); + + /* build the new whitelist entries */ +@@ -896,7 +953,7 @@ tr_rpcSetWhitelist (tr_rpc_server * server, const char * whitelistStr) + const char * delimiters = " ,;"; + const size_t len = strcspn (walk, delimiters); + char * token = tr_strndup (walk, len); +- tr_list_append (&server->whitelist, token); ++ tr_list_append (list, token); + if (strcspn (token, "+-") < len) + tr_logAddNamedInfo (MY_NAME, "Adding address to whitelist: %s (And it has a '+' or '-'! 
Are you using an old ACL by mistake?)", token); + else +@@ -909,6 +966,21 @@ tr_rpcSetWhitelist (tr_rpc_server * server, const char * whitelistStr) + } + } + ++void tr_rpcSetHostWhitelist(tr_rpc_server* server, char const* whitelistStr) ++{ ++ tr_rpcSetList(whitelistStr, &server->hostWhitelist); ++} ++ ++void tr_rpcSetWhitelist(tr_rpc_server* server, char const* whitelistStr) ++{ ++ /* keep the string */ ++ char* const tmp = server->whitelistStr; ++ server->whitelistStr = tr_strdup(whitelistStr); ++ tr_free(tmp); ++ ++ tr_rpcSetList(whitelistStr, &server->whitelist); ++} ++ + const char* + tr_rpcGetWhitelist (const tr_rpc_server * server) + { +@@ -930,6 +1002,11 @@ tr_rpcGetWhitelistEnabled (const tr_rpc_server * server) + return server->isWhitelistEnabled; + } + ++void tr_rpcSetHostWhitelistEnabled(tr_rpc_server* server, bool isEnabled) ++{ ++ server->isHostWhitelistEnabled = isEnabled; ++} ++ + /**** + ***** PASSWORD + ****/ +@@ -1063,6 +1140,28 @@ tr_rpcInit (tr_session * session, tr_variant * settings) + else + tr_rpcSetWhitelistEnabled (s, boolVal); + ++ key = TR_KEY_rpc_host_whitelist_enabled; ++ ++ if (!tr_variantDictFindBool(settings, key, &boolVal)) ++ { ++ missing_settings_key(key); ++ } ++ else ++ { ++ tr_rpcSetHostWhitelistEnabled(s, boolVal); ++ } ++ ++ key = TR_KEY_rpc_host_whitelist; ++ ++ if (!tr_variantDictFindStr(settings, key, &str, NULL) && str != NULL) ++ { ++ missing_settings_key(key); ++ } ++ else ++ { ++ tr_rpcSetHostWhitelist(s, str); ++ } ++ + key = TR_KEY_rpc_authentication_required; + if (!tr_variantDictFindBool (settings, key, &boolVal)) + missing_settings_key (key); +diff --git a/libtransmission/rpc-server.h b/libtransmission/rpc-server.h +index e0302c5ea..8c9e6b24e 100644 +--- a/libtransmission/rpc-server.h ++++ b/libtransmission/rpc-server.h +@@ -49,6 +49,10 @@ void tr_rpcSetWhitelist (tr_rpc_server * server, + + const char* tr_rpcGetWhitelist (const tr_rpc_server * server); + ++void tr_rpcSetHostWhitelistEnabled(tr_rpc_server* 
server, bool isEnabled); ++ ++void tr_rpcSetHostWhitelist(tr_rpc_server* server, char const* whitelist); ++ + void tr_rpcSetPassword (tr_rpc_server * server, + const char * password); + +diff --git a/libtransmission/session.c b/libtransmission/session.c +index 844cadba8..58b717913 100644 +--- a/libtransmission/session.c ++++ b/libtransmission/session.c +@@ -359,6 +359,8 @@ tr_sessionGetDefaultSettings (tr_variant * d) + tr_variantDictAddStr (d, TR_KEY_rpc_username, ""); + tr_variantDictAddStr (d, TR_KEY_rpc_whitelist, TR_DEFAULT_RPC_WHITELIST); + tr_variantDictAddBool (d, TR_KEY_rpc_whitelist_enabled, true); ++ tr_variantDictAddStr(d, TR_KEY_rpc_host_whitelist, TR_DEFAULT_RPC_HOST_WHITELIST); ++ tr_variantDictAddBool(d, TR_KEY_rpc_host_whitelist_enabled, true); + tr_variantDictAddInt (d, TR_KEY_rpc_port, atoi (TR_DEFAULT_RPC_PORT_STR)); + tr_variantDictAddStr (d, TR_KEY_rpc_url, TR_DEFAULT_RPC_URL_STR); + tr_variantDictAddBool (d, TR_KEY_scrape_paused_torrents_enabled, true); +diff --git a/libtransmission/transmission.h b/libtransmission/transmission.h +index 4f76adfd6..e213a8f4e 100644 +--- a/libtransmission/transmission.h ++++ b/libtransmission/transmission.h +@@ -123,6 +123,7 @@ const char* tr_getDefaultDownloadDir (void); + #define TR_DEFAULT_BIND_ADDRESS_IPV4 "0.0.0.0" + #define TR_DEFAULT_BIND_ADDRESS_IPV6 "::" + #define TR_DEFAULT_RPC_WHITELIST "127.0.0.1" ++#define TR_DEFAULT_RPC_HOST_WHITELIST "" + #define TR_DEFAULT_RPC_PORT_STR "9091" + #define TR_DEFAULT_RPC_URL_STR "/transmission/" + #define TR_DEFAULT_PEER_PORT_STR "51413" +diff --git a/libtransmission/web.c b/libtransmission/web.c +index ee495e9fc..c7f062730 100644 +--- a/libtransmission/web.c ++++ b/libtransmission/web.c +@@ -594,6 +594,7 @@ tr_webGetResponseStr (long code) + case 415: return "Unsupported Media Type"; + case 416: return "Requested Range Not Satisfiable"; + case 417: return "Expectation Failed"; ++ case 421: return "Misdirected Request"; + case 500: return "Internal Server Error"; + 
case 501: return "Not Implemented"; + case 502: return "Bad Gateway"; -- 2.15.1 From debbugs-submit-bounces@debbugs.gnu.org Thu Jan 11 18:54:47 2018 Received: (at 30082) by debbugs.gnu.org; 11 Jan 2018 23:54:47 +0000 Received: from localhost ([127.0.0.1]:52701 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1eZmgJ-0001Kp-EM for submit@debbugs.gnu.org; Thu, 11 Jan 2018 18:54:47 -0500 Received: from out3-smtp.messagingengine.com ([66.111.4.27]:35261) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1eZmgF-0001Ke-4k for 30082@debbugs.gnu.org; Thu, 11 Jan 2018 18:54:45 -0500 Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.nyi.internal (Postfix) with ESMTP id BB2A520BCF; Thu, 11 Jan 2018 18:54:42 -0500 (EST) Received: from frontend1 ([10.202.2.160]) by compute5.internal (MEProxy); Thu, 11 Jan 2018 18:54:42 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastmail.com; h= content-type:date:from:in-reply-to:message-id:mime-version :references:subject:to:x-me-sender:x-me-sender:x-sasl-enc; s= fm1; bh=UjW8Wuq99QJvytN+C4Bdoy1bKDpGNWsGte/vIREKci0=; b=wTVVJ/nd Ch4p8n/V/njAwiNPJETUQq09Cy5ye9Ymzrbd4I/xV5yfx6AEyYIXBo2tzywPx/Lz r/yML+QLseXduKnL86u0gVITBV6q0dPEGfea9FaQFj3MFlDaUcF2Yn+gBL2W6pen GMLvGkpdqx6DatmQyLjozKT2wdGC7YySs9EJxa801vjlN27/g20pl6c4Qq+KXlkJ 8if4xvv+v+NmdLEeq78NXwlOeLmHlFFYD/nUl1syUti4AdyasxmT/KpV9cs70pFX pLF6LF1wJPzFhhrTPdqwoIiEJ+EQ064pY8yYDL/WbFqtuifSEGcO+VLQ1EWCQfik 2qRqoIUfMVqA9A== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-sender :x-me-sender:x-sasl-enc; s=fm1; bh=UjW8Wuq99QJvytN+C4Bdoy1bKDpGN WsGte/vIREKci0=; b=XS+AQgtAM4i0G+kXU5fIM4lt8gtQM8F7zPX9JW/L0p+Xo 4ALoimLSaZEo+LICb0iHc1GsMjyWZW3ACdq4wDubSi0oZjncjYx/6/YFgun5yd4k mJ4ZjqmhwM9KyfLnW22fZOUw59WTgRdfsp97J6rcIFHrIjFCNmLW96Ir3hAxQKJz 

From: Marius Bakke
To: Leo Famulari, 30082@debbugs.gnu.org
Subject: Re: [bug#30082] [v2] gnu: transmission: Fix a DNS rebinding vulnerability that allows RCE.
Date: Fri, 12 Jan 2018 00:54:31 +0100

Leo Famulari writes:

> * gnu/packages/patches/transmission-fix-dns-rebinding-vuln.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/bittorrent.scm (transmission)[source]: Use it.

Holy! LGTM, and thanks a lot for this extremely quick fix.

Date: Fri, 12 Jan 2018 10:14:56 -0800
From: Leo Famulari
To: Marius Bakke
Cc: 30082-done@debbugs.gnu.org
Subject: Re: [bug#30082] [v2] gnu: transmission: Fix a DNS rebinding vulnerability that allows RCE.

On Fri, Jan 12, 2018 at 12:54:31AM +0100, Marius Bakke wrote:
> Leo Famulari writes:
>
> > * gnu/packages/patches/transmission-fix-dns-rebinding-vuln.patch: New file.
> > * gnu/local.mk (dist_patch_DATA): Add it.
> > * gnu/packages/bittorrent.scm (transmission)[source]: Use it.
>
> Holy! LGTM, and thanks a lot for this extremely quick fix.

Pushed as 6b433caed2c86bf41acfa65dd507292e8a0ab2ac

From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Date: Sat, 10 Feb 2018 12:24:04 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator