Transmission BT File Path Name Directory Traversal Vulnerability (2010-01-20)

(2010-01-20 09:49:00) System Administrator

   

Published: 2010-01-04
Updated: 2010-01-19

Affected systems:

    Transmission Project Transmission 1.76
    Transmission Project Transmission 1.75
    Transmission Project Transmission 1.34
    Transmission Project Transmission 1.22

Unaffected systems:

    Transmission Project Transmission 1.77

Description:
BUGTRAQ ID: 37659
CVE ID: CVE-2010-0012

Transmission is a free BitTorrent client.

Transmission's libtransmission/metainfo.c contains a directory traversal vulnerability: the file path names carried in a .torrent file's metainfo are used to build the download destination without being checked for traversal sequences such as "..". A user who is tricked into opening a crafted .torrent file can therefore have files written outside the download directory, overwriting any file that the Transmission process has permission to write.
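The following is an added illustration for this page, not Transmission's own code or its 1.77 patch: it parses a .torrent (a minimal bencode decoder is included so the example runs offline), walks the 'name' and 'path' entries of the info dictionary, and refuses any component that is "", ".", "..", or contains a path separator or NUL, then re-checks with a realpath containment test. The three torrents are constructed in the block (the tracker, pieces and download directory are assumed placeholders); the malicious one names "../../.ssh/authorized_keys", which an unpatched client would write outside the download directory.

```python
"""Added example: reject path-traversal file names in .torrent metainfo."""
import os
from typing import Any, Dict, List, Tuple


def bencode(obj: Any) -> bytes:
    """Minimal bencode encoder, used here only to build the sample torrents."""
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, str):
        obj = obj.encode()
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):  # bencode requires keys in sorted byte order
        items = sorted(((k.encode() if isinstance(k, str) else k), v)
                       for k, v in obj.items())
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError(f"cannot bencode {type(obj).__name__}")


def bdecode(data: bytes) -> Any:
    """Minimal bencode decoder: ints, byte strings, lists and dicts."""
    def parse(i: int) -> Tuple[Any, int]:
        c = data[i:i + 1]
        if c == b"i":                       # integer: i<digits>e
            j = data.index(b"e", i)
            return int(data[i + 1:j]), j + 1
        if c in (b"l", b"d"):               # list or dict, terminated by 'e'
            out: Any = [] if c == b"l" else {}
            i += 1
            while data[i:i + 1] != b"e":
                if c == b"l":
                    v, i = parse(i)
                    out.append(v)
                else:
                    k, i = parse(i)
                    v, i = parse(i)
                    out[k] = v
            return out, i + 1
        j = data.index(b":", i)             # byte string: <len>:<bytes>
        n = int(data[i:j])
        return data[j + 1:j + 1 + n], j + 1 + n
    value, end = parse(0)
    if end != len(data):
        raise ValueError("trailing bytes after bencoded value")
    return value


def torrent_paths(meta: Dict[bytes, Any]) -> List[List[str]]:
    """Every file in the torrent as a list of path components, 'name' first."""
    info = meta[b"info"]
    name = info[b"name"].decode("utf-8", "replace")
    if b"files" not in info:                # single-file torrent
        return [[name]]
    return [[name] + [p.decode("utf-8", "replace") for p in f[b"path"]]
            for f in info[b"files"]]


def unsafe_component(c: str) -> bool:
    """A component must be a plain relative name: no '..', separators or NUL."""
    return c in ("", ".", "..") or "/" in c or "\\" in c or "\x00" in c


def safe_target(download_dir: str, components: List[str]) -> str:
    """Join components under download_dir, refusing anything that escapes it."""
    for c in components:
        if unsafe_component(c):
            raise ValueError(f"unsafe path component {c!r}")
    base = os.path.realpath(download_dir)
    target = os.path.realpath(os.path.join(base, *components))
    # Defence in depth: the resolved path must still lie under the base directory.
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"{target} escapes {base}")
    return target


def audit_torrent(data: bytes, download_dir: str = "/home/user/Downloads"
                  ) -> Tuple[List[str], List[str]]:
    """Return (accepted absolute targets, rejected relative paths) for one torrent."""
    accepted, rejected = [], []
    for comps in torrent_paths(bdecode(data)):
        try:
            accepted.append(safe_target(download_dir, comps))
        except ValueError:
            rejected.append("/".join(comps))
    return accepted, rejected


# Constructed sample torrents (assumed contents; no real tracker or piece hashes).
BENIGN_TORRENT = bencode({"info": {"name": "demo", "piece length": 16384, "pieces": "",
                                   "files": [{"length": 3, "path": ["readme"]},
                                             {"length": 5, "path": ["sub", "file"]}]}})
MALICIOUS_TORRENT = bencode({"info": {"name": "movie", "piece length": 16384, "pieces": "",
                                      "files": [{"length": 10,
                                                 "path": ["..", "..", ".ssh", "authorized_keys"]}]}})
NAME_TRAVERSAL_TORRENT = bencode({"info": {"name": "../../../tmp/evil", "length": 1,
                                           "piece length": 16384, "pieces": ""}})

if __name__ == "__main__":
    for label, t in [("benign", BENIGN_TORRENT), ("malicious", MALICIOUS_TORRENT),
                     ("name traversal", NAME_TRAVERSAL_TORRENT)]:
        print(label, audit_torrent(t))
```

The syntactic check on each component is what actually closes the hole; the realpath containment test is a second line of defence that also catches symlinked download directories and encoding tricks the component test might miss.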

<*Source: Dan Rosenberg
 
  Links: http://secunia.com/advisories/38005/
        https://bugs.launchpad.net/ubuntu/+source/transmission/+bug/500625
        http://www.debian.org/security/2010/dsa-1967
*>

Recommendations:

Vendor patches:

Debian
------
Debian has released a security advisory (DSA-1967-1) and the corresponding patched packages:
DSA-1967-1: New transmission packages fix directory traversal
Link: http://www.debian.org/security/2010/dsa-1967

Patch downloads:

Source archives:

http://security.debian.org/pool/updates/main/t/transmission/transmission_1.22-1+lenny2.diff.gz
Size/MD5 checksum:    11339 ab8089177ea598bae94487142efb7c32
http://security.debian.org/pool/updates/main/t/transmission/transmission_1.22.orig.tar.gz
Size/MD5 checksum:  4931481 fcb56a527db138cfbe83e9cf7ed16179
http://security.debian.org/pool/updates/main/t/transmission/transmission_1.22-1+lenny2.dsc
Size/MD5 checksum:     1481 9202a190563dc229b3297d9748692e66

Architecture independent packages:

http://security.debian.org/pool/updates/main/t/transmission/transmission_1.22-1+lenny2_all.deb
Size/MD5 checksum:      860 a61eae34864fe101ed5c2ec8a3511411
http://security.debian.org/pool/updates/main/t/transmission/transmission-common_1.22-1+lenny2_all.deb
Size/MD5 checksum:    14854 7da6a8e90ea5ece48503cc2b6d5324b8

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/t/transmission/transmission-cli_1.22-1+lenny2_alpha.deb
Size/MD5 checksum:   635620 03d3801c2313261d2f578c0a3b06db1a
http://security.debian.org/pool/updates/main/t/transmission/transmission-gtk_1.22-1+lenny2_alpha.deb
Size/MD5 checksum:   493178 10bfd690bf97902a1ce556ff568c9161

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/t/transmission/transmission-cli_1.22-1+lenny2_amd64.deb
Size/MD5 checksum:   526544 60fdd255828b74bfc5bf88e469924c7e
http://security.debian.org/pool/updates/main/t/transmission/transmission-gtk_1.22-1+lenny2_amd64.deb
Size/MD5 checksum:   448664 da7f9bcffbb9f628b604d1f8421348cf

arm architecture (ARM)

http://security.debian.org/pool/updates/main/t/transmission/transmission-cli_1.22-1+lenny2_arm.deb
Size/MD5 checksum:   489984 1d3a15a43977376100420f4ebab67b13
http://security.debian.org/pool/updates/main/t/transmission/transmission-gtk_1.22-1+lenny2_arm.deb
Size/MD5 checksum:   424216 243ef4d6906701651cf12bf79fe2e682

armel architecture (ARM EABI)

http://security.debian.org/pool/updates/main/t/transmission/transmission-cli_1.22-1+lenny2_armel.deb
Size/MD5 checksum:   494624 87b5b59f5333471975ba277c37c30409
http://security.debian.org/pool/updates/main/t/transmission/transmission-gtk_1.22-1+lenny2_armel.deb
Size/MD5 checksum:   423284 a2470ec71ae32eb102bdb32d4043b40a

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/t/transmission/transmission-cli_1.22-1+lenny2_hppa.deb
Size/MD5 checksum:   585786 eb020bdf5c04a602bac0c5d4a96f1712
http://security.debian.org/pool/updates/main/t/transmission/transmission-gtk_1.22-1+lenny2_hppa.deb
Size/MD5 checksum:   472772 061acf64ccd9332c01e8d4b56fc719b4

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/t/transmission/transmission-cli_1.22-1+lenny2_i386.deb
Size/MD5 checksum:   480444 7d894d2e5dce801403fb1fb0385e9dce
http://security.debian.org/pool/updates/main/t/transmission/transmission-gtk_1.22-1+lenny2_i386.deb
Size/MD5 checksum:   430638 09debafd690dd13fcf9b00d88e683667

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/t/transmission/transmission-cli_1.22-1+lenny2_ia64.deb
Size/MD5 checksum:   873890 d09cdaa9330d8fd5935b483142cff1bf
http://security.debian.org/pool/updates/main/t/transmission/transmission-gtk_1.22-1+lenny2_ia64.deb
Size/MD5 checksum:   598356 47d67a8a3cb1eaf311f315e02c94787f

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/t/transmission/transmission-cli_1.22-1+lenny2_mipsel.deb
Size/MD5 checksum:   602890 6f77c487b8cf7f246afe29997bf49768
http://security.debian.org/pool/updates/main/t/transmission/transmission-gtk_1.22-1+lenny2_mipsel.deb
Size/MD5 checksum:   459878 9a20d17dde7469a1692bed53c69df681

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/t/transmission/transmission-gtk_1.22-1+lenny2_powerpc.deb
Size/MD5 checksum:   474194 3f884a72b8dae2c55b34b0718152c7ac
http://security.debian.org/pool/updates/main/t/transmission/transmission-cli_1.22-1+lenny2_powerpc.deb
Size/MD5 checksum:   579190 b9f6ad93935c1d9fc8b8a518b772eb9a

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/t/transmission/transmission-cli_1.22-1+lenny2_s390.deb
Size/MD5 checksum:   551442 760fb4b9f138aad71d77b0ca67c26e78
http://security.debian.org/pool/updates/main/t/transmission/transmission-gtk_1.22-1+lenny2_s390.deb
Size/MD5 checksum:   465012 cd3ce00407b78d8e239f63a3598e3462

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/t/transmission/transmission-gtk_1.22-1+lenny2_sparc.deb
Size/MD5 checksum:   430260 c67e263523811a0af5f059da732b6775
http://security.debian.org/pool/updates/main/t/transmission/transmission-cli_1.22-1+lenny2_sparc.deb
Size/MD5 checksum:   465490 8b181731bfa4e815f63880f5a8195f68

Patch installation:

1. Install the patch packages manually:

  First, download the package with:
  # wget url  (url is the patch download link)

  Then install it with:
  # dpkg -i file.deb (file is the name of the downloaded package)

  The packages for your architecture (transmission-cli, transmission-gtk) normally depend on the architecture-independent transmission-common package of the same version, so download and install them together. Compare the size and MD5 of each download with the values listed above before installing.

2. Install the patch packages automatically with apt-get:

   First, refresh the package database:
   # apt-get update
 
   Then install the updated packages:
   # apt-get upgrade
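For the manual route in step 1, the check a practitioner wants before running dpkg -i is that the downloaded file matches the Size/MD5 line published in the advisory. The script below is an added example written for this page (not a Debian or Transmission tool): it parses advisory download lists of the form shown above, verifies both the byte count and the MD5 digest, and only then invokes dpkg. The demo() function builds a constructed 3-byte "package" in a temporary directory with a made-up file name and substitutes a recorder for subprocess.run, so it runs without root or network; the I386_CLI_ENTRY lines are copied from the real i386 section above.

```python
"""Added example: verify a downloaded .deb against the advisory's Size/MD5 line."""
import hashlib
import os
import re
import subprocess
import tempfile
from typing import Callable, Dict, List, Tuple

# One advisory entry is a URL line followed by a "Size/MD5 checksum:" line.
_CHECKSUM = re.compile(r"Size/MD5 checksum:\s+(\d+)\s+([0-9a-f]{32})")


def parse_checksums(advisory_text: str) -> Dict[str, Tuple[int, str]]:
    """Map package file name -> (size in bytes, MD5 hex) from advisory text."""
    result: Dict[str, Tuple[int, str]] = {}
    url = None
    for raw in advisory_text.splitlines():
        line = raw.strip()
        if line.startswith(("http://", "https://")):
            url = line
            continue
        m = _CHECKSUM.search(line)
        if m and url:
            result[os.path.basename(url)] = (int(m.group(1)), m.group(2))
            url = None
    return result


def verify_file(path: str, expected: Tuple[int, str]) -> bool:
    """True only if the file's byte count and MD5 digest both match."""
    size, md5 = expected
    if os.path.getsize(path) != size:
        return False
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    # MD5 is collision-prone, but it is the only digest the advisory publishes;
    # this catches corrupted or mismatched downloads, not a targeted forgery.
    return h.hexdigest() == md5


def install_if_verified(path: str, checksums: Dict[str, Tuple[int, str]],
                        run: Callable = subprocess.run) -> bool:
    """Run 'dpkg -i' (needs root) only when the package matches its entry."""
    name = os.path.basename(path)
    if name not in checksums or not verify_file(path, checksums[name]):
        return False
    run(["dpkg", "-i", path], check=True)
    return True


# Two lines copied from the advisory's i386 section (real published values).
I386_CLI_ENTRY = """
http://security.debian.org/pool/updates/main/t/transmission/transmission-cli_1.22-1+lenny2_i386.deb
Size/MD5 checksum:   480444 7d894d2e5dce801403fb1fb0385e9dce
"""


def demo() -> Tuple[bool, bool, List[List[str]]]:
    """Constructed run: a 3-byte 'package' whose MD5 is that of b'abc', then a
    tampered copy. Returns (first verified, second verified, dpkg commands issued)."""
    entry = {"transmission-demo.deb": (3, "900150983cd24fb0d6963f7d28e17f72")}
    issued: List[List[str]] = []

    def record(cmd, **kwargs):          # stand-in for subprocess.run
        issued.append(cmd)

    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "transmission-demo.deb")
        with open(path, "wb") as f:
            f.write(b"abc")
        first = install_if_verified(path, entry, run=record)
        with open(path, "ab") as f:
            f.write(b"\n")              # simulate a truncated or altered download
        second = install_if_verified(path, entry, run=record)
    return first, second, issued


if __name__ == "__main__":
    print(parse_checksums(I386_CLI_ENTRY))
    print(demo())
```

With the apt-get route in step 2 this check is unnecessary, since apt verifies packages through the signed Release and Packages files; the script only fills the gap left by a bare wget.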

Transmission Project
--------------------
The vendor has released version 1.77, which fixes this issue; download it from the vendor's site:

http://trac.transmissionbt.com/wiki/Changes#version-1.77





 
Copyright © 2005 China Information Technology Security Evaluation Center