LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Advisory Watch: December 19th, 2014
Linux Advisory Watch: December 12th, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
Ubuntu: KTorrent vulnerabilities Print E-mail
User Rating:      How can I rate this item?
Posted by Benjamin D. Thomas   
Ubuntu It was discovered that KTorrent did not properly restrict access when using the web interface plugin. A remote attacker could use a crafted http request and upload arbitrary torrent files to trigger the start of downloads and seeding. (CVE-2008-5905) It was discovered that KTorrent did not properly handle certain parameters when using the web interface plugin. A remote attacker could use crafted http requests to execute arbitrary PHP code. (CVE-2008-5906)
===========================================================
Ubuntu Security Notice USN-711-1           January 26, 2009
ktorrent vulnerabilities
CVE-2008-5905, CVE-2008-5906
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 7.10
Ubuntu 8.04 LTS
Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 7.10:
  ktorrent                        2.2.1-0ubuntu3.1

Ubuntu 8.04 LTS:
  ktorrent                        2.2.5-0ubuntu1.1

Ubuntu 8.10:
  ktorrent                        3.1.2+dfsg.1-0ubuntu2.1

After a standard system upgrade you need to restart KTorrent to effect
the necessary changes.

Details follow:

It was discovered that KTorrent did not properly restrict access when using the
web interface plugin. A remote attacker could use a crafted http request and
upload arbitrary torrent files to trigger the start of downloads and seeding.
(CVE-2008-5905)

It was discovered that KTorrent did not properly handle certain parameters when
using the web interface plugin. A remote attacker could use crafted http
requests to execute arbitrary PHP code. (CVE-2008-5906)


Updated packages for Ubuntu 7.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.2.1-0ubuntu3.1.diff.gz
      Size/MD5:     8139 542d145b17f4c93e90358305f5082892
    http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.2.1-0ubuntu3.1.dsc
      Size/MD5:      679 5d731774f0370fa9347ff1d4a9fe59b3
    http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.2.1.orig.tar.gz
      Size/MD5:  3763678 229a0615d9252510d9387079dd5bd86d

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.2.1-0ubuntu3.1_amd64.deb
      Size/MD5:  2809826 64590eb7d61058feffe16b0c05c462de

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.2.1-0ubuntu3.1_i386.deb
      Size/MD5:  2764082 0e1d642f8f86576da7aadb1ba5915993

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/k/ktorrent/ktorrent_2.2.1-0ubuntu3.1_lpia.deb
      Size/MD5:  2769980 979fbc6391793dd1b976b555614b8125

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.2.1-0ubuntu3.1_powerpc.deb
      Size/MD5:  2912698 5c0baa03be10092f5f9dae0ec33cf050

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.2.1-0ubuntu3.1_sparc.deb
      Size/MD5:  2764418 71d8cf3eb924098584948847752a69e7

Updated packages for Ubuntu 8.04 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.2.5-0ubuntu1.1.diff.gz
      Size/MD5:     8186 887b90cfe0b14d6e654edf5f83d443a1
    http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.2.5-0ubuntu1.1.dsc
      Size/MD5:      679 1cf90260c7bb419ba83f280e0c242c1e
    http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.2.5.orig.tar.gz
      Size/MD5:  3841204 f5cd0430250317eff85d8356d65c0a6f

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.2.5-0ubuntu1.1_amd64.deb
      Size/MD5:  2812314 a60c001b92052ac0d269c894f4bafa7c

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_2.2.5-0ubuntu1.1_i386.deb
      Size/MD5:  2749174 361a62003fe4029dd48b007f05a18848

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/k/ktorrent/ktorrent_2.2.5-0ubuntu1.1_lpia.deb
      Size/MD5:  2762832 e458e9a11bf9d2db72c8af4d89936241

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/k/ktorrent/ktorrent_2.2.5-0ubuntu1.1_powerpc.deb
      Size/MD5:  2894978 935494d19c317011e02041b204d042a5

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/k/ktorrent/ktorrent_2.2.5-0ubuntu1.1_sparc.deb
      Size/MD5:  2744550 5a1f3871c1a972155efcc1a77cac2788

Updated packages for Ubuntu 8.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_3.1.2+dfsg.1-0ubuntu2.1.diff.gz
      Size/MD5:    28491 2dfc78827267f8a0316f7b871a3c5795
    http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_3.1.2+dfsg.1-0ubuntu2.1.dsc
      Size/MD5:     1616 9daa934ea811f90d15aafcb96bcb8b3e
    http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_3.1.2+dfsg.1.orig.tar.gz
      Size/MD5:  3243464 d7ec6f8f7a77f9a460c99f9ba1d95cec

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent-dbg_3.1.2+dfsg.1-0ubuntu2.1_amd64.deb
      Size/MD5: 10574990 4039eb82f82e92c60212a4639842fb8e
    http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_3.1.2+dfsg.1-0ubuntu2.1_amd64.deb
      Size/MD5:  1876310 7d183d5f936776da921a26eb07852cf9

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent-dbg_3.1.2+dfsg.1-0ubuntu2.1_i386.deb
      Size/MD5: 10462534 b2a3142f8a5a73fac78af5651cb31a68
    http://security.ubuntu.com/ubuntu/pool/main/k/ktorrent/ktorrent_3.1.2+dfsg.1-0ubuntu2.1_i386.deb
      Size/MD5:  1872266 7f2002e96efccf24fd12178a0ac2af91

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/k/ktorrent/ktorrent-dbg_3.1.2+dfsg.1-0ubuntu2.1_lpia.deb
      Size/MD5: 10485854 5b8f4fda1bb0b2e797a2b6d59bbe0f1a
    http://ports.ubuntu.com/pool/main/k/ktorrent/ktorrent_3.1.2+dfsg.1-0ubuntu2.1_lpia.deb
      Size/MD5:  1891462 4b37c0d9502c46aa5f55e7cccd35c7b5

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/k/ktorrent/ktorrent-dbg_3.1.2+dfsg.1-0ubuntu2.1_powerpc.deb
      Size/MD5: 11060316 fd33f09a63abe5485884da105fd5de91
    http://ports.ubuntu.com/pool/main/k/ktorrent/ktorrent_3.1.2+dfsg.1-0ubuntu2.1_powerpc.deb
      Size/MD5:  1947996 561ba5edef371c84a165d61a88df0b80

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/k/ktorrent/ktorrent-dbg_3.1.2+dfsg.1-0ubuntu2.1_sparc.deb
      Size/MD5: 10583140 b2957586c0802312c7e837336b2dfc10
    http://ports.ubuntu.com/pool/main/k/ktorrent/ktorrent_3.1.2+dfsg.1-0ubuntu2.1_sparc.deb
      Size/MD5:  1873550 2d38e242cfa474fb4c335a1ae2475482



--=-aTXlzfUR+t95VsDZnaL6
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEABECAAYFAkl+H9oACgkQLMAs/0C4zNrskgCghLISn54Lf3blialkMRjeMuu6
2A0AoJtB/YrPe9zMvzUHiE4x6ag/snQ9
=/7SX
-----END PGP SIGNATURE-----

--=-aTXlzfUR+t95VsDZnaL6--



--==============	32642204264160306=Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

--==============	32642204264160306==--
 
< Prev   Next >
    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.