pkgsrc-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[pkgsrc/trunk]: pkgsrc/net transmission*: Fix security issue



details:   https://anonhg.NetBSD.org/pkgsrc/rev/2dd9e8b0a72b
branches:  trunk
changeset: 374096:2dd9e8b0a72b
user:      wiz <wiz%pkgsrc.org@localhost>
date:      Tue Jan 16 09:37:00 2018 +0000

description:
transmission*: Fix security issue

Fix a weakness that allows remote code execution via the Transmission
RPC server using DNS rebinding:

https://bugs.chromium.org/p/project-zero/issues/detail?id=1447

Patch adapted from Tavis Ormandy's patch on the Transmission master
branch to the Transmission 2.92 release by Leo Famulari
<leo%famulari.name@localhost>:

https://github.com/transmission/transmission/pull/468/commits

Via FreeBSD ports.

Bump PKGREVISION.

diffstat:

 net/transmission-gtk/Makefile                                 |    4 +-
 net/transmission-qt/Makefile                                  |    4 +-
 net/transmission/Makefile                                     |    4 +-
 net/transmission/distinfo                                     |    9 +-
 net/transmission/patches/patch-libtransmission_quark.c        |   39 +
 net/transmission/patches/patch-libtransmission_quark.h        |   39 +
 net/transmission/patches/patch-libtransmission_rpc-server.c   |  224 ++++++++++
 net/transmission/patches/patch-libtransmission_rpc-server.h   |   41 +
 net/transmission/patches/patch-libtransmission_session.c      |   39 +
 net/transmission/patches/patch-libtransmission_transmission.h |   38 +
 net/transmission/patches/patch-libtransmission_web.c          |   38 +
 11 files changed, 472 insertions(+), 7 deletions(-)

diffs (truncated from 550 to 300 lines):

diff -r 0d2601599b08 -r 2dd9e8b0a72b net/transmission-gtk/Makefile
--- a/net/transmission-gtk/Makefile     Tue Jan 16 09:34:40 2018 +0000
+++ b/net/transmission-gtk/Makefile     Tue Jan 16 09:37:00 2018 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.25 2018/01/01 21:18:49 adam Exp $
+# $NetBSD: Makefile,v 1.26 2018/01/16 09:37:00 wiz Exp $
 
 PKGNAME=       transmission-gtk-${VERSION}
-PKGREVISION=   9
+PKGREVISION=   10
 
 USE_LANGUAGES=         c c++
 INSTALL_ENV+=          INSTALL_ROOT=${DESTDIR}${PREFIX}
diff -r 0d2601599b08 -r 2dd9e8b0a72b net/transmission-qt/Makefile
--- a/net/transmission-qt/Makefile      Tue Jan 16 09:34:40 2018 +0000
+++ b/net/transmission-qt/Makefile      Tue Jan 16 09:37:00 2018 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.29 2018/01/01 21:18:49 adam Exp $
+# $NetBSD: Makefile,v 1.30 2018/01/16 09:37:00 wiz Exp $
 
 PKGNAME=       transmission-qt-${VERSION}
-PKGREVISION=   12
+PKGREVISION=   13
 
 USE_LANGUAGES=         c c++
 MAKE_ENV+=             QTDIR=${QTDIR}
diff -r 0d2601599b08 -r 2dd9e8b0a72b net/transmission/Makefile
--- a/net/transmission/Makefile Tue Jan 16 09:34:40 2018 +0000
+++ b/net/transmission/Makefile Tue Jan 16 09:37:00 2018 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.12 2018/01/01 21:18:49 adam Exp $
+# $NetBSD: Makefile,v 1.13 2018/01/16 09:37:00 wiz Exp $
 
 CONFLICTS+=    Transmission-[0-9]*
 
@@ -8,6 +8,6 @@
 CONFIGURE_ARGS+=       --disable-mac
 CONFIGURE_ARGS+=       --without-gtk
 
-PKGREVISION= 5
+PKGREVISION= 6
 .include "../../net/transmission/Makefile.common"
 .include "../../mk/bsd.pkg.mk"
diff -r 0d2601599b08 -r 2dd9e8b0a72b net/transmission/distinfo
--- a/net/transmission/distinfo Tue Jan 16 09:34:40 2018 +0000
+++ b/net/transmission/distinfo Tue Jan 16 09:37:00 2018 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.12 2017/07/13 13:38:59 wiz Exp $
+$NetBSD: distinfo,v 1.13 2018/01/16 09:37:00 wiz Exp $
 
 SHA1 (transmission-2.92.tar.xz) = 2140feba45c4471392033d21b86b6f3ef780d88e
 RMD160 (transmission-2.92.tar.xz) = 6da78ce333fa2ea69aa4954c3b052a818ce7c93e
@@ -6,4 +6,11 @@
 Size (transmission-2.92.tar.xz) = 3378116 bytes
 SHA1 (patch-ab) = 796faa7c61762dc3ffe563748e55160c827149d2
 SHA1 (patch-libtransmission_platform-quota.c) = 2d9758d24c4329021e0774ac9f8bb3dd94592965
+SHA1 (patch-libtransmission_quark.c) = 70b8d8d3de0ae480433464a1dbee4488af3b64d9
+SHA1 (patch-libtransmission_quark.h) = 5c4b0a24e2e142a3504c232b333fa7665fe8178f
+SHA1 (patch-libtransmission_rpc-server.c) = 38aba449da55ae7f7c492b377d3ef6f5f54cc360
+SHA1 (patch-libtransmission_rpc-server.h) = b47127d42aaf1315719531f7af0c9f6a6dd14f6f
+SHA1 (patch-libtransmission_session.c) = 29c159b6297eed2da9da51ec9ce254a871ce21c1
+SHA1 (patch-libtransmission_transmission.h) = 349c63f0ec98fe632aff32c71cdb3918d7e08a19
+SHA1 (patch-libtransmission_web.c) = 8483cbe1155ac07d82c6733ceda48274d157b207
 SHA1 (patch-qt_qtr.pro) = 982c76669f41f154470a91b4b7c9cb5dcc41132c
diff -r 0d2601599b08 -r 2dd9e8b0a72b net/transmission/patches/patch-libtransmission_quark.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/net/transmission/patches/patch-libtransmission_quark.c    Tue Jan 16 09:37:00 2018 +0000
@@ -0,0 +1,39 @@
+$NetBSD: patch-libtransmission_quark.c,v 1.1 2018/01/16 09:37:00 wiz Exp $
+
+Fix a weakness that allows remote code execution via the Transmission
+RPC server using DNS rebinding:
+
+https://bugs.chromium.org/p/project-zero/issues/detail?id=1447
+
+Patch adapted from Tavis Ormandy's patch on the Transmission master
+branch to the Transmission 2.92 release by Leo Famulari
+<leo%famulari.name@localhost>:
+
+https://github.com/transmission/transmission/pull/468/commits
+
+From fe2d3c6e75088f3d9b6040ce06da3d530358bc2f Mon Sep 17 00:00:00 2001
+From: Tavis Ormandy <taviso%google.com@localhost>
+Date: Thu, 11 Jan 2018 10:00:41 -0800
+Subject: [PATCH] mitigate dns rebinding attacks against daemon
+
+---
+ libtransmission/quark.c        |   2 +
+ libtransmission/quark.h        |   2 +
+ libtransmission/rpc-server.c   | 116 +++++++++++++++++++++++++++++++++++++----
+ libtransmission/rpc-server.h   |   4 ++
+ libtransmission/session.c      |   2 +
+ libtransmission/transmission.h |   1 +
+ libtransmission/web.c          |   3 ++
+ 7 files changed, 121 insertions(+), 9 deletions(-)
+
+--- libtransmission/quark.c.orig       2016-01-09 18:02:58.738698801 +0000
++++ libtransmission/quark.c
+@@ -289,6 +289,8 @@ static const struct tr_key_struct my_sta
+   { "rpc-authentication-required", 27 },
+   { "rpc-bind-address", 16 },
+   { "rpc-enabled", 11 },
++  { "rpc-host-whitelist", 18 },
++  { "rpc-host-whitelist-enabled", 26 },
+   { "rpc-password", 12 },
+   { "rpc-port", 8 },
+   { "rpc-url", 7 },
diff -r 0d2601599b08 -r 2dd9e8b0a72b net/transmission/patches/patch-libtransmission_quark.h
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/net/transmission/patches/patch-libtransmission_quark.h    Tue Jan 16 09:37:00 2018 +0000
@@ -0,0 +1,39 @@
+$NetBSD: patch-libtransmission_quark.h,v 1.1 2018/01/16 09:37:00 wiz Exp $
+
+Fix a weakness that allows remote code execution via the Transmission
+RPC server using DNS rebinding:
+
+https://bugs.chromium.org/p/project-zero/issues/detail?id=1447
+
+Patch adapted from Tavis Ormandy's patch on the Transmission master
+branch to the Transmission 2.92 release by Leo Famulari
+<leo%famulari.name@localhost>:
+
+https://github.com/transmission/transmission/pull/468/commits
+
+From fe2d3c6e75088f3d9b6040ce06da3d530358bc2f Mon Sep 17 00:00:00 2001
+From: Tavis Ormandy <taviso%google.com@localhost>
+Date: Thu, 11 Jan 2018 10:00:41 -0800
+Subject: [PATCH] mitigate dns rebinding attacks against daemon
+
+---
+ libtransmission/quark.c        |   2 +
+ libtransmission/quark.h        |   2 +
+ libtransmission/rpc-server.c   | 116 +++++++++++++++++++++++++++++++++++++----
+ libtransmission/rpc-server.h   |   4 ++
+ libtransmission/session.c      |   2 +
+ libtransmission/transmission.h |   1 +
+ libtransmission/web.c          |   3 ++
+ 7 files changed, 121 insertions(+), 9 deletions(-)
+
+--- libtransmission/quark.h.orig       2015-06-28 19:23:49.613528096 +0000
++++ libtransmission/quark.h
+@@ -291,6 +291,8 @@ enum
+   TR_KEY_rpc_authentication_required,
+   TR_KEY_rpc_bind_address,
+   TR_KEY_rpc_enabled,
++  TR_KEY_rpc_host_whitelist,
++  TR_KEY_rpc_host_whitelist_enabled,
+   TR_KEY_rpc_password,
+   TR_KEY_rpc_port,
+   TR_KEY_rpc_url,
diff -r 0d2601599b08 -r 2dd9e8b0a72b net/transmission/patches/patch-libtransmission_rpc-server.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/net/transmission/patches/patch-libtransmission_rpc-server.c       Tue Jan 16 09:37:00 2018 +0000
@@ -0,0 +1,224 @@
+$NetBSD: patch-libtransmission_rpc-server.c,v 1.1 2018/01/16 09:37:00 wiz Exp $
+
+Fix a weakness that allows remote code execution via the Transmission
+RPC server using DNS rebinding:
+
+https://bugs.chromium.org/p/project-zero/issues/detail?id=1447
+
+Patch adapted from Tavis Ormandy's patch on the Transmission master
+branch to the Transmission 2.92 release by Leo Famulari
+<leo%famulari.name@localhost>:
+
+https://github.com/transmission/transmission/pull/468/commits
+
+From fe2d3c6e75088f3d9b6040ce06da3d530358bc2f Mon Sep 17 00:00:00 2001
+From: Tavis Ormandy <taviso%google.com@localhost>
+Date: Thu, 11 Jan 2018 10:00:41 -0800
+Subject: [PATCH] mitigate dns rebinding attacks against daemon
+
+---
+ libtransmission/quark.c        |   2 +
+ libtransmission/quark.h        |   2 +
+ libtransmission/rpc-server.c   | 116 +++++++++++++++++++++++++++++++++++++----
+ libtransmission/rpc-server.h   |   4 ++
+ libtransmission/session.c      |   2 +
+ libtransmission/transmission.h |   1 +
+ libtransmission/web.c          |   3 ++
+ 7 files changed, 121 insertions(+), 9 deletions(-)
+
+--- libtransmission/rpc-server.c.orig  2016-01-09 18:02:58.740698836 +0000
++++ libtransmission/rpc-server.c
+@@ -52,6 +52,7 @@ struct tr_rpc_server
+     bool               isEnabled;
+     bool               isPasswordEnabled;
+     bool               isWhitelistEnabled;
++    bool               isHostWhitelistEnabled;
+     tr_port            port;
+     char             * url;
+     struct in_addr     bindAddress;
+@@ -63,6 +64,7 @@ struct tr_rpc_server
+     char             * password;
+     char             * whitelistStr;
+     tr_list          * whitelist;
++    tr_list          * hostWhitelist;
+ 
+     char             * sessionId;
+     time_t             sessionIdExpiresAt;
+@@ -588,6 +590,49 @@ isAddressAllowed (const tr_rpc_server * 
+   return false;
+ }
+ 
++static bool isHostnameAllowed(tr_rpc_server const* server, struct evhttp_request* req)
++{
++    /* If password auth is enabled, any hostname is permitted. */
++    if (server->isPasswordEnabled)
++    {
++        return true;
++    }
++
++    char const* const host = evhttp_find_header(req->input_headers, "Host");
++
++    // If whitelist is disabled, no restrictions.
++    if (!server->isHostWhitelistEnabled)
++        return true;
++
++    /* No host header, invalid request. */
++    if (host == NULL)
++    {
++        return false;
++    }
++
++    /* Host header might include the port. */
++    char* const hostname = tr_strndup(host, strcspn(host, ":"));
++
++    /* localhost or ipaddress is always acceptable. */
++    if (strcmp(hostname, "localhost") == 0 || strcmp(hostname, "localhost.") == 0 || tr_addressIsIP(hostname))
++    {
++        tr_free(hostname);
++        return true;
++    }
++
++    /* Otherwise, hostname must be whitelisted. */
++    for (tr_list* l = server->hostWhitelist; l != NULL; l = l->next) {
++        if (tr_wildmat(hostname, l->data))
++        {
++            tr_free(hostname);
++            return true;
++        }
++    }
++
++    tr_free(hostname);
++    return false;
++}
++
+ static bool
+ test_session_id (struct tr_rpc_server * server, struct evhttp_request * req)
+ {
+@@ -663,6 +708,23 @@ handle_request (struct evhttp_request * 
+           handle_upload (req, server);
+         }
+ #ifdef REQUIRE_SESSION_ID
++        else if (!isHostnameAllowed(server, req))
++        {
++            char* tmp = tr_strdup_printf(
++                "<p>Transmission received your request, but the hostname was unrecognized.</p>"
++                "<p>To fix this, choose one of the following options:"
++                "<ul>"
++                "<li>Enable password authentication, then any hostname is allowed.</li>"
++                "<li>Add the hostname you want to use to the whitelist in settings.</li>"
++                "</ul></p>"
++                "<p>If you're editing settings.json, see the 'rpc-host-whitelist' and 'rpc-host-whitelist-enabled' entries.</p>"
++                "<p>This requirement has been added to help prevent "
++                "<a href=\"https://en.wikipedia.org/wiki/DNS_rebinding\";>DNS Rebinding</a> "
++                "attacks.</p>");
++            send_simple_response(req, 421, tmp);
++            tr_free(tmp);
++        }
++
+       else if (!test_session_id (server, req))
+         {
+           const char * sessionId = get_current_session_id (server);
+@@ -674,7 +736,7 @@ handle_request (struct evhttp_request * 
+             "<li> When you get this 409 error message, resend your request with the updated header"
+             "</ol></p>"
+             "<p>This requirement has been added to help prevent "
+-            "<a href=\"http://en.wikipedia.org/wiki/Cross-site_request_forgery\";>CSRF</a> "
++            "<a href=\"https://en.wikipedia.org/wiki/Cross-site_request_forgery\";>CSRF</a> "
+             "attacks.</p>"
+             "<p><code>%s: %s</code></p>",
+             TR_RPC_SESSION_ID_HEADER, sessionId);
+@@ -875,19 +937,14 @@ tr_rpcGetUrl (const tr_rpc_server * serv
+   return server->url ? server->url : "";
+ }
+ 
+-void
+-tr_rpcSetWhitelist (tr_rpc_server * server, const char * whitelistStr)
++static void
++tr_rpcSetList (char const* whitelistStr, tr_list** list)
+ {
+   void * tmp;
+   const char * walk;
+ 
+-  /* keep the string */
+-  tmp = server->whitelistStr;
+-  server->whitelistStr = tr_strdup (whitelistStr);
+-  tr_free (tmp);
+-



Home | Main Index | Thread Index | Old Index