pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/trunk]: pkgsrc/net transmission*: Fix security issue
details: https://anonhg.NetBSD.org/pkgsrc/rev/2dd9e8b0a72b
branches: trunk
changeset: 374096:2dd9e8b0a72b
user: wiz <wiz%pkgsrc.org@localhost>
date: Tue Jan 16 09:37:00 2018 +0000
description:
transmission*: Fix security issue
Fix a weakness that allows remote code execution via the Transmission
RPC server using DNS rebinding:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1447
Patch adapted from Tavis Ormandy's patch on the Transmission master
branch to the Transmission 2.92 release by Leo Famulari
<leo%famulari.name@localhost>:
https://github.com/transmission/transmission/pull/468/commits
Via FreeBSD ports.
Bump PKGREVISION.
diffstat:
net/transmission-gtk/Makefile | 4 +-
net/transmission-qt/Makefile | 4 +-
net/transmission/Makefile | 4 +-
net/transmission/distinfo | 9 +-
net/transmission/patches/patch-libtransmission_quark.c | 39 +
net/transmission/patches/patch-libtransmission_quark.h | 39 +
net/transmission/patches/patch-libtransmission_rpc-server.c | 224 ++++++++++
net/transmission/patches/patch-libtransmission_rpc-server.h | 41 +
net/transmission/patches/patch-libtransmission_session.c | 39 +
net/transmission/patches/patch-libtransmission_transmission.h | 38 +
net/transmission/patches/patch-libtransmission_web.c | 38 +
11 files changed, 472 insertions(+), 7 deletions(-)
diffs (truncated from 550 to 300 lines):
diff -r 0d2601599b08 -r 2dd9e8b0a72b net/transmission-gtk/Makefile
--- a/net/transmission-gtk/Makefile Tue Jan 16 09:34:40 2018 +0000
+++ b/net/transmission-gtk/Makefile Tue Jan 16 09:37:00 2018 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.25 2018/01/01 21:18:49 adam Exp $
+# $NetBSD: Makefile,v 1.26 2018/01/16 09:37:00 wiz Exp $
PKGNAME= transmission-gtk-${VERSION}
-PKGREVISION= 9
+PKGREVISION= 10
USE_LANGUAGES= c c++
INSTALL_ENV+= INSTALL_ROOT=${DESTDIR}${PREFIX}
diff -r 0d2601599b08 -r 2dd9e8b0a72b net/transmission-qt/Makefile
--- a/net/transmission-qt/Makefile Tue Jan 16 09:34:40 2018 +0000
+++ b/net/transmission-qt/Makefile Tue Jan 16 09:37:00 2018 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.29 2018/01/01 21:18:49 adam Exp $
+# $NetBSD: Makefile,v 1.30 2018/01/16 09:37:00 wiz Exp $
PKGNAME= transmission-qt-${VERSION}
-PKGREVISION= 12
+PKGREVISION= 13
USE_LANGUAGES= c c++
MAKE_ENV+= QTDIR=${QTDIR}
diff -r 0d2601599b08 -r 2dd9e8b0a72b net/transmission/Makefile
--- a/net/transmission/Makefile Tue Jan 16 09:34:40 2018 +0000
+++ b/net/transmission/Makefile Tue Jan 16 09:37:00 2018 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.12 2018/01/01 21:18:49 adam Exp $
+# $NetBSD: Makefile,v 1.13 2018/01/16 09:37:00 wiz Exp $
CONFLICTS+= Transmission-[0-9]*
@@ -8,6 +8,6 @@
CONFIGURE_ARGS+= --disable-mac
CONFIGURE_ARGS+= --without-gtk
-PKGREVISION= 5
+PKGREVISION= 6
.include "../../net/transmission/Makefile.common"
.include "../../mk/bsd.pkg.mk"
diff -r 0d2601599b08 -r 2dd9e8b0a72b net/transmission/distinfo
--- a/net/transmission/distinfo Tue Jan 16 09:34:40 2018 +0000
+++ b/net/transmission/distinfo Tue Jan 16 09:37:00 2018 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.12 2017/07/13 13:38:59 wiz Exp $
+$NetBSD: distinfo,v 1.13 2018/01/16 09:37:00 wiz Exp $
SHA1 (transmission-2.92.tar.xz) = 2140feba45c4471392033d21b86b6f3ef780d88e
RMD160 (transmission-2.92.tar.xz) = 6da78ce333fa2ea69aa4954c3b052a818ce7c93e
@@ -6,4 +6,11 @@
Size (transmission-2.92.tar.xz) = 3378116 bytes
SHA1 (patch-ab) = 796faa7c61762dc3ffe563748e55160c827149d2
SHA1 (patch-libtransmission_platform-quota.c) = 2d9758d24c4329021e0774ac9f8bb3dd94592965
+SHA1 (patch-libtransmission_quark.c) = 70b8d8d3de0ae480433464a1dbee4488af3b64d9
+SHA1 (patch-libtransmission_quark.h) = 5c4b0a24e2e142a3504c232b333fa7665fe8178f
+SHA1 (patch-libtransmission_rpc-server.c) = 38aba449da55ae7f7c492b377d3ef6f5f54cc360
+SHA1 (patch-libtransmission_rpc-server.h) = b47127d42aaf1315719531f7af0c9f6a6dd14f6f
+SHA1 (patch-libtransmission_session.c) = 29c159b6297eed2da9da51ec9ce254a871ce21c1
+SHA1 (patch-libtransmission_transmission.h) = 349c63f0ec98fe632aff32c71cdb3918d7e08a19
+SHA1 (patch-libtransmission_web.c) = 8483cbe1155ac07d82c6733ceda48274d157b207
SHA1 (patch-qt_qtr.pro) = 982c76669f41f154470a91b4b7c9cb5dcc41132c
diff -r 0d2601599b08 -r 2dd9e8b0a72b net/transmission/patches/patch-libtransmission_quark.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/net/transmission/patches/patch-libtransmission_quark.c Tue Jan 16 09:37:00 2018 +0000
@@ -0,0 +1,39 @@
+$NetBSD: patch-libtransmission_quark.c,v 1.1 2018/01/16 09:37:00 wiz Exp $
+
+Fix a weakness that allows remote code execution via the Transmission
+RPC server using DNS rebinding:
+
+https://bugs.chromium.org/p/project-zero/issues/detail?id=1447
+
+Patch adapted from Tavis Ormandy's patch on the Transmission master
+branch to the Transmission 2.92 release by Leo Famulari
+<leo%famulari.name@localhost>:
+
+https://github.com/transmission/transmission/pull/468/commits
+
+From fe2d3c6e75088f3d9b6040ce06da3d530358bc2f Mon Sep 17 00:00:00 2001
+From: Tavis Ormandy <taviso%google.com@localhost>
+Date: Thu, 11 Jan 2018 10:00:41 -0800
+Subject: [PATCH] mitigate dns rebinding attacks against daemon
+
+---
+ libtransmission/quark.c | 2 +
+ libtransmission/quark.h | 2 +
+ libtransmission/rpc-server.c | 116 +++++++++++++++++++++++++++++++++++++----
+ libtransmission/rpc-server.h | 4 ++
+ libtransmission/session.c | 2 +
+ libtransmission/transmission.h | 1 +
+ libtransmission/web.c | 3 ++
+ 7 files changed, 121 insertions(+), 9 deletions(-)
+
+--- libtransmission/quark.c.orig 2016-01-09 18:02:58.738698801 +0000
++++ libtransmission/quark.c
+@@ -289,6 +289,8 @@ static const struct tr_key_struct my_sta
+ { "rpc-authentication-required", 27 },
+ { "rpc-bind-address", 16 },
+ { "rpc-enabled", 11 },
++ { "rpc-host-whitelist", 18 },
++ { "rpc-host-whitelist-enabled", 26 },
+ { "rpc-password", 12 },
+ { "rpc-port", 8 },
+ { "rpc-url", 7 },
diff -r 0d2601599b08 -r 2dd9e8b0a72b net/transmission/patches/patch-libtransmission_quark.h
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/net/transmission/patches/patch-libtransmission_quark.h Tue Jan 16 09:37:00 2018 +0000
@@ -0,0 +1,39 @@
+$NetBSD: patch-libtransmission_quark.h,v 1.1 2018/01/16 09:37:00 wiz Exp $
+
+Fix a weakness that allows remote code execution via the Transmission
+RPC server using DNS rebinding:
+
+https://bugs.chromium.org/p/project-zero/issues/detail?id=1447
+
+Patch adapted from Tavis Ormandy's patch on the Transmission master
+branch to the Transmission 2.92 release by Leo Famulari
+<leo%famulari.name@localhost>:
+
+https://github.com/transmission/transmission/pull/468/commits
+
+From fe2d3c6e75088f3d9b6040ce06da3d530358bc2f Mon Sep 17 00:00:00 2001
+From: Tavis Ormandy <taviso%google.com@localhost>
+Date: Thu, 11 Jan 2018 10:00:41 -0800
+Subject: [PATCH] mitigate dns rebinding attacks against daemon
+
+---
+ libtransmission/quark.c | 2 +
+ libtransmission/quark.h | 2 +
+ libtransmission/rpc-server.c | 116 +++++++++++++++++++++++++++++++++++++----
+ libtransmission/rpc-server.h | 4 ++
+ libtransmission/session.c | 2 +
+ libtransmission/transmission.h | 1 +
+ libtransmission/web.c | 3 ++
+ 7 files changed, 121 insertions(+), 9 deletions(-)
+
+--- libtransmission/quark.h.orig 2015-06-28 19:23:49.613528096 +0000
++++ libtransmission/quark.h
+@@ -291,6 +291,8 @@ enum
+ TR_KEY_rpc_authentication_required,
+ TR_KEY_rpc_bind_address,
+ TR_KEY_rpc_enabled,
++ TR_KEY_rpc_host_whitelist,
++ TR_KEY_rpc_host_whitelist_enabled,
+ TR_KEY_rpc_password,
+ TR_KEY_rpc_port,
+ TR_KEY_rpc_url,
diff -r 0d2601599b08 -r 2dd9e8b0a72b net/transmission/patches/patch-libtransmission_rpc-server.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/net/transmission/patches/patch-libtransmission_rpc-server.c Tue Jan 16 09:37:00 2018 +0000
@@ -0,0 +1,224 @@
+$NetBSD: patch-libtransmission_rpc-server.c,v 1.1 2018/01/16 09:37:00 wiz Exp $
+
+Fix a weakness that allows remote code execution via the Transmission
+RPC server using DNS rebinding:
+
+https://bugs.chromium.org/p/project-zero/issues/detail?id=1447
+
+Patch adapted from Tavis Ormandy's patch on the Transmission master
+branch to the Transmission 2.92 release by Leo Famulari
+<leo%famulari.name@localhost>:
+
+https://github.com/transmission/transmission/pull/468/commits
+
+From fe2d3c6e75088f3d9b6040ce06da3d530358bc2f Mon Sep 17 00:00:00 2001
+From: Tavis Ormandy <taviso%google.com@localhost>
+Date: Thu, 11 Jan 2018 10:00:41 -0800
+Subject: [PATCH] mitigate dns rebinding attacks against daemon
+
+---
+ libtransmission/quark.c | 2 +
+ libtransmission/quark.h | 2 +
+ libtransmission/rpc-server.c | 116 +++++++++++++++++++++++++++++++++++++----
+ libtransmission/rpc-server.h | 4 ++
+ libtransmission/session.c | 2 +
+ libtransmission/transmission.h | 1 +
+ libtransmission/web.c | 3 ++
+ 7 files changed, 121 insertions(+), 9 deletions(-)
+
+--- libtransmission/rpc-server.c.orig 2016-01-09 18:02:58.740698836 +0000
++++ libtransmission/rpc-server.c
+@@ -52,6 +52,7 @@ struct tr_rpc_server
+ bool isEnabled;
+ bool isPasswordEnabled;
+ bool isWhitelistEnabled;
++ bool isHostWhitelistEnabled;
+ tr_port port;
+ char * url;
+ struct in_addr bindAddress;
+@@ -63,6 +64,7 @@ struct tr_rpc_server
+ char * password;
+ char * whitelistStr;
+ tr_list * whitelist;
++ tr_list * hostWhitelist;
+
+ char * sessionId;
+ time_t sessionIdExpiresAt;
+@@ -588,6 +590,49 @@ isAddressAllowed (const tr_rpc_server *
+ return false;
+ }
+
++static bool isHostnameAllowed(tr_rpc_server const* server, struct evhttp_request* req)
++{
++ /* If password auth is enabled, any hostname is permitted. */
++ if (server->isPasswordEnabled)
++ {
++ return true;
++ }
++
++ char const* const host = evhttp_find_header(req->input_headers, "Host");
++
++ // If whitelist is disabled, no restrictions.
++ if (!server->isHostWhitelistEnabled)
++ return true;
++
++ /* No host header, invalid request. */
++ if (host == NULL)
++ {
++ return false;
++ }
++
++ /* Host header might include the port. */
++ char* const hostname = tr_strndup(host, strcspn(host, ":"));
++
++ /* localhost or ipaddress is always acceptable. */
++ if (strcmp(hostname, "localhost") == 0 || strcmp(hostname, "localhost.") == 0 || tr_addressIsIP(hostname))
++ {
++ tr_free(hostname);
++ return true;
++ }
++
++ /* Otherwise, hostname must be whitelisted. */
++ for (tr_list* l = server->hostWhitelist; l != NULL; l = l->next) {
++ if (tr_wildmat(hostname, l->data))
++ {
++ tr_free(hostname);
++ return true;
++ }
++ }
++
++ tr_free(hostname);
++ return false;
++}
++
+ static bool
+ test_session_id (struct tr_rpc_server * server, struct evhttp_request * req)
+ {
+@@ -663,6 +708,23 @@ handle_request (struct evhttp_request *
+ handle_upload (req, server);
+ }
+ #ifdef REQUIRE_SESSION_ID
++ else if (!isHostnameAllowed(server, req))
++ {
++ char* tmp = tr_strdup_printf(
++ "<p>Transmission received your request, but the hostname was unrecognized.</p>"
++ "<p>To fix this, choose one of the following options:"
++ "<ul>"
++ "<li>Enable password authentication, then any hostname is allowed.</li>"
++ "<li>Add the hostname you want to use to the whitelist in settings.</li>"
++ "</ul></p>"
++ "<p>If you're editing settings.json, see the 'rpc-host-whitelist' and 'rpc-host-whitelist-enabled' entries.</p>"
++ "<p>This requirement has been added to help prevent "
++ "<a href=\"https://en.wikipedia.org/wiki/DNS_rebinding\">DNS Rebinding</a> "
++ "attacks.</p>");
++ send_simple_response(req, 421, tmp);
++ tr_free(tmp);
++ }
++
+ else if (!test_session_id (server, req))
+ {
+ const char * sessionId = get_current_session_id (server);
+@@ -674,7 +736,7 @@ handle_request (struct evhttp_request *
+ "<li> When you get this 409 error message, resend your request with the updated header"
+ "</ol></p>"
+ "<p>This requirement has been added to help prevent "
+- "<a href=\"http://en.wikipedia.org/wiki/Cross-site_request_forgery\">CSRF</a> "
++ "<a href=\"https://en.wikipedia.org/wiki/Cross-site_request_forgery\">CSRF</a> "
+ "attacks.</p>"
+ "<p><code>%s: %s</code></p>",
+ TR_RPC_SESSION_ID_HEADER, sessionId);
+@@ -875,19 +937,14 @@ tr_rpcGetUrl (const tr_rpc_server * serv
+ return server->url ? server->url : "";
+ }
+
+-void
+-tr_rpcSetWhitelist (tr_rpc_server * server, const char * whitelistStr)
++static void
++tr_rpcSetList (char const* whitelistStr, tr_list** list)
+ {
+ void * tmp;
+ const char * walk;
+
+- /* keep the string */
+- tmp = server->whitelistStr;
+- server->whitelistStr = tr_strdup (whitelistStr);
+- tr_free (tmp);
+-
Home |
Main Index |
Thread Index |
Old Index