Posts: 516
oldhoghead
Site Admin
Joined: 01 Oct 2007
#1
Just a heads up on this:
Date Reported: 07 Jan 2010
Affected Packages: transmission
Vulnerable: Yes
Security database references: In Mitre's CVE dictionary: CVE-2010-0012.
More information:

Dan Rosenberg discovered that Transmission, a lightweight client for the Bittorrent filesharing protocol, performs insufficient sanitising of file names specified in .torrent files. This could lead to the overwrite of local files with the privileges of the user running Transmission if the user is tricked into opening a malicious torrent file.

For the stable distribution (lenny), this problem has been fixed in version 1.22-1+lenny2.

For the unstable distribution (sid), this problem has been fixed in version 1.77-1.

We recommend that you upgrade your transmission packages.
cheers,
oldhoghead
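Added example, not part of the post above and not Transmission's own code or its actual fix: a sketch of the kind of file-name check the advisory says was insufficient, rejecting path components that would leave the download directory. The function names, the component-list input and the sample paths are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not Transmission code: true if one path component
 * read from a .torrent file is usable as a name below the download dir. */
static bool component_is_safe(const char *c)
{
    if (c == NULL || c[0] == '\0')
        return false;                 /* missing or empty component */
    if (strcmp(c, ".") == 0 || strcmp(c, "..") == 0)
        return false;                 /* would step out of the directory */
    return strpbrk(c, "/\\") == NULL; /* no embedded path separators */
}

/* Write "<dir>/<c0>/<c1>/..." to out only if every component passes.
 * Returns false and leaves out empty on rejection or if it will not fit. */
bool build_safe_path(const char *dir, const char *const *comp, size_t n,
                     char *out, size_t out_len)
{
    if (out_len == 0)
        return false;
    out[0] = '\0';
    size_t used = strlen(dir);
    if (n == 0 || used >= out_len)
        return false;
    memcpy(out, dir, used + 1);
    for (size_t i = 0; i < n; i++) {
        size_t len = component_is_safe(comp[i]) ? strlen(comp[i]) : 0;
        if (len == 0 || used + 1 + len >= out_len) {
            out[0] = '\0';
            return false;
        }
        out[used++] = '/';
        memcpy(out + used, comp[i], len + 1);
        used += len;
    }
    return true;
}

int main(void)
{
    /* Constructed sample entries, given as lists of path components. */
    const char *ok[] = { "album", "track01.flac" };
    const char *bad[] = { "..", "..", "file.txt" };
    char buf[128];
    printf("%d\n", build_safe_path("/srv/downloads", ok, 2, buf, sizeof buf));
    printf("%d\n", build_safe_path("/srv/downloads", bad, 3, buf, sizeof buf));
    return 0;
}
```

The check is lexical only; it does not resolve symlinks that already exist under the download directory.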
Posts: 903
plvera
Joined: 11 Oct 2008
#2
Oldhoghead:
Thanks for the information. I had been running the standard mix of stable and testing repos, however, I closed off all testing repos. So, how do I force the installation of the stable version? Currently, I'm running Transmission 1.76 which I guess does not contain the fix.

thanks.
Pedro
anticapitalista
Posts: 5,955
Site Admin
Joined: 11 Sep 2007
#3
Better to get the one from Unstable.
Just enable unstable repo for
apt-get update
apt-get install transmission

And, if all is well, comment back out the unstable repo.
Posts: 903
plvera
Joined: 11 Oct 2008
#4
Thanks, Anti. It seems to have worked.
Pedro