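Vulnerability Details
Transmission 'metainfo.c' Directory Traversal Vulnerability
- CNNVD ID: CNNVD-201001-053
- Severity: Medium
- CVE ID: CVE-2010-0012
- Vulnerability type: Path traversal
- Published: 2010-01-08
- Threat type: Remote
- Updated: 2010-01-11
- Vendor: transmissionbt
- Vulnerability source: Dan Rosenberg
Vulnerability Summary
A directory traversal vulnerability exists in the file libtransmission/metainfo.c in Transmission versions 1.22, 1.34, 1.75, and 1.76. A remote attacker can overwrite arbitrary files by means of a .. in a pathname within a .torrent file.
Vulnerability Advisory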
The vendor has released upgrade patches that fix this security issue. Patch download links:
Ubuntu Ubuntu Linux 9.10 sparc
- Ubuntu transmission-cli_1.75-0ubuntu2.2_sparc.deb http://ports.ubuntu.com/pool/universe/t/transmission/transmission-cli_1.75-0ubuntu2.2_sparc.deb
- Ubuntu transmission-common_1.75-0ubuntu2.2_all.deb http://security.ubuntu.com/ubuntu/pool/main/t/transmission/transmission-common_1.75-0ubuntu2.2_all.deb
- Ubuntu transmission-daemon_1.75-0ubuntu2.2_sparc.deb http://ports.ubuntu.com/pool/universe/t/transmission/transmission-daemon_1.75-0ubuntu2.2_sparc.deb
- Ubuntu transmission-gtk_1.75-0ubuntu2.2_sparc.deb http://ports.ubuntu.com/pool/main/t/transmission/transmission-gtk_1.75-0ubuntu2.2_sparc.deb
- Ubuntu transmission-qt_1.75-0ubuntu2.2_sparc.deb http://ports.ubuntu.com/pool/universe/t/transmission/transmission-qt_1.75-0ubuntu2.2_sparc.deb
- Ubuntu transmission_1.75-0ubuntu2.2_all.deb http://security.ubuntu.com/ubuntu/pool/universe/t/transmission/transmission_1.75-0ubuntu2.2_all.deb
Debian Linux 5.0 ia-64
- Debian transmission-cli_1.22-1+lenny2_ia64.deb http://security.debian.org/pool/updates/main/t/transmission/transmission-cli_1.22-1+lenny2_ia64.deb
- Debian transmission-common_1.22-1+lenny2_all.deb http://security.debian.org/pool/updates/main/t/transmission/transmission-common_1.22-1+lenny2_all.deb
- Debian transmission-gtk_1.22-1+lenny2_ia64.deb http://security.debian.org/pool/updates/main/t/transmission/transmission-gtk_1.22-1+lenny2_ia64.deb
- Debian transmission_1.22-1+lenny2_all.deb http://security.debian.org/pool/updates/main/t/transmission/transmission_1.22-1+lenny2_all.deb
MandrakeSoft Linux Mandrake 2009.1 x86_64
- Mandriva transmission-1.51-1.1mdv2009.1.x86_64.rpm http://www.mandriva.com/en/download/
References
- Source: launchpad.net Link: https://launchpad.net/bugs/500625
- Source: MLIST Name: [oss-security] 20100106 Re: CVE Request: Transmission Link: http://www.openwall.com/lists/oss-security/2010/01/06/4
- Source: MLIST Name: [oss-security] 20100106 CVE Request: Transmission Link: http://www.openwall.com/lists/oss-security/2010/01/06/2
- Source: MLIST Name: [debian-devel-changes] 20100105 Accepted transmission 1.77-1 (source all amd64) Link: http://www.mail-archive.com/[email protected]/msg264483.HTML
- Source: DEBIAN Name: DSA-1967 Link: http://www.debian.org/security/2010/dsa-1967
- Source: trac.transmissionbt.com Link: http://trac.transmissionbt.com/wiki/Changes#version-1.77
- Source: trac.transmissionbt.com Link: http://trac.transmissionbt.com/changeset/9829/
- Source: security.debian.org Link: http://security.debian.org/pool/updates/main/t/transmission/transmission_1.22-1+lenny2.diff.gz
- Source: SUSE Name: SUSE-SA:2010:008 Link: http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00009.HTML
- Source: NSFOCUS Name: 14366 Link: http://www.nsfocus.net/vulndb/14366
Affected Entities
- Transmissionbt Transmission:1.76
- Transmissionbt Transmission:1.75
- Transmissionbt Transmission:1.34
- Transmissionbt Transmission:1.22
Patches
- transmission-2.04.tar.xz
- Transmission-2.04.dmg
- transmission-2.04.tar.bz2