
Re: Wheezy update of qbittorrent?



On 13.03.2017 at 03:04, Andrew Starr-Bochicchio wrote:
>> On 06 Mar 2017 11:49 PM, Markus Koschany <apo@debian.org> wrote:
>> the Debian LTS team would like to fix the security issues which are
>> currently open in the Wheezy version of qbittorrent:
>> https://security-tracker.debian.org/tracker/source-package/qbittorrent
>>
>> Would you like to take care of this yourself?
> 
> I was able to investigate this today. Wheezy shipped with qbittorrent
> 2.9.8-1. qbittorrent version 3.2.0, released May 10th 2015, saw a
> major refactoring of the webui's code. From the changelog: [0]
> 
>>  FEATURE: WEBUI code rewritten, refactored and improved. (glassez, pmzqla, buinsky)
> 
> Reviewing the patches for both CVEs as well as the code shipped with
> 2.9.8, these fixes do not apply. While it's quite possible similar
> issues may exist in Wheezy, the code base has changed significantly
> enough to say that these specific bugs are not in Wheezy.

Thank you for the investigation. I agree that the code base underwent a
major refactoring and probably CVE-2017-6504 does not apply to Wheezy.
However, I think Wheezy is still affected by CVE-2017-6504, which is
basically the absence of an escape function to sanitize several strings
and values. For instance, this can be seen if you compare the following
lines from propertieswidget.cpp and peerlistwidget.cpp from before the
fix and in Wheezy:

comment_text->setText(Utils::Misc::parseHtmlLinks(m_torrent->comment()));

Wheezy:

comment_text->setHtml(misc::parseHtmlLinks(h.comment()));

peerlistwidget.cpp

m_listModel->setData(m_listModel->index(row, PeerListDelegate::CLIENT),
peer.client());

Wheezy:

listModel->setData(listModel->index(row, PeerListDelegate::CLIENT),
misc::toQStringU(peer.client));

Different code, but the strings are not escaped.

Regards,

Markus
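The point of the comparison above is that untrusted strings (a torrent's comment, a peer's client name) reach a rich-text renderer without an escape step. The following is an added example, not code from qbittorrent or from either mail: a minimal HTML escaper in plain C++ (std::string stands in for QString, so Qt is not needed to build it), with one rendering path that models the Wheezy pattern of inserting the text unchanged and one that escapes it first. The function names, the `<p>` template and the sample comment are all constructed for this illustration.

```cpp
// Added example (not qbittorrent code): escaping untrusted text before it is
// handed to a rich-text/HTML renderer. Plain C++, no Qt dependency assumed.
#include <string>
#include <iostream>

// Escape the five characters that can change HTML structure or attribute context.
std::string escape_html(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}

// Models the Wheezy pattern: the untrusted comment is inserted into rich text unchanged.
std::string render_unescaped(const std::string& comment) {
    return "<p>" + comment + "</p>";
}

// Models the fixed pattern: the same comment is escaped before it reaches the renderer.
std::string render_escaped(const std::string& comment) {
    return "<p>" + escape_html(comment) + "</p>";
}

// True if the rendered string still contains markup that was not part of the template
// (i.e. any '<' left inside the <p>...</p> wrapper).
bool contains_foreign_tag(const std::string& rendered) {
    // strip the template's own "<p>" (3 chars) and "</p>" (4 chars)
    std::string body = rendered.substr(3, rendered.size() - 7);
    return body.find('<') != std::string::npos;
}

int main() {
    // Constructed sample: a torrent comment field that happens to carry markup.
    const std::string comment = "Great release! <b>bold</b> & \"quoted\"";
    std::cout << "unescaped: " << render_unescaped(comment) << "\n";
    std::cout << "escaped:   " << render_escaped(comment) << "\n";
    return 0;
}
```

The same escape step applies to the peer client string from peerlistwidget.cpp; whichever widget displays untrusted text as rich text needs it. In real Qt code the equivalent is QString::toHtmlEscaped() (or using setText() rather than setHtml() so the value is never interpreted as markup at all), which is the shape of fix the mail describes as missing from Wheezy.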
