Bug#964868: stretch-pu: package transmission/2.94-2+deb10u1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Fixes a security issue in Transmission, which doesn't warrant a DSA,
but still good to fix in stable. I've tested the update extensively
(I had prepared the update for 10.4, but it fell through the cracks)
Debdiff attached.
Cheers,
Moritz
diff -Nru transmission-2.94/debian/changelog transmission-2.94/debian/changelog
--- transmission-2.94/debian/changelog 2019-01-01 00:07:49.000000000 +0100
+++ transmission-2.94/debian/changelog 2020-05-29 00:05:53.000000000 +0200
@@ -1,3 +1,9 @@
+transmission (2.94-2+deb10u1) buster; urgency=medium
+
+ * CVE-2018-10756 (Closes: #961461)
+
+ -- Moritz Muehlenhoff <jmm@debian.org> Fri, 29 May 2020 00:05:53 +0200
+
transmission (2.94-2) unstable; urgency=medium
[ Ondřej Nový ]
diff -Nru transmission-2.94/debian/patches/CVE-2018-10756.patch transmission-2.94/debian/patches/CVE-2018-10756.patch
--- transmission-2.94/debian/patches/CVE-2018-10756.patch 1970-01-01 01:00:00.000000000 +0100
+++ transmission-2.94/debian/patches/CVE-2018-10756.patch 2020-05-29 00:05:53.000000000 +0200
@@ -0,0 +1,66 @@
+Backport to 2.94 of
+
+From 2123adf8e5e1c2b48791f9d22fc8c747e974180e Mon Sep 17 00:00:00 2001
+From: Mike Gelfand <mikedld@mikedld.com>
+Date: Sun, 28 Apr 2019 11:27:33 +0300
+Subject: [PATCH] CVE-2018-10756: Fix heap-use-after-free in tr_variantWalk
+
+In libtransmission/variant.c, function tr_variantWalk, when the variant
+stack is reallocated, a pointer to the previously allocated memory
+region is kept. This address is later accessed (heap use-after-free)
+while walking back down the stack, causing the application to crash.
+The application can be any application which uses libtransmission, such
+as transmission-daemon, transmission-gtk, transmission-show, etc.
+
+Reported-by: Tom Richards <tom@tomrichards.net>
+
+--- transmission-2.94.orig/libtransmission/variant.c
++++ transmission-2.94/libtransmission/variant.c
+@@ -820,7 +820,7 @@ compareKeyIndex (const void * va, const
+ struct SaveNode
+ {
+ const tr_variant * v;
+- tr_variant sorted;
++ tr_variant* sorted;
+ size_t childIndex;
+ bool isVisited;
+ };
+@@ -849,26 +849,31 @@ nodeConstruct (struct SaveNode * node,
+
+ qsort (tmp, n, sizeof (struct KeyIndex), compareKeyIndex);
+
+- tr_variantInitDict (&node->sorted, n);
++ node->sorted = tr_new(tr_variant, 1);
++ tr_variantInitDict(node->sorted, n);
++
+ for (i=0; i<n; ++i)
+- node->sorted.val.l.vals[i] = *tmp[i].val;
+- node->sorted.val.l.count = n;
++ node->sorted->val.l.vals[i] = *tmp[i].val;
++ node->sorted->val.l.count = n;
+
+ tr_free (tmp);
+
+- node->v = &node->sorted;
++ v = node->sorted;
++
+ }
+ else
+ {
+- node->v = v;
++ node->sorted = NULL;
+ }
++
++ node->v = v;
+ }
+
+ static void
+ nodeDestruct (struct SaveNode * node)
+ {
+- if (node->v == &node->sorted)
+- tr_free (node->sorted.val.l.vals);
++ if (node->v == node->sorted)
++ tr_free (node->sorted->val.l.vals);
+ }
+
+ /**
diff -Nru transmission-2.94/debian/patches/series transmission-2.94/debian/patches/series
--- transmission-2.94/debian/patches/series 2019-01-01 00:07:49.000000000 +0100
+++ transmission-2.94/debian/patches/series 2020-05-29 00:05:53.000000000 +0200
@@ -4,3 +4,4 @@
transmission-daemon_execstop_service.patch
ayatana-indicators.patch
patch-vendored-libdht.patch
+CVE-2018-10756.patch
Reply to: