diff options
author | wiz <wiz@pkgsrc.org> | 2018-01-16 09:37:00 +0000 |
---|---|---|
committer | wiz <wiz@pkgsrc.org> | 2018-01-16 09:37:00 +0000 |
commit | 731b4c4bfc2e448adb969eddf6c5a5d4dca76082 (patch) | |
tree | c9adbc2e5cafd91799fda8a7bb8b090f2694325b /net | |
parent | f113fe8bcc137c1f53eef2072bd52dc3378b8276 (diff) | |
download | pkgsrc-731b4c4bfc2e448adb969eddf6c5a5d4dca76082.tar.gz |
transmission*: Fix security issue
Fix a weakness that allows remote code execution via the Transmission
RPC server using DNS rebinding:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1447
Patch adapted from Tavis Ormandy's patch on the Transmission master
branch to the Transmission 2.92 release by Leo Famulari
<leo@famulari.name>:
https://github.com/transmission/transmission/pull/468/commits
Via FreeBSD ports.
Bump PKGREVISION.
Diffstat (limited to 'net')
-rw-r--r-- | net/transmission-gtk/Makefile | 4 | ||||
-rw-r--r-- | net/transmission-qt/Makefile | 4 | ||||
-rw-r--r-- | net/transmission/Makefile | 4 | ||||
-rw-r--r-- | net/transmission/distinfo | 9 | ||||
-rw-r--r-- | net/transmission/patches/patch-libtransmission_quark.c | 39 | ||||
-rw-r--r-- | net/transmission/patches/patch-libtransmission_quark.h | 39 | ||||
-rw-r--r-- | net/transmission/patches/patch-libtransmission_rpc-server.c | 224 | ||||
-rw-r--r-- | net/transmission/patches/patch-libtransmission_rpc-server.h | 41 | ||||
-rw-r--r-- | net/transmission/patches/patch-libtransmission_session.c | 39 | ||||
-rw-r--r-- | net/transmission/patches/patch-libtransmission_transmission.h | 38 | ||||
-rw-r--r-- | net/transmission/patches/patch-libtransmission_web.c | 38 |
11 files changed, 472 insertions, 7 deletions
diff --git a/net/transmission-gtk/Makefile b/net/transmission-gtk/Makefile index cc6d4ff2226..6e1ccdb0cca 100644 --- a/net/transmission-gtk/Makefile +++ b/net/transmission-gtk/Makefile @@ -1,7 +1,7 @@ -# $NetBSD: Makefile,v 1.25 2018/01/01 21:18:49 adam Exp $ +# $NetBSD: Makefile,v 1.26 2018/01/16 09:37:00 wiz Exp $ PKGNAME= transmission-gtk-${VERSION} -PKGREVISION= 9 +PKGREVISION= 10 USE_LANGUAGES= c c++ INSTALL_ENV+= INSTALL_ROOT=${DESTDIR}${PREFIX} diff --git a/net/transmission-qt/Makefile b/net/transmission-qt/Makefile index 5943ad93d50..11547e22fe3 100644 --- a/net/transmission-qt/Makefile +++ b/net/transmission-qt/Makefile @@ -1,7 +1,7 @@ -# $NetBSD: Makefile,v 1.29 2018/01/01 21:18:49 adam Exp $ +# $NetBSD: Makefile,v 1.30 2018/01/16 09:37:00 wiz Exp $ PKGNAME= transmission-qt-${VERSION} -PKGREVISION= 12 +PKGREVISION= 13 USE_LANGUAGES= c c++ MAKE_ENV+= QTDIR=${QTDIR} diff --git a/net/transmission/Makefile b/net/transmission/Makefile index 253cd409ffb..fbb00253792 100644 --- a/net/transmission/Makefile +++ b/net/transmission/Makefile @@ -1,4 +1,4 @@ -# $NetBSD: Makefile,v 1.12 2018/01/01 21:18:49 adam Exp $ +# $NetBSD: Makefile,v 1.13 2018/01/16 09:37:00 wiz Exp $ CONFLICTS+= Transmission-[0-9]* @@ -8,6 +8,6 @@ pre-configure: CONFIGURE_ARGS+= --disable-mac CONFIGURE_ARGS+= --without-gtk -PKGREVISION= 5 +PKGREVISION= 6 .include "../../net/transmission/Makefile.common" .include "../../mk/bsd.pkg.mk" diff --git a/net/transmission/distinfo b/net/transmission/distinfo index d4717aea29d..151107075ff 100644 --- a/net/transmission/distinfo +++ b/net/transmission/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.12 2017/07/13 13:38:59 wiz Exp $ +$NetBSD: distinfo,v 1.13 2018/01/16 09:37:00 wiz Exp $ SHA1 (transmission-2.92.tar.xz) = 2140feba45c4471392033d21b86b6f3ef780d88e RMD160 (transmission-2.92.tar.xz) = 6da78ce333fa2ea69aa4954c3b052a818ce7c93e @@ -6,4 +6,11 @@ SHA512 (transmission-2.92.tar.xz) = 4d99476bee88cedcc4238a0eee64a4089016933cbfc1 Size (transmission-2.92.tar.xz) = 3378116 bytes SHA1 (patch-ab) = 796faa7c61762dc3ffe563748e55160c827149d2 SHA1 (patch-libtransmission_platform-quota.c) = 2d9758d24c4329021e0774ac9f8bb3dd94592965 +SHA1 (patch-libtransmission_quark.c) = 70b8d8d3de0ae480433464a1dbee4488af3b64d9 +SHA1 (patch-libtransmission_quark.h) = 5c4b0a24e2e142a3504c232b333fa7665fe8178f +SHA1 (patch-libtransmission_rpc-server.c) = 38aba449da55ae7f7c492b377d3ef6f5f54cc360 +SHA1 (patch-libtransmission_rpc-server.h) = b47127d42aaf1315719531f7af0c9f6a6dd14f6f +SHA1 (patch-libtransmission_session.c) = 29c159b6297eed2da9da51ec9ce254a871ce21c1 +SHA1 (patch-libtransmission_transmission.h) = 349c63f0ec98fe632aff32c71cdb3918d7e08a19 +SHA1 (patch-libtransmission_web.c) = 8483cbe1155ac07d82c6733ceda48274d157b207 SHA1 (patch-qt_qtr.pro) = 982c76669f41f154470a91b4b7c9cb5dcc41132c diff --git a/net/transmission/patches/patch-libtransmission_quark.c b/net/transmission/patches/patch-libtransmission_quark.c new file mode 100644 index 00000000000..cda163fb466 --- /dev/null +++ b/net/transmission/patches/patch-libtransmission_quark.c @@ -0,0 +1,39 @@ +$NetBSD: patch-libtransmission_quark.c,v 1.1 2018/01/16 09:37:00 wiz Exp $ + +Fix a weakness that allows remote code execution via the Transmission +RPC server using DNS rebinding: + +https://bugs.chromium.org/p/project-zero/issues/detail?id=1447 + +Patch adapted from Tavis Ormandy's patch on the Transmission master +branch to the Transmission 2.92 release by Leo Famulari +<leo@famulari.name>: + +https://github.com/transmission/transmission/pull/468/commits + +From fe2d3c6e75088f3d9b6040ce06da3d530358bc2f Mon Sep 17 00:00:00 2001 +From: Tavis Ormandy <taviso@google.com> +Date: Thu, 11 Jan 2018 10:00:41 -0800 +Subject: [PATCH] mitigate dns rebinding attacks against daemon + +--- + libtransmission/quark.c | 2 + + libtransmission/quark.h | 2 + + libtransmission/rpc-server.c | 116 +++++++++++++++++++++++++++++++++++++---- + libtransmission/rpc-server.h | 4 ++ + libtransmission/session.c | 2 + + libtransmission/transmission.h | 1 + + libtransmission/web.c | 3 ++ + 7 files changed, 121 insertions(+), 9 deletions(-) + +--- libtransmission/quark.c.orig 2016-01-09 18:02:58.738698801 +0000 ++++ libtransmission/quark.c +@@ -289,6 +289,8 @@ static const struct tr_key_struct my_sta + { "rpc-authentication-required", 27 }, + { "rpc-bind-address", 16 }, + { "rpc-enabled", 11 }, ++ { "rpc-host-whitelist", 18 }, ++ { "rpc-host-whitelist-enabled", 26 }, + { "rpc-password", 12 }, + { "rpc-port", 8 }, + { "rpc-url", 7 }, diff --git a/net/transmission/patches/patch-libtransmission_quark.h b/net/transmission/patches/patch-libtransmission_quark.h new file mode 100644 index 00000000000..926a75a5848 --- /dev/null +++ b/net/transmission/patches/patch-libtransmission_quark.h @@ -0,0 +1,39 @@ +$NetBSD: patch-libtransmission_quark.h,v 1.1 2018/01/16 09:37:00 wiz Exp $ + +Fix a weakness that allows remote code execution via the Transmission +RPC server using DNS rebinding: + +https://bugs.chromium.org/p/project-zero/issues/detail?id=1447 + +Patch adapted from Tavis Ormandy's patch on the Transmission master +branch to the Transmission 2.92 release by Leo Famulari +<leo@famulari.name>: + +https://github.com/transmission/transmission/pull/468/commits + +From fe2d3c6e75088f3d9b6040ce06da3d530358bc2f Mon Sep 17 00:00:00 2001 +From: Tavis Ormandy <taviso@google.com> +Date: Thu, 11 Jan 2018 10:00:41 -0800 +Subject: [PATCH] mitigate dns rebinding attacks against daemon + +--- + libtransmission/quark.c | 2 + + libtransmission/quark.h | 2 + + libtransmission/rpc-server.c | 116 +++++++++++++++++++++++++++++++++++++---- + libtransmission/rpc-server.h | 4 ++ + libtransmission/session.c | 2 + + libtransmission/transmission.h | 1 + + libtransmission/web.c | 3 ++ + 7 files changed, 121 insertions(+), 9 deletions(-) + +--- libtransmission/quark.h.orig 2015-06-28 19:23:49.613528096 +0000 ++++ libtransmission/quark.h +@@ -291,6 +291,8 @@ enum + TR_KEY_rpc_authentication_required, + TR_KEY_rpc_bind_address, + TR_KEY_rpc_enabled, ++ TR_KEY_rpc_host_whitelist, ++ TR_KEY_rpc_host_whitelist_enabled, + TR_KEY_rpc_password, + TR_KEY_rpc_port, + TR_KEY_rpc_url, diff --git a/net/transmission/patches/patch-libtransmission_rpc-server.c b/net/transmission/patches/patch-libtransmission_rpc-server.c new file mode 100644 index 00000000000..5d2ee9ac7a3 --- /dev/null +++ b/net/transmission/patches/patch-libtransmission_rpc-server.c @@ -0,0 +1,224 @@ +$NetBSD: patch-libtransmission_rpc-server.c,v 1.1 2018/01/16 09:37:00 wiz Exp $ + +Fix a weakness that allows remote code execution via the Transmission +RPC server using DNS rebinding: + +https://bugs.chromium.org/p/project-zero/issues/detail?id=1447 + +Patch adapted from Tavis Ormandy's patch on the Transmission master +branch to the Transmission 2.92 release by Leo Famulari +<leo@famulari.name>: + +https://github.com/transmission/transmission/pull/468/commits + +From fe2d3c6e75088f3d9b6040ce06da3d530358bc2f Mon Sep 17 00:00:00 2001 +From: Tavis Ormandy <taviso@google.com> +Date: Thu, 11 Jan 2018 10:00:41 -0800 +Subject: [PATCH] mitigate dns rebinding attacks against daemon + +--- + libtransmission/quark.c | 2 + + libtransmission/quark.h | 2 + + libtransmission/rpc-server.c | 116 +++++++++++++++++++++++++++++++++++++---- + libtransmission/rpc-server.h | 4 ++ + libtransmission/session.c | 2 + + libtransmission/transmission.h | 1 + + libtransmission/web.c | 3 ++ + 7 files changed, 121 insertions(+), 9 deletions(-) + +--- libtransmission/rpc-server.c.orig 2016-01-09 18:02:58.740698836 +0000 ++++ libtransmission/rpc-server.c +@@ -52,6 +52,7 @@ struct tr_rpc_server + bool isEnabled; + bool isPasswordEnabled; + bool isWhitelistEnabled; ++ bool isHostWhitelistEnabled; + tr_port port; + char * url; + struct in_addr bindAddress; +@@ -63,6 +64,7 @@ struct tr_rpc_server + char * password; + char * whitelistStr; + tr_list * whitelist; ++ tr_list * hostWhitelist; + + char * sessionId; + time_t sessionIdExpiresAt; +@@ -588,6 +590,49 @@ isAddressAllowed (const tr_rpc_server * + return false; + } + ++static bool isHostnameAllowed(tr_rpc_server const* server, struct evhttp_request* req) ++{ ++ /* If password auth is enabled, any hostname is permitted. */ ++ if (server->isPasswordEnabled) ++ { ++ return true; ++ } ++ ++ char const* const host = evhttp_find_header(req->input_headers, "Host"); ++ ++ // If whitelist is disabled, no restrictions. ++ if (!server->isHostWhitelistEnabled) ++ return true; ++ ++ /* No host header, invalid request. */ ++ if (host == NULL) ++ { ++ return false; ++ } ++ ++ /* Host header might include the port. */ ++ char* const hostname = tr_strndup(host, strcspn(host, ":")); ++ ++ /* localhost or ipaddress is always acceptable. */ ++ if (strcmp(hostname, "localhost") == 0 || strcmp(hostname, "localhost.") == 0 || tr_addressIsIP(hostname)) ++ { ++ tr_free(hostname); ++ return true; ++ } ++ ++ /* Otherwise, hostname must be whitelisted. */ ++ for (tr_list* l = server->hostWhitelist; l != NULL; l = l->next) { ++ if (tr_wildmat(hostname, l->data)) ++ { ++ tr_free(hostname); ++ return true; ++ } ++ } ++ ++ tr_free(hostname); ++ return false; ++} ++ + static bool + test_session_id (struct tr_rpc_server * server, struct evhttp_request * req) + { +@@ -663,6 +708,23 @@ handle_request (struct evhttp_request * + handle_upload (req, server); + } + #ifdef REQUIRE_SESSION_ID ++ else if (!isHostnameAllowed(server, req)) ++ { ++ char* tmp = tr_strdup_printf( ++ "<p>Transmission received your request, but the hostname was unrecognized.</p>" ++ "<p>To fix this, choose one of the following options:" ++ "<ul>" ++ "<li>Enable password authentication, then any hostname is allowed.</li>" ++ "<li>Add the hostname you want to use to the whitelist in settings.</li>" ++ "</ul></p>" ++ "<p>If you're editing settings.json, see the 'rpc-host-whitelist' and 'rpc-host-whitelist-enabled' entries.</p>" ++ "<p>This requirement has been added to help prevent " ++ "<a href=\"https://en.wikipedia.org/wiki/DNS_rebinding\">DNS Rebinding</a> " ++ "attacks.</p>"); ++ send_simple_response(req, 421, tmp); ++ tr_free(tmp); ++ } ++ + else if (!test_session_id (server, req)) + { + const char * sessionId = get_current_session_id (server); +@@ -674,7 +736,7 @@ handle_request (struct evhttp_request * + "<li> When you get this 409 error message, resend your request with the updated header" + "</ol></p>" + "<p>This requirement has been added to help prevent " +- "<a href=\"http://en.wikipedia.org/wiki/Cross-site_request_forgery\">CSRF</a> " ++ "<a href=\"https://en.wikipedia.org/wiki/Cross-site_request_forgery\">CSRF</a> " + "attacks.</p>" + "<p><code>%s: %s</code></p>", + TR_RPC_SESSION_ID_HEADER, sessionId); +@@ -875,19 +937,14 @@ tr_rpcGetUrl (const tr_rpc_server * serv + return server->url ? server->url : ""; + } + +-void +-tr_rpcSetWhitelist (tr_rpc_server * server, const char * whitelistStr) ++static void ++tr_rpcSetList (char const* whitelistStr, tr_list** list) + { + void * tmp; + const char * walk; + +- /* keep the string */ +- tmp = server->whitelistStr; +- server->whitelistStr = tr_strdup (whitelistStr); +- tr_free (tmp); +- + /* clear out the old whitelist entries */ +- while ((tmp = tr_list_pop_front (&server->whitelist))) ++ while ((tmp = tr_list_pop_front (list)) != NULL) + tr_free (tmp); + + /* build the new whitelist entries */ +@@ -896,7 +953,7 @@ tr_rpcSetWhitelist (tr_rpc_server * serv + const char * delimiters = " ,;"; + const size_t len = strcspn (walk, delimiters); + char * token = tr_strndup (walk, len); +- tr_list_append (&server->whitelist, token); ++ tr_list_append (list, token); + if (strcspn (token, "+-") < len) + tr_logAddNamedInfo (MY_NAME, "Adding address to whitelist: %s (And it has a '+' or '-'! Are you using an old ACL by mistake?)", token); + else +@@ -909,6 +966,21 @@ tr_rpcSetWhitelist (tr_rpc_server * serv + } + } + ++void tr_rpcSetHostWhitelist(tr_rpc_server* server, char const* whitelistStr) ++{ ++ tr_rpcSetList(whitelistStr, &server->hostWhitelist); ++} ++ ++void tr_rpcSetWhitelist(tr_rpc_server* server, char const* whitelistStr) ++{ ++ /* keep the string */ ++ char* const tmp = server->whitelistStr; ++ server->whitelistStr = tr_strdup(whitelistStr); ++ tr_free(tmp); ++ ++ tr_rpcSetList(whitelistStr, &server->whitelist); ++} ++ + const char* + tr_rpcGetWhitelist (const tr_rpc_server * server) + { +@@ -930,6 +1002,11 @@ tr_rpcGetWhitelistEnabled (const tr_rpc_ + return server->isWhitelistEnabled; + } + ++void tr_rpcSetHostWhitelistEnabled(tr_rpc_server* server, bool isEnabled) ++{ ++ server->isHostWhitelistEnabled = isEnabled; ++} ++ + /**** + ***** PASSWORD + ****/ +@@ -1063,6 +1140,28 @@ tr_rpcInit (tr_session * session, tr_va + else + tr_rpcSetWhitelistEnabled (s, boolVal); + ++ key = TR_KEY_rpc_host_whitelist_enabled; ++ ++ if (!tr_variantDictFindBool(settings, key, &boolVal)) ++ { ++ missing_settings_key(key); ++ } ++ else ++ { ++ tr_rpcSetHostWhitelistEnabled(s, boolVal); ++ } ++ ++ key = TR_KEY_rpc_host_whitelist; ++ ++ if (!tr_variantDictFindStr(settings, key, &str, NULL) && str != NULL) ++ { ++ missing_settings_key(key); ++ } ++ else ++ { ++ tr_rpcSetHostWhitelist(s, str); ++ } ++ + key = TR_KEY_rpc_authentication_required; + if (!tr_variantDictFindBool (settings, key, &boolVal)) + missing_settings_key (key); diff --git a/net/transmission/patches/patch-libtransmission_rpc-server.h b/net/transmission/patches/patch-libtransmission_rpc-server.h new file mode 100644 index 00000000000..0ade21cf0ab --- /dev/null +++ b/net/transmission/patches/patch-libtransmission_rpc-server.h @@ -0,0 +1,41 @@ +$NetBSD: patch-libtransmission_rpc-server.h,v 1.1 2018/01/16 09:37:00 wiz Exp $ + +Fix a weakness that allows remote code execution via the Transmission +RPC server using DNS rebinding: + +https://bugs.chromium.org/p/project-zero/issues/detail?id=1447 + +Patch adapted from Tavis Ormandy's patch on the Transmission master +branch to the Transmission 2.92 release by Leo Famulari +<leo@famulari.name>: + +https://github.com/transmission/transmission/pull/468/commits + +From fe2d3c6e75088f3d9b6040ce06da3d530358bc2f Mon Sep 17 00:00:00 2001 +From: Tavis Ormandy <taviso@google.com> +Date: Thu, 11 Jan 2018 10:00:41 -0800 +Subject: [PATCH] mitigate dns rebinding attacks against daemon + +--- + libtransmission/quark.c | 2 + + libtransmission/quark.h | 2 + + libtransmission/rpc-server.c | 116 +++++++++++++++++++++++++++++++++++++---- + libtransmission/rpc-server.h | 4 ++ + libtransmission/session.c | 2 + + libtransmission/transmission.h | 1 + + libtransmission/web.c | 3 ++ + 7 files changed, 121 insertions(+), 9 deletions(-) + +--- libtransmission/rpc-server.h.orig 2014-12-10 19:22:42.938222700 +0000 ++++ libtransmission/rpc-server.h +@@ -49,6 +49,10 @@ void tr_rpcSetWhitelist (tr_r + + const char* tr_rpcGetWhitelist (const tr_rpc_server * server); + ++void tr_rpcSetHostWhitelistEnabled(tr_rpc_server* server, bool isEnabled); ++ ++void tr_rpcSetHostWhitelist(tr_rpc_server* server, char const* whitelist); ++ + void tr_rpcSetPassword (tr_rpc_server * server, + const char * password); + diff --git a/net/transmission/patches/patch-libtransmission_session.c b/net/transmission/patches/patch-libtransmission_session.c new file mode 100644 index 00000000000..62724aa7f23 --- /dev/null +++ b/net/transmission/patches/patch-libtransmission_session.c @@ -0,0 +1,39 @@ +$NetBSD: patch-libtransmission_session.c,v 1.1 2018/01/16 09:37:00 wiz Exp $ + +Fix a weakness that allows remote code execution via the Transmission +RPC server using DNS rebinding: + +https://bugs.chromium.org/p/project-zero/issues/detail?id=1447 + +Patch adapted from Tavis Ormandy's patch on the Transmission master +branch to the Transmission 2.92 release by Leo Famulari +<leo@famulari.name>: + +https://github.com/transmission/transmission/pull/468/commits + +From fe2d3c6e75088f3d9b6040ce06da3d530358bc2f Mon Sep 17 00:00:00 2001 +From: Tavis Ormandy <taviso@google.com> +Date: Thu, 11 Jan 2018 10:00:41 -0800 +Subject: [PATCH] mitigate dns rebinding attacks against daemon + +--- + libtransmission/quark.c | 2 + + libtransmission/quark.h | 2 + + libtransmission/rpc-server.c | 116 +++++++++++++++++++++++++++++++++++++---- + libtransmission/rpc-server.h | 4 ++ + libtransmission/session.c | 2 + + libtransmission/transmission.h | 1 + + libtransmission/web.c | 3 ++ + 7 files changed, 121 insertions(+), 9 deletions(-) + +--- libtransmission/session.c.orig 2016-01-09 18:02:58.743698889 +0000 ++++ libtransmission/session.c +@@ -359,6 +359,8 @@ tr_sessionGetDefaultSettings (tr_variant + tr_variantDictAddStr (d, TR_KEY_rpc_username, ""); + tr_variantDictAddStr (d, TR_KEY_rpc_whitelist, TR_DEFAULT_RPC_WHITELIST); + tr_variantDictAddBool (d, TR_KEY_rpc_whitelist_enabled, true); ++ tr_variantDictAddStr(d, TR_KEY_rpc_host_whitelist, TR_DEFAULT_RPC_HOST_WHITELIST); ++ tr_variantDictAddBool(d, TR_KEY_rpc_host_whitelist_enabled, true); + tr_variantDictAddInt (d, TR_KEY_rpc_port, atoi (TR_DEFAULT_RPC_PORT_STR)); + tr_variantDictAddStr (d, TR_KEY_rpc_url, TR_DEFAULT_RPC_URL_STR); + tr_variantDictAddBool (d, TR_KEY_scrape_paused_torrents_enabled, true); diff --git a/net/transmission/patches/patch-libtransmission_transmission.h b/net/transmission/patches/patch-libtransmission_transmission.h new file mode 100644 index 00000000000..55e007ed82b --- /dev/null +++ b/net/transmission/patches/patch-libtransmission_transmission.h @@ -0,0 +1,38 @@ +$NetBSD: patch-libtransmission_transmission.h,v 1.1 2018/01/16 09:37:00 wiz Exp $ + +Fix a weakness that allows remote code execution via the Transmission +RPC server using DNS rebinding: + +https://bugs.chromium.org/p/project-zero/issues/detail?id=1447 + +Patch adapted from Tavis Ormandy's patch on the Transmission master +branch to the Transmission 2.92 release by Leo Famulari +<leo@famulari.name>: + +https://github.com/transmission/transmission/pull/468/commits + +From fe2d3c6e75088f3d9b6040ce06da3d530358bc2f Mon Sep 17 00:00:00 2001 +From: Tavis Ormandy <taviso@google.com> +Date: Thu, 11 Jan 2018 10:00:41 -0800 +Subject: [PATCH] mitigate dns rebinding attacks against daemon + +--- + libtransmission/quark.c | 2 + + libtransmission/quark.h | 2 + + libtransmission/rpc-server.c | 116 +++++++++++++++++++++++++++++++++++++---- + libtransmission/rpc-server.h | 4 ++ + libtransmission/session.c | 2 + + libtransmission/transmission.h | 1 + + libtransmission/web.c | 3 ++ + 7 files changed, 121 insertions(+), 9 deletions(-) + +--- libtransmission/transmission.h.orig 2015-12-31 18:33:37.576878516 +0000 ++++ libtransmission/transmission.h +@@ -123,6 +123,7 @@ const char* tr_getDefaultDownloadDir (vo + #define TR_DEFAULT_BIND_ADDRESS_IPV4 "0.0.0.0" + #define TR_DEFAULT_BIND_ADDRESS_IPV6 "::" + #define TR_DEFAULT_RPC_WHITELIST "127.0.0.1" ++#define TR_DEFAULT_RPC_HOST_WHITELIST "" + #define TR_DEFAULT_RPC_PORT_STR "9091" + #define TR_DEFAULT_RPC_URL_STR "/transmission/" + #define TR_DEFAULT_PEER_PORT_STR "51413" diff --git a/net/transmission/patches/patch-libtransmission_web.c b/net/transmission/patches/patch-libtransmission_web.c new file mode 100644 index 00000000000..674cf94c29f --- /dev/null +++ b/net/transmission/patches/patch-libtransmission_web.c @@ -0,0 +1,38 @@ +$NetBSD: patch-libtransmission_web.c,v 1.1 2018/01/16 09:37:00 wiz Exp $ + +Fix a weakness that allows remote code execution via the Transmission +RPC server using DNS rebinding: + +https://bugs.chromium.org/p/project-zero/issues/detail?id=1447 + +Patch adapted from Tavis Ormandy's patch on the Transmission master +branch to the Transmission 2.92 release by Leo Famulari +<leo@famulari.name>: + +https://github.com/transmission/transmission/pull/468/commits + +From fe2d3c6e75088f3d9b6040ce06da3d530358bc2f Mon Sep 17 00:00:00 2001 +From: Tavis Ormandy <taviso@google.com> +Date: Thu, 11 Jan 2018 10:00:41 -0800 +Subject: [PATCH] mitigate dns rebinding attacks against daemon + +--- + libtransmission/quark.c | 2 + + libtransmission/quark.h | 2 + + libtransmission/rpc-server.c | 116 +++++++++++++++++++++++++++++++++++++---- + libtransmission/rpc-server.h | 4 ++ + libtransmission/session.c | 2 + + libtransmission/transmission.h | 1 + + libtransmission/web.c | 3 ++ + 7 files changed, 121 insertions(+), 9 deletions(-) + +--- libtransmission/web.c.orig 2015-12-31 18:33:37.567878356 +0000 ++++ libtransmission/web.c +@@ -594,6 +594,7 @@ tr_webGetResponseStr (long code) + case 415: return "Unsupported Media Type"; + case 416: return "Requested Range Not Satisfiable"; + case 417: return "Expectation Failed"; ++ case 421: return "Misdirected Request"; + case 500: return "Internal Server Error"; + case 501: return "Not Implemented"; + case 502: return "Bad Gateway"; |