Bug 983228 (CVE-2016-5301) - VUL-0: CVE-2016-5301: libtorrent-rasterbar http_parser.cpp denial of service
Summary: VUL-0: CVE-2016-5301: libtorrent-rasterbar http_parser.cpp denial of service
Status: RESOLVED FIXED
Alias: CVE-2016-5301
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other openSUSE 13.2
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Alexei Sorokin
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/169800/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-06-06 09:34 UTC by Marcus Meissner
Modified: 2016-09-10 13:08 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2016-06-06 09:34:20 UTC
CVE-2016-5301

from mitre on oss-sec

    I recently opened a bug on libtorrent regarding malformed HTTP or UPnP
    responses

    https://github.com/arvidn/libtorrent/issues/780
    https://github.com/arvidn/libtorrent/pull/782


        A specially crafted HTTP response from a tracker (or potentially a
        UPnP broadcast) can crash libtorrent in the parse_chunk_header()
        function.

        AddressSanitizer: SEGV on unknown address

        Memcheck, a memory error detector
        Invalid read of size 1


Use CVE-2016-5301.


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5301
http://seclists.org/oss-sec/2016/q2/478
Comment 1 Jan Engelhardt 2016-06-06 09:59:42 UTC
This report is not for the rakshasa libtorrent.
Comment 2 Marcus Meissner 2016-06-06 10:07:33 UTC
assign to maintainer of the other libtorrent
Comment 3 Bernhard Wiedemann 2016-06-06 10:58:22 UTC
This is an autogenerated message for OBS integration:
This bug (983228) was mentioned in
https://build.opensuse.org/request/show/400218 42.1 / libtorrent-rasterbar
Comment 4 Bernhard Wiedemann 2016-06-06 12:00:20 UTC
This is an autogenerated message for OBS integration:
This bug (983228) was mentioned in
https://build.opensuse.org/request/show/400263 13.2 / libtorrent-rasterbar_13.2
Comment 5 Bernhard Wiedemann 2016-06-06 13:00:17 UTC
This is an autogenerated message for OBS integration:
This bug (983228) was mentioned in
https://build.opensuse.org/request/show/400266 13.2 / libtorrent-rasterbar
https://build.opensuse.org/request/show/400267 13.1 / libtorrent-rasterbar
Comment 6 Bernhard Wiedemann 2016-06-06 14:00:16 UTC
This is an autogenerated message for OBS integration:
This bug (983228) was mentioned in
https://build.opensuse.org/request/show/400281 13.1 / libtorrent-rasterbar
Comment 7 Swamp Workflow Management 2016-06-06 22:01:09 UTC
bugbot adjusting priority
Comment 8 Dmitriy Perlow 2016-06-11 16:35:54 UTC
I use the update test repo on 13.2. The recent libtorrent-rasterbar7 update to 0.16.19-2.3.2 breaks qbittorrent:
/usr/bin/qbittorrent: symbol lookup error: /usr/bin/qbittorrent: undefined symbol: _ZN10libtorrent12base32decodeERKSs
Comment 9 Dmitriy Perlow 2016-06-11 18:25:52 UTC
Finally 0.16.19 does it not patches. Thanks to @Alexei!
Comment 10 Bernhard Wiedemann 2016-06-11 20:00:16 UTC
This is an autogenerated message for OBS integration:
This bug (983228) was mentioned in
https://build.opensuse.org/request/show/401295 13.1 / libtorrent-rasterbar
https://build.opensuse.org/request/show/401296 13.2 / libtorrent-rasterbar
Comment 11 Alexei Sorokin 2016-06-11 20:10:59 UTC
Yeah, I'm trying to pull 0.16.19 out and put 0.16.17 with the patch into 13.1 and 13.2 instead. I really didn't expect the last (and the one before that) point release of the 0.16 branch to be broken.
Comment 12 Dmitriy Perlow 2016-06-12 09:01:58 UTC
0.16.17 is fine for 13.1 too :)
Comment 13 Alexei Sorokin 2016-06-17 20:22:18 UTC
It's all settled then.
Comment 14 Swamp Workflow Management 2016-06-20 19:07:50 UTC
openSUSE-SU-2016:1635-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 983228
CVE References: CVE-2016-5301
Sources used:
openSUSE Leap 42.1 (src):    libtorrent-rasterbar-1.0.9-7.1
openSUSE 13.2 (src):    libtorrent-rasterbar-0.16.17-2.5.1
Comment 15 Swamp Workflow Management 2016-06-26 11:07:33 UTC
openSUSE-SU-2016:1683-1: An update that contains security fixes can now be installed.

Category: security (moderate)
Bug References: 983228
CVE References: 
Sources used:
openSUSE 13.1 (src):    libtorrent-rasterbar-0.16.17-2.5.1
Comment 16 Swamp Workflow Management 2016-09-10 13:08:45 UTC
openSUSE-SU-2016:2283-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 983228
CVE References: CVE-2016-5301
Sources used:
openSUSE Leap 42.1 (src):    libtorrent-rasterbar-1.0.10-11.2