USN-885-1: Transmission vulnerabilities

Ubuntu Security Notice USN-885-1

18th January, 2010

transmission vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 9.10
  • Ubuntu 9.04
  • Ubuntu 8.10
  • Ubuntu 8.04 LTS

Software description

  • transmission

Details

It was discovered that the Transmission web interface was vulnerable to
cross-site request forgery (CSRF) attacks. If a user were tricked into
opening a specially crafted web page in a browser while Transmission was
running, an attacker could trigger commands in Transmission. This issue
affected Ubuntu 9.04. (CVE-2009-1757)

Dan Rosenberg discovered that Transmission did not properly perform input
validation when processing torrent files. If a user were tricked into
opening a crafted torrent file, an attacker could overwrite files via
directory traversal. (CVE-2010-0012)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 9.10:
transmission-gtk 1.75-0ubuntu2.2
transmission-cli 1.75-0ubuntu2.2
transmission-qt 1.75-0ubuntu2.2
Ubuntu 9.04:
transmission-gtk 1.51-0ubuntu3.1
transmission-cli 1.51-0ubuntu3.1
Ubuntu 8.10:
transmission-gtk 1.34-0ubuntu2.3
transmission-cli 1.34-0ubuntu2.3
Ubuntu 8.04 LTS:
transmission-gtk 1.06-0ubuntu6.1
transmission-cli 1.06-0ubuntu6.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system upgrade you need to restart Transmission to effect
the necessary changes.

References

CVE-2009-1757, CVE-2010-0012