Ubuntu USN-436-2
May 18, 2007 - 12:00 a.m.

KTorrent vulnerability

2007-05-18 00:00:00
ubuntu.com

CVSS2: 6.4 Medium

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

Vector: AV:N/AC:L/Au:N/C:N/I:P/A:P

AI Score: 7.1 High (Confidence: Low)

EPSS: 0.01 Low (Percentile: 84.0%)

Releases

  • Ubuntu 7.04
  • Ubuntu 6.10
  • Ubuntu 6.06

Details

USN-436-1 fixed a vulnerability in KTorrent. The original fix for path
traversal was incomplete, allowing for alternate vectors of attack.
This update solves the problem.

Original advisory details:

Bryan Burns of Juniper Networks discovered that KTorrent did not
correctly validate the destination file paths nor the HAVE statements
sent by torrent peers. A malicious remote peer could send specially
crafted messages to overwrite files or execute arbitrary code with user
privileges.

OS      OS Version  Architecture  Package   Package Version             Filename
Ubuntu  7.04        noarch        ktorrent  < 2.1-0ubuntu2.1            UNKNOWN
Ubuntu  6.10        noarch        ktorrent  < 2.0.3+dfsg1-0ubuntu1.2    UNKNOWN
Ubuntu  6.06        noarch        ktorrent  < 1.2-0ubuntu5.2            UNKNOWN
