Opened 13 years ago

Closed 13 years ago

Last modified 13 years ago

#1185 closed Bug (fixed)

crash by maliciously-crafted .torrent files "creator" field

Reported by: charles Owned by: charles
Priority: Normal Milestone: 1.33
Component: GTK+ Client Version: 1.32
Severity: Major Keywords:
Cc:

Description (last modified by charles)

this article abut the recent uTorrent vulnerability prompted me to test Transmission for a similar stack-smashing vulnerability.

The short answer is that there are no problems on the mac: libtransmission handles a 10,000 character "creator" field just fine, and the Mac GUI has no problems either.

The gtk+ GUI, however, crashes when you open the details dialog for such a torrent. The gtklabel is apparently telling to X to draw an impossibly wide string. X refuses and terminates the program. I don't think this could be exploited to run arbitrary code, but a crash is a crash and this needs to be fixed.

Change History (3)

comment:1 Changed 13 years ago by charles

  • Status changed from new to assigned

comment:2 Changed 13 years ago by charles

  • Resolution set to fixed
  • Status changed from assigned to closed

trunk: r6500.

1.3x: r6501.

comment:3 Changed 13 years ago by charles

  • Description modified (diff)
Note: See TracTickets for help on using tickets.