Debian DSA-1967-1 : transmission - directory traversal

2010-02-24T00:00:00
ID DEBIAN_DSA-1967.NASL
Type nessus
Reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2019-11-02T00:00:00

Description

Dan Rosenberg discovered that Transmission, a lightwight client for the Bittorrent filesharing protocol, performs insufficient sanitising of file names specified in .torrent files. This could lead to the overwrite of local files with the privileges of the user running Transmission if the user is tricked into opening a malicious torrent file.

                                        
                                            #%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Debian Security Advisory DSA-1967. The text 
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(44832);
  script_version("1.9");
  script_cvs_date("Date: 2019/08/02 13:32:22");

  script_cve_id("CVE-2010-0012");
  script_xref(name:"DSA", value:"1967");

  script_name(english:"Debian DSA-1967-1 : transmission - directory traversal");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Dan Rosenberg discovered that Transmission, a lightwight client for
the Bittorrent filesharing protocol, performs insufficient sanitising
of file names specified in .torrent files. This could lead to the
overwrite of local files with the privileges of the user running
Transmission if the user is tricked into opening a malicious torrent
file."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.debian.org/security/2010/dsa-1967"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Upgrade the transmission packages.

For the stable distribution (lenny), this problem has been fixed in
version 1.22-1+lenny2."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_cwe_id(22);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:transmission");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:5.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2010/01/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/02/24");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"5.0", prefix:"transmission", reference:"1.22-1+lenny2")) flag++;
if (deb_check(release:"5.0", prefix:"transmission-cli", reference:"1.22-1+lenny2")) flag++;
if (deb_check(release:"5.0", prefix:"transmission-common", reference:"1.22-1+lenny2")) flag++;
if (deb_check(release:"5.0", prefix:"transmission-gtk", reference:"1.22-1+lenny2")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");