Two vulnerabilities in KDE BitTorrent client KTorrent
Version 2.1.2 of the open-source BitTorrent client KTorrent for KDE removes two vulnerabilities. The first one is said to enable an attacker to cause the application to crash. According to the bug report by Ubuntu the vulnerability also allows code to be injected onto a system and executed. The vulnerability is found in the module chunkcounter.cpp and is triggered by large idx values.
The second vulnerability is said to allow the deliberate overwriting of files on a system. The problem occurs because KTorrent does not correctly validate the destination file paths or the HAVE statements sent by torrent peers. Inserting the string .. into the filename is said to be all that is needed to break out of defined directories.
The source code of the new KTorrent is available for download at ktorrent.org. The Linux distributor Ubuntu has also released debugged packages.