[BUG] Critical qBittorrent RCE Vulnerability
What happened?
As currently all qbittorrent versions from 3.2.1 to 5.0.0 are affected by a critical RCE vulnerability, I wanted to ask if it would be possible to add newer versions to the repo or fix the vulnerability without updating qbittorrent.
https://cybersecuritynews.com/qbittorrent-rce-vulnerability/
Swizzin commit
a4062a1
What OS are you using?
Ubuntu 22.04 (Jammy)
What architecture is your OS?
amd64
Relevant logs and output
https://cybersecuritynews.com/qbittorrent-rce-vulnerability/
Hi there, and thanks for the issue report.
Unfortunately this is not an issue for headless clients and we would hardly consider this bug critical.
I understand the concern and the desire to upgrade. The Swizzin team has assessed the report and disagrees with the level of concern that has been levied against older versions of qbittorrent at this time, especially the headless client on Linux:
- The first issue related to Python is a specific issue to Windows
- There is no auto update mechanism in the nox version which renders this path to exploitation null
- The RSS feed issue may bear some weight; however this would need to be configured by you to begin with
- Maxmind itself would need to be compromised for the final concern and is simply a theoretical possibility rather than a currently realistic attack vector
Finally, the issue at play is a MITM attack and not an RCE. This has been miscategorized by the author of the article and has been spread online.
Additionally, there are far more concerning reports to me of memory leaks in 5.0, which could be far worse than the implications of simply using RSS feeds at this time.
The upgrade to qbittorrent will come in due time; however it will not be rushed out due to fear mongering and sensationalized allegations against qbit, where the majority of concerns are currently moot.
If you have any questions on the subject, please forward them to our discord for further discussion.
Hello. What manipulations need to be done to update to 5.0?
I get this error
Ubuntu 24 ERROR The cmake build of libtorrent did not complete successfully
Can you supply installer logs? There weren't actually any changes to the libtorrent compile in the changes.
I get an error when trying to update from 4.6.7 to 5.0.1
/usr/include/c++/13/array:109:55: note: at offset [12, 20] into destination object ‘std::array<unsigned int, 5>::_M_elems’ of size 20
/usr/include/c++/13/array:109:55: note: at offset [44, 9223372036854775804] into destination object ‘std::array<unsigned int, 5>::_M_elems’ of size 20
In static member function ‘static constexpr _OI std::__copy_move<false, false, std::random_access_iterator_tag>::__copy_m(_II, _II, _OI) [with _II = const char*; _OI = unsigned char*]’,
    inlined from ‘constexpr _OI std::__copy_move_a2(_II, _II, _OI) [with bool _IsMove = false; _II = const char*; _OI = unsigned char*]’ at /usr/include/c++/13/bits/stl_algobase.h:506:30,
    inlined from ‘constexpr _OI std::__copy_move_a1(_II, _II, _OI) [with bool _IsMove = false; _II = const char*; _OI = unsigned char*]’ at /usr/include/c++/13/bits/stl_algobase.h:533:42,
    inlined from ‘constexpr _OI std::__copy_move_a(_II, _II, _OI) [with bool _IsMove = false; _II = const char*; _OI = unsigned char*]’ at /usr/include/c++/13/bits/stl_algobase.h:540:31,
    inlined from ‘constexpr _OI std::copy(_II, _II, _OI) [with _II = const char*; _OI = unsigned char*]’ at /usr/include/c++/13/bits/stl_algobase.h:633:7,
    inlined from ‘bool libtorrent::extract_peer_info(const bdecode_node&, peer_entry&, error_code&)’ at /tmp/libtorrent/src/http_tracker_connection.cpp:473:13:
/usr/include/c++/13/bits/stl_algobase.h:388:25: warning: writing 1 byte into a region of size 0 [-Wstringop-overflow=]
  388 | *__result = *__first;
      | ~~~~~~~~~~^~~~~~~~~~
/usr/include/c++/13/array: In function ‘bool libtorrent::extract_peer_info(const bdecode_node&, peer_entry&, error_code&)’:
/usr/include/c++/13/array:109:55: note: at offset [45, 9223372036854775805] into destination object ‘std::array<unsigned int, 5>::_M_elems’ of size 20
  109 | typename __array_traits<_Tp, _Nm>::_Type _M_elems;
      | ^~~~~~~~
/usr/include/c++/13/array:109:55: note: at offset [13, 20] into destination object ‘std::array<unsigned int, 5>::_M_elems’ of size 20
/usr/include/c++/13/array:109:55: note: at offset [45, 9223372036854775805] into destination object ‘std::array<unsigned int, 5>::_M_elems’ of size 20
In static member function ‘static constexpr _OI std::__copy_move<false, false, std::random_access_iterator_tag>::__copy_m(_II, _II, _OI) [with _II = const char*; _OI = unsigned char*]’,
    inlined from ‘constexpr _OI std::__copy_move_a2(_II, _II, _OI) [with bool _IsMove = false; _II = const char*; _OI = unsigned char*]’ at /usr/include/c++/13/bits/stl_algobase.h:506:30,
    inlined from ‘constexpr _OI std::__copy_move_a1(_II, _II, _OI) [with bool _IsMove = false; _II = const char*; _OI = unsigned char*]’ at /usr/include/c++/13/bits/stl_algobase.h:533:42,
    inlined from ‘constexpr _OI std::__copy_move_a(_II, _II, _OI) [with bool _IsMove = false; _II = const char*; _OI = unsigned char*]’ at /usr/include/c++/13/bits/stl_algobase.h:540:31,
    inlined from ‘constexpr _OI std::copy(_II, _II, _OI) [with _II = const char*; _OI = unsigned char*]’ at /usr/include/c++/13/bits/stl_algobase.h:633:7,
    inlined from ‘bool libtorrent::extract_peer_info(const bdecode_node&, peer_entry&, error_code&)’ at /tmp/libtorrent/src/http_tracker_connection.cpp:473:13:
/usr/include/c++/13/bits/stl_algobase.h:388:25: warning: writing 1 byte into a region of size 0 [-Wstringop-overflow=]
  388 | *__result = *__first;
      | ~~~~~~~~~~^~~~~~~~~~
/usr/include/c++/13/array: In function ‘bool libtorrent::extract_peer_info(const bdecode_node&, peer_entry&, error_code&)’:
/usr/include/c++/13/array:109:55: note: at offset [46, 9223372036854775806] into destination object ‘std::array<unsigned int, 5>::_M_elems’ of size 20
  109 | typename __array_traits<_Tp, _Nm>::_Type _M_elems;
      | ^~~~~~~~
/usr/include/c++/13/array:109:55: note: at offset [14, 20] into destination object ‘std::array<unsigned int, 5>::_M_elems’ of size 20
/usr/include/c++/13/array:109:55: note: at offset [46, 9223372036854775806] into destination object ‘std::array<unsigned int, 5>::_M_elems’ of size 20
[50/156] Building CXX object CMakeFiles/torrent-rasterbar.dir/src/http_seed_connection.cpp.o
[51/156] Building CXX object CMakeFiles/torrent-rasterbar.dir/src/ip_notifier.cpp.o
[52/156] Building CXX object CMakeFiles/torrent-rasterbar.dir/src/ip_voter.cpp.o
ninja: build stopped: subcommand failed.
[Fri Nov 15 22:05:52] ERROR The cmake build of libtorrent did not complete successfully
[Fri Nov 15 22:05:52] Please consult the above and/or check the log (less -R +G /root/logs/swizzin.log)
I have the same message in my compile logs and my build is fine. Can you supply more logs? You should be able to attach files to the issue
After 6 unsuccessful updates, as you can see in the log, I have Ubuntu 24 version C++ 13, I tried to update C++ 13 to the new version C++ 14. Now I ran box upgrade qbittorrent again and the installation was successful.
Thank you for your quick response, maybe this information will help in the future.