CVE-2018-5702: Mitigate dns rebinding attacks against transmission daemon

[mafredri]

I wanted to make you all aware of a recent vulnerability in Transmission: transmission: rpc session-id mechanism design flaw discovered by Taviso Ormandy. He created a patch and wrote about it on the GitHub repo for Transmission: CVE-2018-5702: Mitigate dns rebinding attacks against daemon.

I've released Transmission 2.92.2 with Tavisos patches applied.

PLEASE NOTE: I'm not the official maintainer of Transmission, so I can't release my update on App Central. My version is also not backwards-compatible with the App Central version (you can upgrade to my app, but not revert back). I've written about how my app differs from the App Central version here.

[Sin89]

HI Mafedri,


Your link doesn't seem to work for downloading the APK you've built.


May I suggest uploading it to Github or somwhere else?

[Mr.Crowley]

Asustor seem to have removed Transmission from the App Central, maybe now you can push the last Transmission release to Asustor Mafredi?

[mafredri]

Hey Mr.Crowley, I won't be pushing Transmission to App Central since I'm not the official maintainer and I'm not sure how much longer I'll be maintaining apps for ADM.

That said, you can find Transmission 2.93 here: https://app.box.com/s/2nkeh82trip2ppsplk12ddt6yfq1er9c

[dhstsw]

Well, sorry to be late to the party (and knowing that mafredi may not be here anymore).

both 2.92-2 and 2.93 (i386 for AS304T):

Code: Select all

root@asustor:/volume1/.@plugins/AppCentral/transmission # /usr/local/AppCentral/transmission/CONTROL/start-stop.sh start
Starting transmission-daemon...
start-stop-daemon: can't execute 'transmission-daemon': No such file or directory

File is in bin folder.

even modifying start-stop.sh with:

Code: Select all

DAEMON=$APKG_PKG_DIR/bin/transmission-daemon

gives the same result

Any hint anyone? I'm quite f***ed without (and yes, even kosyak release isn't (officially) downloadable anymore, and it's still unfixed).

[mafredri]

Well, sorry to be late to the party (and knowing that mafredi may not be here anymore).

both 2.92-2 and 2.93 (i386 for AS304T):

Code: Select all

root@asustor:/volume1/.@plugins/AppCentral/transmission # /usr/local/AppCentral/transmission/CONTROL/start-stop.sh start
Starting transmission-daemon...
start-stop-daemon: can't execute 'transmission-daemon': No such file or directory

File is in bin folder.

even modifying start-stop.sh with:

Code: Select all

DAEMON=$APKG_PKG_DIR/bin/transmission-daemon

gives the same result

Any hint anyone? I'm quite f***ed without (and yes, even kosyak release isn't (officially) downloadable anymore, and it's still unfixed).

You need to use $PKG_DIR instead of $APKG_PKG_DIR, the latter is only defined during installation. But you shouldn't need to change the script at all, the binary should be linked to /usr/local/bin if the transmission app is activated in App Central.

[dhstsw]

You need to use $PKG_DIR instead of $APKG_PKG_DIR, the latter is only defined during installation. But you shouldn't need to change the script at all, the binary should be linked to /usr/local/bin if the transmission app is activated in App Central.

Then that must be the reason: i don't keep transmission activated in App Central (i launch it *after* a VPN connection has been set up, via a separate script).

But i guess i could just LN it from /transmision/bin to /usr/local/bin then.

I'll try.

Thanks for the answer!

[dhstsw]

Or course the LN i made don't survive reboot.

Solved with:

Code: Select all

DAEMON=$PKG_DIR/bin/transmission-daemon

in start-stop.sh

thx.