bugtest, posted January 15, 2008: I have found a problem in the latest version of utorrent (and bittorrent too) which allows the program to be crashed remotely (luckily, effects worse than the crash don't seem possible). Where can I report it?
DreadWingKnight, posted January 15, 2008: Right here
bugtest (Author), posted January 15, 2008: Ok, the problem is in the name of the clients (like utorrent 1.7.5 or bitcomet or Bittorrent and so on) which is visualized in the Peers window. The name is copied into the buffer of the GUI without checking its length, so it is possible that anyone from outside can connect to the utorrent/bittorrent TCP port using a long client name, and the program will crash if or when the user watches the Peers window. I have also written a proof-of-concept for testing the bug.
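The unchecked copy described in the post above, next to a bounded version, as an added example that is not part of the thread and is not uTorrent's code. The function names, the 32-byte label buffer and the sample inputs are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define PEER_LABEL_MAX 32   /* assumed size of the GUI label buffer */

/* The pattern the post describes, for contrast (never called here):
 * remote-supplied bytes copied with no length check. */
void peer_label_copy_unchecked(char *dst, const char *name)
{
    strcpy(dst, name);      /* writes past dst when name is too long */
}

/* Bounded copy: stores at most dst_size-1 bytes, always NUL-terminates,
 * replaces non-printable bytes with '?', and reports truncation. */
size_t peer_label_copy(char *dst, size_t dst_size,
                       const unsigned char *src, size_t src_len, int *truncated)
{
    size_t n, i;
    if (truncated) *truncated = 0;
    if (dst == NULL || dst_size == 0) return 0;
    if (src == NULL) src_len = 0;
    n = src_len < dst_size - 1 ? src_len : dst_size - 1;
    for (i = 0; i < n; i++)
        dst[i] = (src[i] >= 0x20 && src[i] < 0x7f) ? (char)src[i] : '?';
    dst[n] = '\0';
    if (truncated) *truncated = src_len > n;
    return n;
}

/* Constructed inputs: a 500-byte name and a short one with a control byte.
 * Returns 0 when every check passes, otherwise the failing check number. */
int selfcheck(void)
{
    unsigned char big[500];
    char label[PEER_LABEL_MAX + 1];   /* +1 canary byte after the buffer */
    int cut = 0;
    memset(big, 'A', sizeof big);
    label[PEER_LABEL_MAX] = 0x5a;
    if (peer_label_copy(label, PEER_LABEL_MAX, big, sizeof big, &cut)
            != PEER_LABEL_MAX - 1) return 1;
    if (!cut || strlen(label) != PEER_LABEL_MAX - 1) return 2;
    if (label[PEER_LABEL_MAX] != 0x5a) return 3;   /* canary intact */
    peer_label_copy(label, PEER_LABEL_MAX,
                    (const unsigned char *)"uT\x01" "ok", 5, &cut);
    if (cut || strcmp(label, "uT?ok") != 0) return 4;
    return 0;
}

int main(void) { printf("selfcheck: %d\n", selfcheck()); return 0; }
```

The length of a peer-supplied string is checked against the destination at the point of the copy, so a display path that runs later (such as opening a peers view) only ever sees a terminated, bounded label.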
Ryan Norton, posted January 15, 2008: "I have also written a proof-of-concept for testing the bug." Could you post it somewhere please?
bugtest (Author), posted January 15, 2008: Sure, although I wanted to avoid making it public on a forum. Anyway, the link is the following: if the link doesn't work, copy it into the browser's bar. Using it is trivial: you must specify the SHA1 hash of the torrent located on the utorrent/bittorrent you want to crash or just pass the name of the torrent file, then the host and the port of the target. For example: ruttorrent debian.torrent 127.0.0.1 6881 then go in the Peers window of that specific torrent you are sharing and your utorrent/bittorrent client will crash immediately or, in some cases, will crash later.
Ryan Norton, posted January 15, 2008: Thanks a lot for letting us know about this.
bugtest (Author), posted January 15, 2008: So the next beta will contain the fix, right? And for BitTorrent, will the bug be fixed there too?
Ryan Norton, posted January 15, 2008: I have to clear it with the product manager, but yeah it is already fixed in the 1.7 and 1.8 branches.
jewelisheaven, posted January 15, 2008: .. He reported a crash of the 1.6 branch? Nice find.
Firon, posted January 15, 2008: Read better. Applies to all versions.
Greg Hazel, posted January 16, 2008: Thanks for the report! This is fixed in 1.7.6, upgrading is strongly recommended. http://download.utorrent.com/1.7.6/utorrent.exe
jewelisheaven, posted January 16, 2008: Since 1.7.6 includes all fixes up to current, is the changelog correct in the ONLY changes applicable to the 1.7 line? Or are all issues not specific to 1.8 interface/functionality considered "fixed" in this new build?
Firon, posted January 16, 2008: 1.7.6 has the 4 changes mentioned. Nothing more, nothing less.
jewelisheaven, posted January 16, 2008: That's a shame. I was hoping the fixes alus helped me verify relating to peer lists and banning wouldn't have to wait for 1.8.
Switeck, posted January 16, 2008: As funny as this sounds, I kind of hope uTorrent v1.6 line is vulnerable to this... that will give various web tracker admins with their head in the sand reason to upgrade uTorrent or ban uTorrent altogether. ...Of course, we know which one they'll likely choose. If they haven't banned BitComet, then following their same logic they need to read "BitComet is Evil" thread.
jewelisheaven, posted January 16, 2008: LOL, but that is a good thing. It will definitely divulge the nonsensical trackers/admins out there. Who instead of wishing their users to be protected, choose to have them use outdated/unsupported software... you think any of them offer support on how to use uT, ROFL. In any case I don't believe I ever suffered the crash bug due to unchecked clientids but I'm running 1.7.6 now (I miss the program information injected into the early builds of 1.8 :/ ) It was so tidy in process explorer, heh
bugtest (Author), posted January 17, 2008: Is it normal that the update function of utorrent 1.7.5 doesn't see the new version?
jewelisheaven, posted January 17, 2008: Firon will take care of it <poke poke> <prod>
Firon, posted January 17, 2008: It's set on the beta updater only. I'll put it on the regular updater today.
Ultima, posted January 18, 2008: The point being to open the build a bit slowly to the public in case there are any major problems from the fix.
jewelisheaven, posted January 18, 2008: ... which would be what? If the only fixes are the 4 listed in the changelog there is no problem.
Ultima, posted January 18, 2008: Huh?
Ryan Norton, posted January 18, 2008: It didn't affect the 1.6 line.
Archived
This topic is now archived and is closed to further replies.