   openSUSE Security Update: Security update for libtorrent-rasterbar, qbittorrent
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2023:0391-1
Rating:             moderate
References:         #1217677
Cross-References:   CVE-2023-30801
CVSS scores:
                    CVE-2023-30801 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    openSUSE Backports SLE-15-SP4
                    openSUSE Backports SLE-15-SP5
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for libtorrent-rasterbar, qbittorrent fixes the following
   issues:

   Changes in libtorrent-rasterbar:

   - Update to version 2.0.9
     * fix issue with web seed connections when they close and re-open
     * fallocate() not supported is not a fatal error
     * fix proxying of IPv6 connections via IPv4 proxy
     * treat CGNAT address range as local IPs
     * add stricter checking of piece layers when loading torrents
     * add stricter checking of v1 and v2 hashes being consistent
     * cache failed DNS lookups as well as successful ones
     * add an i2p torrent state to control interactions with clear swarms
     * fix i2p SAM protocol parsing of quoted messages
     * expose i2p peer destination in peer_info
     * fix i2p tracker announces
     * fix issue with read_piece() stopping torrent on pieces not yet
       downloaded
     * improve handling of allow_i2p_mixed setting to work for magnet links
     * fix web seed request for renamed single-file torrents
     * fix issue where web seeds could disappear from resume data
     * extend save_resume with additional conditional flags
     * fix issue with retrying trackers in tiers > 0
     * fix last_upload and last_download resume data fields to use posix
       time
     * improve error messages for no_connect_privileged_ports, by untangle
       it from the port filter
     * fix I2P issue introduced in 2.0.0
     * add async tracker status query, post_trackers()
     * add async torrent status query, post_status()
     * support loading version 2 of resume data format
     * fix issue with odd piece sizes
     * add async piece availability query, post_piece_availability()
     * add async download queue query, post_download_queue()
     * add async file_progress query, post_file_progress()
     * add async peer_info query, post_peer_info()

   - Update to version 2.0.8
     * fix uTP streams timing out instead of closing cleanly
     * add write_torrent_file_buf() overload for generating .torrent files
     * add create_torrent::generate_buf() function to generate into a
       buffer
     * fix copy_file when the file ends with a sparse region
     * uTP performance, fix packet loss when sending is stalled
     * fix trackers being stuck after session pause/resume
     * fix bug in hash_picker with empty files
     * uTP performance, prevent premature timeouts/resends
     * add option to not memory map files below a certain size
     * settings_pack now returns default values when queried for missing
       settings
     * fix copy_file fall-back when SEEK_HOL/SEEK_DATA is not supported
     * improve error reporting from file copy and move
     * tweak pad file placement to match reference implementation
       (tail-padding)
     * uTP performance, more lenient nagle's algorithm to always allow one
       outstanding undersized packet
     * uTP performance, piggy-back held back undersized packet with ACKs
     * uTP performance, don't send redundant deferred ACKs
     * support incoming SOCKS5 packets with hostnames as source address,
       for UDP trackers
     * ignore duplicate network interface change notifications on linux
     * fix total_want/want accounting when forcing a recheck
     * fix merging metadata with magnet links added on top of existing
       torrents
     * add torrent_flag to default all file priorities to dont_download
     * fix &so= feature in magnet links
     * improve compatibility of SOCKS5 UDP ASSOCIATE
     * fix madvise range for flushing cache in mmap_storage
     * open files with no_cache set in O_SYNC mode

   - Update to version 2.0.7
     * fix issue in use of copy_file_range()
     * avoid open-file race in the file_view_pool
     * fix issue where stop-when-ready would not close files
     * fix issue with duplicate hybrid torrent via separate v1 and v2
       magnet links
     * added new function to load torrent files, load_torrent_*()
     * support sync_file_range()
     * fix issue in write_torrent_file() when file size is exactly piece
       size
     * fix file_num_blocks() and file_num_pieces() for empty files
     * add new overload to make_magnet_uri()
     * add missing protocol version to tracker_reply_alert and
       tracker_error_alert
     * fix privilege issue with SetFileValidData()
     * add asynchronous overload of torrent_handle::add_piece()
     * default to a single hashing thread, for full checks
     * Fix bug when checking files and the first piece is invalid

   Changes in qbittorrent, qbittorrent:

   - Update to version 4.6.2
     Bug fixes:
     * Do not apply share limit if the previous one was applied
     * Show Add new torrent dialog on main window screen
     Web UI:
     * Fix JS memory leak
     * Disable stdout buffering for qbt-nox
     Wayland:
     * Fix parent widget of "Lock qBittorrent" submenu

   - Also fixes boo#1217677 (CVE-2023-30801, upstream reference
     gh#qbittorrent/qBittorrent#19738)

   - Update to version 4.6.1
     New features:
     * Add option to enable previous Add new torrent dialog behavior
     Fixed bugs:
     * Prevent crash due to race condition when adding magnet link
     * Fix Enter key behavior when add new torrent
     * Add missing main window icon
     * Update size of selected files when selection is changed
     * Correctly handle changing save path of torrent w/o metadata
     * Use appropriate icon for "moving" torrents in transfer list
     Web UI:
     * Drop WebUI default credentials
     * Add I2P settings to WebUI
     * Fix duplicate scrollbar on Transfer List
     * Fix incorrect subcategory sorting
     * Correctly set save path in RSS rules
     * Allow to request torrents count via WebAPI
     * Improve performance of getting torrent numbers via WebAPI
     * Improve free disk space checking for WebAPI
     Misc:
     * Fix invisible tray icon with Qt5 in Linux

   - Update to version 4.6.0
     New features:
     * Add (experimental) I2P support
     * Provide UI editor for the default theme
     * Various UI theming improvements
     * Implement torrent tags editing dialog
     * Revamp "Watched folder options" and "Automated RSS downloader"
       dialog
     * Allow to use another icons in dark mode
     * Allow to add new torrents to queue top
     * Allow to filter torrent list by save path
     * Expose 'socket send/receive buffer size' options
     * Expose 'max torrent file size' setting
     * Expose 'bdecode limits' settings
     * Add options to adjust behavior of merging trackers to existing
       torrent
     * Add option to stop seeding when torrent has been inactive
     * Allow to use proxy per subsystem
     * Expand the scope of "Proxy hostname lookup" option
     * Add shortcut for "Ban peer permanently" function
     * Add option to auto hide zero status filters
     * Allow to disable confirmation of Pause/Resume All
     * Add alternative shortcut CTRL+E for CTRL+F
     * Show filtered port numbers in logs
     * Add button to copy library versions to clipboard
     Bug fixes:
     * Ensure ongoing storage moving job will be completed when shutting
       down
     * Refactored many areas to call non UI blocking code
     * Various improvements to the SQLite backend
     * Improve startup window state handling
     * Use tray icon from system theme only if option is set
     * Inhibit system sleep while torrents are moving
     * Use hostname instead of domain name in tracker filter list
     * Visually validate input path in torrent creator dialog
     * Disable symlink resolving in Torrent creator
     * Change default value for `file pool size` and `stop tracker
       timeout` settings
     * Log when duplicate torrents are being added
     * Inhibit suspend instead of screen idle
     * Ensure file name is valid when exporting torrents
     * Open "Save path" if torrent has no metadata
     * Prevent torrent starting unexpectedly edge case with magnet
     * Better ergonomics of the "Add new torrent" dialog
     WebUI:
     * Add log viewer
     * WebAPI: Allow to specify session cookie name
     * Improve sync API performance
     * Add filelog settings
     * Add multi-file renaming
     * Add "Add to top of queue" option
     * Implement subcategories
     * Set "SameSite=None" if CSRF Protection is disabled
     * Show only hosts in tracker filter list
     * Set Connection status and Speed limits tooltips
     * set Cross Origin Opener Policy to `same-origin`
     * Fix response for HTTP HEAD method
     * Preserve the network interfaces when connection is down
     * Add "Add Tags" field for RSS rules
     * Fix missing error icon
     RSS:
     * Add "Rename rule" button to RSS Downloader
     * Allow to edit RSS feed URL
     * Allow to assign priority to RSS download rule
     Search:
     * Use python isolate mode
     * Bump python version minimum requirement to 3.7.0
     Other:
     * Numerous code improvements and refactorings

   - Update to version 4.5.5
     Bug fixes:
     * Fix transfer list tab hotkey
     * Don't forget to enable the Apply button in the Options dialog
     * Immediately update torrent status on moving files
     * Improve performance when scrolling the file list of large torrents
     * Don't operate on random torrents when multiple are selected and a
       sort/filter is applied
     RSS:
     * Fix overwriting feeds.json with an incomplete load of it

   - Update to version 4.5.4
     Bug fixes:
     * Allow to disable confirmation of Pause/Resume All
     * Sync flag icons with upstream
     Web UI:
     * Fix category save path

   - Update to version 4.5.3
     Bug fixes:
     * Correctly check if database needs to be updated
     * Prevent incorrect log message about torrent content deletion
     * Improve finished torrent handling
     * Correctly initialize group box children as disabled in Preferences
     * Don't miss saving "download path" in SQLite storage
     * Improve logging of running external program
     Web UI:
     * Disable UPnP for web UI by default
     * Use workaround for IOS file picker
     * Work around Chrome download limit
     * Improve 'exporting torrent' behavior

   - Update to version 4.5.2
     Bug fixes:
     * Don't unexpectedly activate queued torrents when prefetching
       metadata for added magnets
     * Update the cached torrent state once recheck is started
     * Be more likely to allow the system to use power saving modes
     Web UI:
     * Migrate away from unsafe function
     * Blacklist bad ciphers for TLS in the server
     * Allow only TLS 1.2+ in the server
     * Allow to set read-only directory as torrent location
     * Reject requests that contain backslash in path
     RSS:
     * Prevent RSS folder from being moved into itself

   - Update to version 4.5.1
     New features:
     * Re-allow to use icons from system theme
     Bug fixes:
     * Fix Speed limit icon size
     * Revise and fix some text colors
     * Correctly load folder based UI theme
     * Fix crash due to invalid encoding of tracker URLs
     * Don't drop !qB extension when renaming incomplete file
     * Correctly count the number of torrents in subcategories
     * Use "additional trackers" when metadata retrieving
     * Apply correct tab order to Category options dialog
     * Add all torrents passed via the command line
     * Fix startup performance on Qt5
     * Automatic move will now overwrite existing files
     * Some fixes for loading Chinese locales
     * New Pause icon color for toolbar/menu
     * Adjust env variable for PDB discovery
     Web UI:
     * Fix missing "queued" icon
     * Return paths using platform-independent separator format
     * Change order of accepted types of file input
     * Add missing icons
     * Add "Resume data storage type" option
     * Make rename file dialog resizable
     * Prevent incorrect line breaking
     * Improve hotkeys
     * Remove suggestions while searching for torrents
     * Expose "IS PRIVATE" flag
     * Return name/hash/infohash_v1/infohash_v2 torrent properties
     Other:
     * Fix tray icon issues

   - Update to version 4.5.0
     New features:
     * Add `Auto resize columns` functionality
     * Allow to use Category paths in `Manual` mode
     * Allow to disable Automatic mode when default "temp" path changed
     * Add tuning options related to performance warnings
     * Add right click menu for status filters
     * Allow setting the number of maximum active checking torrents
     * Add option to toggle filters sidebar
     * Allow to set `working set limit` on non-Windows OS
     * Add `Export .torrent` action
     * Add keyboard navigation keys
     * Allow to use POSIX-compliant disk IO type
     * Add `Filter files` field in new torrent dialog
     * Implement new icon/color theme
     * Add file name filter/blacklist
     * Add support for custom SMTP ports
     * Split the OS cache settings into Disk IO read/write modes
     * When duplicate torrent is added set metadata to existing one
     * Greatly improve startup time with many torrents
     * Add keyboard shortcut to Download URL dialog
     * Add ability to run external program on torrent added
     * Add infohash and download path columns
     * Allow to set torrent stop condition
     * Add a `Moving` status filter
     * Change color palettes for both dark, light themes
     * Add a `Use proxy for hostname lookup` option
     * Introduce a `change listen port` cmd option
     * Implement `Peer ID Client` column for `Peers` tab
     * Add port forwarding option for embedded tracker
     Bug fixes:
     * Store hybrid torrents using `torrent ID` as basename
     * Enable Combobox editor for the `Mixed` file download priority
     * Allow shortcut folders for the Open and Save directory dialogs
     * Rename content tab `Size` column to `Total Size`
     * Fix scrolling to the lowermost visible torrent
     * Allow changing file priorities for finished torrents
     * Focus save path when Manual mode is selected initially
     * Disable force reannounce when it is not possible
     * Add horizontal scrolling for tracker list and torrent content
     * Enlarge "speed limits" icons
     * Change Downloaded to Times Downloaded in trackers tab
     * Remove artificial max limits from `Torrent Queueing` related
       options
     * Preserve `skip hash check` when there is no metadata
     * Fix DHT/PeX/LSD status when it is globally disabled
     * Fix rate calculation when interval is too low
     * Add tooltip message when system tray icon isn't available
     * Improve sender field in mail notifications
     * Fix "Add torrent dialog" spill-over on smaller screens
     * Fix peer count issue when tracker responds with zero figure
     * Don't merge trackers by default
     * Don't inhibit system sleep/auto shutdown for torrents stuck at
       downloading metadata
     * Allow to pause a checking torrent from context menu
     * Allow to use subnet notation in reverse proxy list
     * Fine tune translations loading for Chinese locales
     * Fix torrent content checkboxes not updated properly
     * Correctly load state of `Use another path for incomplete torrents`
       in Watched folders
     * Add confirmation to resume/pause all
     * Fix wrong count of errored trackers
     WebUI:
     * Allow blank lines in multipart form-data input
     * Make various dialogs resizable
     * Fix wrong v2 hash string displayed
     * WebAPI: return correct status
     * Fix empty selection in language combobox
     * Store WebUI port setting in human readable number
     * Add support for exporting .torrent
     * WebAPI: Add endpoint to set speed limit mode
     * Improve progress bar rendering
     * Add transfer list refresh interval settings
     * Use natural sort
     * Apply i18n translation only to built-in WebUI
     * Alert when HTTPS settings are incomplete
     * Handle drag and drop events
     * Fix wrong behavior for shutdown action
     * Don't disable combobox for file priority
     RSS:
     * Increase limit of maximum number of articles per feed
     Other:
     * Mark as single window app in .desktop file
     * Add Dockerfile
     * Remove option of using icons from system theme

   - Update to version 4.4.5
     Bug fixes:
     * Fix missing trackers when adding magnet link. Affects libtorrent
       2.0.x builds.

   - Update to version 4.4.4.
     * Improve D-Bus notifications handling
     Bug fixes:
     * Correctly handle data decompression with Qt 6.3
     * Fix wrong file names displayed in tooltip
     * Fix incorrect "max outgoing port" setting
     * Make working set limit available only on libtorrent 2.0.x builds
     * Try to recover missing tags
     RSS:
     * Clear RSS parsing error after use
     Web API:
     * Set HTTP method restriction on WebAPI actions

   - Update to version 4.4.3.1
     Bug fixes:
     * Fix broken translations

   - Update to version 4.4.3
     Bug fixes:
     * Correctly handle changing of temp save path
     * Fix storage in SQLite
     * Correctly apply content layout when "Skip hash check" is enabled
     * Don't corrupt IDs of v2 torrents
     * Reduce the number of hashing threads by default (improves hashing
       speed on HDDs)
     * Prevent the "update dialog" from blocking input on other windows
     * Add trackers in exported .torrent files
     * Fix wrong GUI behavior in "Optional IP address to bind to" setting
     Web UI:
     * Fix WebUI crash due to missing tags from config
     * Show correct location path

Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP5:

      zypper in -t patch openSUSE-2023-391=1

   - openSUSE Backports SLE-15-SP4:

      zypper in -t patch openSUSE-2023-391=1

Package List:

   - openSUSE Backports SLE-15-SP5 (aarch64 i586 ppc64le s390x x86_64):

      libtorrent-rasterbar-debuginfo-2.0.9-bp155.2.3.1
      libtorrent-rasterbar-debugsource-2.0.9-bp155.2.3.1
      libtorrent-rasterbar-devel-2.0.9-bp155.2.3.1
      libtorrent-rasterbar2_0-2.0.9-bp155.2.3.1
      libtorrent-rasterbar2_0-debuginfo-2.0.9-bp155.2.3.1
      python3-libtorrent-rasterbar-2.0.9-bp155.2.3.1
      python3-libtorrent-rasterbar-debuginfo-2.0.9-bp155.2.3.1

   - openSUSE Backports SLE-15-SP5 (aarch64 ppc64le s390x x86_64):

      qbittorrent-4.6.2-bp155.2.3.1
      qbittorrent-debuginfo-4.6.2-bp155.2.3.1
      qbittorrent-debugsource-4.6.2-bp155.2.3.1
      qbittorrent-nox-4.6.2-bp155.2.3.1
      qbittorrent-nox-debuginfo-4.6.2-bp155.2.3.1

   - openSUSE Backports SLE-15-SP5 (noarch):

      libtorrent-rasterbar-doc-2.0.9-bp155.2.3.1

   - openSUSE Backports SLE-15-SP4 (aarch64 i586 ppc64le s390x x86_64):

      libtorrent-rasterbar-devel-2.0.9-bp154.3.3.1
      libtorrent-rasterbar2_0-2.0.9-bp154.3.3.1
      python3-libtorrent-rasterbar-2.0.9-bp154.3.3.1
      qbittorrent-4.6.2-bp154.3.3.1
      qbittorrent-debuginfo-4.6.2-bp154.3.3.1
      qbittorrent-debugsource-4.6.2-bp154.3.3.1
      qbittorrent-nox-4.6.2-bp154.3.3.1
      qbittorrent-nox-debuginfo-4.6.2-bp154.3.3.1

   - openSUSE Backports SLE-15-SP4 (noarch):

      libtorrent-rasterbar-doc-2.0.9-bp154.3.3.1

References:

   https://www.suse.com/security/cve/CVE-2023-30801.html
   https://bugzilla.suse.com/1217677