Archive for June, 2009

EL/LAK developer conference update

The slides from our secure programming in C talk at the 4th Greek Free/Open Source Developer Conference are now available in the research section.

Secure programming in C talk at the EL/LAK developer conference

census will be participating in the 4th Greek Free/Open Source Developer Conference organized by EL/LAK in Athens, Greece on the 19th and 20th of June!

Our talk on Saturday will focus on security issues that manifest during software development using the C programming language. Although there has been extensive coverage of this topic in the past, our presentation will provide an up-to-date analysis of programming bugs that potentially lead to security issues.

During the lunch break on Saturday there will also be a PGP/CACert key signing party. See here for more details (in Greek).

We hope to see you there!

Rasterbar libtorrent arbitrary file overwrite vulnerability

census ID: census-2009-0002
CVE ID: CVE-2009-1760
Affected Products: Any application that uses the Rasterbar Software libtorrent library (versions ≤ 0.14.3) for BitTorrent file downloads.
Class: Relative Path Traversal (CWE-23), Improper Handling of Syntactically Invalid Structure (CWE-228)
Remote: Yes
Discovered by: Dimitris Glynos

We have discovered an “arbitrary file overwrite” vulnerability in libtorrent that allows an attacker to create and modify arbitrary files (and directories) on remote systems, with the effective rights of the user executing the vulnerable libtorrent-based application.
