possible CVE request: rb_libtorrent opens UPNP port 0

["Vincent Danen" <vdanen () redhat com>]

It was brought to my attention today that a potential flaw in rb_libtorrent exists where it will open UPNP port 0, 
which (by the description of the issue) opens all ports to the system running rb_libtorrent via the given firewall (so 
even if you had, say, only port 22 open to the machine to start, fire up an application using rb_libtorrent such as 
qbittorrent, and all ports are forwarding to that machine).

I can't find any references on whether or not this is part of the UPNP spec or known behaviour, however.  Either way, I 
suppose that anyone running such a bittorrent client isn't expecting that all ports start forwarding (but, as a result, 
I'm not sure if this is malfunctioning firewall which is where knowing whether or not this is according to spec would 
be good).

So I'm not just asking for a CVE, but whether or not it's a flaw (I don't know enough about UPNP to hazard a guess).

Here's some references:

https://github.com/qbittorrent/qBittorrent/issues/1758
https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134652.html
https://bugs.mageia.org/show_bug.cgi?id=13582


-- 
Vincent Danen / Red Hat Product Security

Attachment: signature.asc
Description: OpenPGP digital signature