diff -Nru transmission-2.82/debian/changelog transmission-2.82/debian/changelog
--- transmission-2.82/debian/changelog 2014-03-07 09:50:51.000000000 +0000
+++ transmission-2.82/debian/changelog 2014-07-11 18:09:45.000000000 +0000
@@ -1,3 +1,14 @@
+transmission (2.82-1.1ubuntu4) utopic; urgency=medium
+
+ * SECURITY UPDATE: denial of service and possible code execution via
+ overflow in tr_bitfieldEnsureNthBitAlloced
+ - debian/patches/CVE-2014-4909.patch: properly handle bitfields in
+ libtransmission/bitfield.c, handle invalid blocks in
+ libtransmission/peer-msgs.c.
+ - CVE-2014-4909
+
+ -- Marc Deslauriers Fri, 11 Jul 2014 14:07:01 -0400
+
 transmission (2.82-1.1ubuntu3) trusty; urgency=medium
 
 * Rebuild to solve a powerpc dependency problem.
diff -Nru transmission-2.82/debian/patches/CVE-2014-4909.patch transmission-2.82/debian/patches/CVE-2014-4909.patch
--- transmission-2.82/debian/patches/CVE-2014-4909.patch 1970-01-01 00:00:00.000000000 +0000
+++ transmission-2.82/debian/patches/CVE-2014-4909.patch 2014-07-11 18:10:25.000000000 +0000
@@ -0,0 +1,107 @@
+Description: fix denial of service and possible code execution via
+ overflow in tr_bitfieldEnsureNthBitAlloced
+Origin: upstream, https://trac.transmissionbt.com/changeset/14303
+
+Index: transmission-2.82/libtransmission/bitfield.c
+===================================================================
+--- transmission-2.82.orig/libtransmission/bitfield.c 2013-08-08 22:45:45.094416272 -0400
++++ transmission-2.82/libtransmission/bitfield.c 2014-07-11 14:06:27.012968716 -0400
+@@ -170,7 +170,7 @@
+ static size_t
+ get_bytes_needed (size_t bit_count)
+ {
+- return (bit_count + 7u) / 8u;
++ return (bit_count >> 3) + (bit_count & 7 ? 1 : 0);
+ }
+
+ static void
+@@ -231,11 +231,16 @@
+ }
+ }
+
+-static void
++static bool
+ tr_bitfieldEnsureNthBitAlloced (tr_bitfield * b, size_t nth)
+ {
+ /* count is zero-based, so we need to allocate nth+1 bits before setting the nth */
++
++ if (nth == SIZE_MAX)
++ return false;
++
+ tr_bitfieldEnsureBitsAlloced (b, nth + 1);
++ return true;
+ }
+
+ static void
+@@ -368,9 +373,8 @@
+ void
+ tr_bitfieldAdd (tr_bitfield * b, size_t nth)
+ {
+- if (!tr_bitfieldHas (b, nth))
++ if (!tr_bitfieldHas (b, nth) && tr_bitfieldEnsureNthBitAlloced (b, nth))
+ {
+- tr_bitfieldEnsureNthBitAlloced (b, nth);
+ b->bits[nth >> 3u] |= (0x80 >> (nth & 7u));
+ tr_bitfieldIncTrueCount (b, 1);
+ }
+@@ -396,7 +400,9 @@
+ eb = end >> 3;
+ em = 0xff << (7 - (end & 7));
+
+- tr_bitfieldEnsureNthBitAlloced (b, end);
++ if (!tr_bitfieldEnsureNthBitAlloced (b, end))
++ return;
++
+ if (sb == eb)
+ {
+ b->bits[sb] |= (sm & em);
+@@ -417,9 +423,8 @@
+ {
+ assert (tr_bitfieldIsValid (b));
+
+- if (!tr_bitfieldHas (b, nth))
++ if (!tr_bitfieldHas (b, nth) && tr_bitfieldEnsureNthBitAlloced (b, nth))
+ {
+- tr_bitfieldEnsureNthBitAlloced (b, nth);
+ b->bits[nth >> 3u] &= (0xff7f >> (nth & 7u));
+ tr_bitfieldIncTrueCount (b, -1);
+ }
+@@ -446,7 +451,9 @@
+ eb = end >> 3;
+ em = ~ (0xff << (7 - (end & 7)));
+
+- tr_bitfieldEnsureNthBitAlloced (b, end);
++ if (!tr_bitfieldEnsureNthBitAlloced (b, end))
++ return;
++
+ if (sb == eb)
+ {
+ b->bits[sb] &= (sm | em);
+Index: transmission-2.82/libtransmission/peer-msgs.c
+===================================================================
+--- transmission-2.82.orig/libtransmission/peer-msgs.c 2013-08-08 22:45:40.294416158 -0400
++++ transmission-2.82/libtransmission/peer-msgs.c 2014-07-11 14:06:27.016968716 -0400
+@@ -36,6 +36,10 @@
+ #include "variant.h"
+ #include "version.h"
+
++#ifndef EBADMSG
++ #define EBADMSG EINVAL
++#endif
++
+ /**
+ ***
+ **/
+@@ -1696,6 +1700,12 @@
+ assert (msgs);
+ assert (req);
+
++ if (!requestIsValid (msgs, req)) {
++ dbgmsg (msgs, "dropping invalid block %u:%u->%u",
++ req->index, req->offset, req->length);
++ return EBADMSG;
++ }
++
+ if (req->length != tr_torBlockCountBytes (msgs->torrent, block)) {
+ dbgmsg (msgs, "wrong block size -- expected %u, got %d",
+ tr_torBlockCountBytes (msgs->torrent, block), req->length);
diff -Nru transmission-2.82/debian/patches/series transmission-2.82/debian/patches/series
--- transmission-2.82/debian/patches/series 2013-09-14 22:48:50.000000000 +0000
+++ transmission-2.82/debian/patches/series 2014-07-11 18:06:17.000000000 +0000
@@ -1,2 +1,3 @@
 systemd_service_fixes.patch
 fix_freebsd_quota_include.patch
+CVE-2014-4909.patch
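Review bot: In libtransmission/bitfield.c (hunk at -231), the new `bool` return of tr_bitfieldEnsureNthBitAlloced is undocumented, and the guard rejects only `nth == SIZE_MAX`. Every smaller index still reaches `tr_bitfieldEnsureBitsAlloced (b, nth + 1)`, so the helper stops the wraparound but does not bound the index; whether that call limits or checks the allocation is not visible in this hunk. I would extend the existing comment to state the contract, for example `/* returns false when nth + 1 would wrap; callers must skip the write and must range-check nth themselves */`.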
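Review bot: In the bitfield.c hunk at -417, the bit-clearing branch is still guarded by `!tr_bitfieldHas (b, nth)`, so the mask `&= (0xff7f >> (nth & 7u))` and `tr_bitfieldIncTrueCount (b, -1)` run only when the bit is not set. That looks inverted relative to the tr_bitfieldAdd hunk at -368: a set bit is never cleared, and the true count is decremented for a bit that was never counted, which can let the count drift away from the stored bits. The condition predates this patch, but since the line is being rewritten it is worth changing to `if (tr_bitfieldHas (b, nth) && tr_bitfieldEnsureNthBitAlloced (b, nth))`. The function header is outside the hunk, so confirm this is the remove path before applying.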
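Review bot: In libtransmission/peer-msgs.c (hunk at -1696), the new `requestIsValid` check has no comment saying why it must run first, and `block`, used on the next context line, is computed outside the hunk. If `block` is derived from `req->index` and `req->offset` before this check, confirm that the computation is safe for out-of-range values, or move it below the check. A short comment such as `/* reject out-of-range index/offset/length before any block or bitfield use */` would keep later edits from reordering it. The new message also prints `req->length` with `%u` while the existing one below uses `%d`, so one of the two specifiers does not match the field's type.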