Description: Kevin Walsh has reported two vulnerabilities in LimeWire, which can be exploited by malicious people to disclose sensitive information.

1) An input validation error in the HTTP handling can be exploited to disclose the content of arbitrary files via a specially crafted request.
Example: /gnutella/res/[file_with_absolute_path]
The vulnerability has been reported in versions 4.1.2 through 4.5.6.

2) An input validation error in the handling of "magnet" requests can be exploited to disclose the content of arbitrary files via directory traversal attacks.
Example: /magnet10/../../[file]
The vulnerability has been reported in versions 3.9.6 through 4.6.0.

Solution: Update to version 4.8 or later.
http://www.limewire.com/english/content/download.shtml
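A request-to-file mapping that rejects both request forms quoted in the description above, as an added example: it is not LimeWire's code (LimeWire is written in Java and its handler is not shown here). The share root `/srv/share` and the function name `resolve_request` are assumptions; the two URL prefixes are the ones from the advisory.

```python
import posixpath
from urllib.parse import unquote

SHARE_ROOT = "/srv/share"                     # assumed shared directory
PREFIXES = ("/gnutella/res/", "/magnet10/")   # prefixes quoted in the advisory


def resolve_request(request_path, root=SHARE_ROOT):
    """Map a request path to a file under root; return None if rejected."""
    # Validate the decoded form, so %2e%2e is treated the same as "..".
    decoded = unquote(request_path)
    if "\x00" in decoded:
        return None

    for prefix in PREFIXES:
        if decoded.startswith(prefix):
            remainder = decoded[len(prefix):]
            break
    else:
        return None  # not one of the file-serving endpoints

    # Treat Windows separators like "/" so both platforms get the same checks.
    remainder = remainder.replace("\\", "/")

    # Case 1 in the advisory: an absolute path after the prefix
    # (leading "/" or a drive letter such as "C:").
    if not remainder or remainder.startswith("/") or remainder[1:2] == ":":
        return None

    # Case 2 in the advisory: "../" sequences. Collapse them first, then
    # require that the result is still strictly below the share root.
    candidate = posixpath.normpath(posixpath.join(root, remainder))
    if candidate == root:
        return None
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate
```

The check is lexical only; a server that follows symbolic links would also need to compare the real (resolved) path of the file against the real path of the share root before opening it.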
net-p2p, please comment/bump
Hey, I am wondering if this issue will be fixed soon, considering it is a vulnerability in the application versus a feature update. Thanks.
Bumped in portage
Thanks Karol. x86: please test and mark stable
*** Bug 85272 has been marked as a duplicate of this bug. ***
x86/sekretarz: please test and mark x86-stable
stable on x86, sorry for the delay
This one is ready for GLSA vote. I tend to vote NO.
This can be used remotely to leak the contents of any file, I vote YES.
Vote++
GLSA 200503-37