Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 268163 (CVE-2009-1440)

Summary: <net-p2p/amule-2.2.5 Argument injection (CVE-2009-1440)
Product: Gentoo Security Reporter: Alex Legler (RETIRED) <a3li>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: net-p2p, patrick, phmagic
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-01 20:14:07 UTC
CVE-2009-1440 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1440):
  Incomplete blacklist vulnerability in DownloadListCtrl.cpp in amule
  2.2.4 allows remote attackers to conduct argument injection attacks
  into a command for mplayer via a crafted filename.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2009-05-06 22:14:42 UTC
From the debian bug:

   src/DownloadListCtrl.cpp does the following (code edited for
clarification):

command = wxT("xterm -T \"aMule Preview\" -iconic -e mplayer '$file'");
[...]
wxString rawFileName = file->GetFullName().GetRaw();
command.Replace(wxT("$file"), rawFileName);
[...]
wxExecute(command, wxEXEC_ASYNC, p);

   Although file->GetFullName() is sanitised by removing :/<> and
probably other characters, the single tick (') is neither filtered
away nor escaped. Thus it is possible to craft a file name that
passes remotely defined arguments to the video player.

Sounds like more than B3. Unfortunately, there does not seem to be patch, yet...
Comment 2 Patrick Lauer gentoo-dev 2009-05-24 18:38:53 UTC
+  24 May 2009; Patrick Lauer <patrick@gentoo.org> +amule-2.2.5.ebuild:                             
+  Bump to 2.2.5, fixes #270060  

2.2.5 seems to fix this issue according to upstream.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-07-17 09:43:01 UTC
Arches, please test and mark stable:
=net-p2p/amule-2.2.5
Target keywords : "alpha amd64 hppa ppc ppc64 x86"
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2009-07-18 14:49:16 UTC
Stable for HPPA.
Comment 5 Tobias Klausmann (RETIRED) gentoo-dev 2009-07-19 16:34:48 UTC
Stable on alpha.
Comment 6 nixnut (RETIRED) gentoo-dev 2009-07-19 18:40:22 UTC
ppc stable
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2009-07-20 14:23:53 UTC
x86 stable
Comment 8 Brent Baude (RETIRED) gentoo-dev 2009-07-26 12:43:08 UTC
ppc64 done
Comment 9 Markus Meier gentoo-dev 2009-07-27 22:08:35 UTC
amd64 stable, all arches done.
Comment 10 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-09 13:34:15 UTC
GLSA 200909-06
Comment 11 Alexander Bezrukov 2009-10-25 12:13:10 UTC
According to aMule Changelog (http://wiki.amule.org/index.php/Changelog_2.2.6), this security issue is "really fixed" in 2.2.6, which is now masked. Sorry, if I create unnecessary noise but I believe this deserves attention.