Summary: | <net-p2p/amule-2.2.5 Argument injection (CVE-2009-1440) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Alex Legler (RETIRED) <a3li> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | net-p2p, patrick, phmagic |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | B2 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Alex Legler (RETIRED)
2009-05-01 20:14:07 UTC
From the debian bug:

src/DownloadListCtrl.cpp does the following (code edited for clarification):

```cpp
command = wxT("xterm -T \"aMule Preview\" -iconic -e mplayer '$file'");
[...]
wxString rawFileName = file->GetFullName().GetRaw();
command.Replace(wxT("$file"), rawFileName);
[...]
wxExecute(command, wxEXEC_ASYNC, p);
```

Although file->GetFullName() is sanitised by removing :/<> and probably other characters, the single tick (') is neither filtered away nor escaped. Thus it is possible to craft a file name that passes remotely defined arguments to the video player.

Sounds like more than B3. Unfortunately, there does not seem to be a patch, yet...

+ 24 May 2009; Patrick Lauer <patrick@gentoo.org> +amule-2.2.5.ebuild:
+ Bump to 2.2.5, fixes #270060

2.2.5 seems to fix this issue according to upstream.

Arches, please test and mark stable:
=net-p2p/amule-2.2.5
Target keywords : "alpha amd64 hppa ppc ppc64 x86"

Stable for HPPA.

Stable on alpha.

ppc stable

x86 stable

ppc64 done

amd64 stable, all arches done.

GLSA 200909-06

According to aMule Changelog (http://wiki.amule.org/index.php/Changelog_2.2.6), this security issue is "really fixed" in 2.2.6, which is now masked. Sorry if I create unnecessary noise but I believe this deserves attention.
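The quoting failure described in this report, shown as an added example that is not aMule's code or part of the original thread: the command template is filled in and split the way a quote-aware command parser would, next to a version that builds the argument vector directly. `split_command` is a simplified stand-in for that parser, `preview_by_argv` is a hypothetical helper, and the file name is constructed.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Simplified stand-in (assumption) for how a single command string is split
// into argv: quotes group words, spaces separate them, no escape handling.
std::vector<std::string> split_command(const std::string& cmd) {
    std::vector<std::string> argv;
    std::string cur;
    char quote = 0;
    bool in_word = false;
    for (char c : cmd) {
        if (quote) {
            if (c == quote) quote = 0; else cur += c;
        } else if (c == '\'' || c == '"') {
            quote = c; in_word = true;
        } else if (c == ' ') {
            if (in_word) { argv.push_back(cur); cur.clear(); in_word = false; }
        } else {
            cur += c; in_word = true;
        }
    }
    if (in_word) argv.push_back(cur);
    return argv;
}

// Pattern from the report: the file name is pasted into a quoted template.
std::vector<std::string> preview_by_template(const std::string& file) {
    std::string command = "xterm -T \"aMule Preview\" -iconic -e mplayer '$file'";
    command.replace(command.find("$file"), 5, file);
    return split_command(command);
}

// Hardened form (hypothetical helper): the file name is placed in argv as one
// element and is never parsed as part of a command string.
std::vector<std::string> preview_by_argv(const std::string& file) {
    // A leading '-' would still be read as an option; anchor it as a path.
    std::string arg = (!file.empty() && file[0] == '-') ? "./" + file : file;
    return {"xterm", "-T", "aMule Preview", "-iconic", "-e", "mplayer", arg};
}

int main() {
    const std::string name = "a.avi' -constructed-option 'b.avi";  // constructed
    for (const auto& a : preview_by_template(name)) std::cout << "[" << a << "] ";
    std::cout << "\n";
    for (const auto& a : preview_by_argv(name)) std::cout << "[" << a << "] ";
    std::cout << "\n";
}
```

With the template, the single file name becomes three arguments to the player; with the argument vector it stays one. wxWidgets also provides a `wxExecute` overload that takes an argv array instead of a command string.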