Bug 320975 (CVE-2010-1512)

Summary: net-misc/aria2: directory traversal (CVE-2010-1512)
Product: Gentoo Security
Reporter: Stefan Behte (RETIRED) <craig>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: dev-zero
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://downloads.sourceforge.net/project/aria2/stable/aria2-1.9.3/NEWS
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description Stefan Behte (RETIRED) gentoo-dev Security 2010-05-21 22:40:33 UTC
CVE-2010-1512 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1512):
  Directory traversal vulnerability in aria2 before 1.9.3 allows remote
  attackers to create arbitrary files via directory traversal sequences
  in the name attribute of a file element in a metalink file.
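
Added example, not part of the bug report and not aria2's code: a Python check that audits the name attribute of every file element in a metalink document before it is handed to a downloader, and refuses the kind of name CVE-2010-1512 describes. The sample document, the mirror.example URLs and all function names are constructed for illustration.

```python
import posixpath
import xml.etree.ElementTree as ET

# Constructed sample in Metalink 3 layout; not taken from the bug report.
SAMPLE_METALINK = """<?xml version="1.0"?>
<metalink version="3.0" xmlns="http://www.metalinker.org/">
 <files>
  <file name="pkg/example-1.0.tar.gz"><resources><url>http://mirror.example/a</url></resources></file>
  <file name="../../outside.txt"><resources><url>http://mirror.example/b</url></resources></file>
  <file name="/tmp/absolute.txt"><resources><url>http://mirror.example/c</url></resources></file>
  <file name="docs\\..\\..\\notes.txt"><resources><url>http://mirror.example/d</url></resources></file>
 </files>
</metalink>
"""

def name_problem(name):
    """Return why `name` could leave the download directory, or None if it cannot."""
    if not name or "\x00" in name:
        return "empty or contains NUL"
    unified = name.replace("\\", "/")  # count Windows separators as separators
    if unified.startswith("/") or unified[1:2] == ":":  # rooted or drive-letter path
        return "absolute path"
    if ".." in unified.split("/"):
        return "parent-directory component"
    return None

def audit_metalink(xml_text):
    """Map each file element's name to None (acceptable) or the rejection reason."""
    results = {}
    for elem in ET.fromstring(xml_text).iter():
        # Match <file> in any namespace; Metalink 3 and RFC 5854 use different ones.
        if elem.tag.rsplit("}", 1)[-1] == "file":
            name = elem.get("name", "")
            results[name] = name_problem(name)
    return results

def safe_join(base_dir, name):
    """Build the output path, raising ValueError unless it stays under base_dir."""
    reason = name_problem(name)
    if reason:
        raise ValueError(f"rejected {name!r}: {reason}")
    base = posixpath.normpath(base_dir)
    target = posixpath.normpath(posixpath.join(base, name.replace("\\", "/")))
    if posixpath.commonpath([base, target]) != base:  # second, independent check
        raise ValueError(f"rejected {name!r}: resolves outside {base}")
    return target
```

The containment check in safe_join is purely lexical; a deployment that allows symlinks inside the download directory would also need to resolve the real path before writing.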
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2010-05-21 22:41:41 UTC
Can 1.9.3 go stable?
Comment 2 Tiziano Müller (RETIRED) gentoo-dev 2010-05-22 05:24:48 UTC
Yes.
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2010-05-22 11:00:08 UTC
Arches, please test and mark stable:

=net-misc/aria2-1.9.3
Target keywords : "amd64 x86"

BTW: If the security team asks if something can go stable, adding arches is a valid reply, as it makes the process of security bug handling faster. :)
Comment 4 Peter Volkov (RETIRED) gentoo-dev 2010-05-22 18:25:38 UTC
amd64 stable.
Comment 5 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-05-23 14:23:49 UTC
x86 stable, all archs done
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2010-05-23 20:17:06 UTC
GLSA request filed.
Comment 7 Tiziano Müller (RETIRED) gentoo-dev 2010-06-05 05:41:27 UTC
vulnerable versions removed.
Comment 8 Tiziano Müller (RETIRED) gentoo-dev 2010-08-30 05:25:04 UTC
ping?
Comment 9 Tobias Heinlein (RETIRED) gentoo-dev 2011-01-15 21:49:00 UTC
GLSA 201101-04, thanks everyone.