Bug 85380

Summary: net-p2p/limewire: Gnutella Disclosure of Sensitive Information
Product: Gentoo Security
Reporter: Jean-François Brunette (RETIRED) <formula7>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: karsten.koetter, net-p2p
Priority: High
Flags: plasmaroo: Approved+
Version: unspecified   
Hardware: All   
OS: All   
URL: http://secunia.com/advisories/14555/
Whiteboard: B4 [glsa] jaervosz
Package list:
Runtime testing required: ---

Description Jean-François Brunette (RETIRED) gentoo-dev 2005-03-15 11:35:57 UTC
Description:
Kevin Walsh has reported two vulnerabilities in LimeWire, which can be exploited by malicious people to disclose sensitive information.

1) An input validation error in the HTTP handling can be exploited to disclose the content of arbitrary files via a specially crafted request.

Example:
/gnutella/res/[file_with_absolute_path]

The vulnerability has been reported in versions 4.1.2 through 4.5.6.

2) An input validation error in the handling of "magnet" requests can be exploited to disclose the content of arbitrary files via directory traversal attacks.

Example:
/magnet10/../../[file]

The vulnerability has been reported in versions 3.9.6 through 4.6.0.

Solution:
Update to version 4.8 or later.
http://www.limewire.com/english/content/download.shtml
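
A server-side check that would refuse both request shapes quoted in the description above, as an added example (not LimeWire's code or its actual fix). The function name `resolve_shared`, the `RejectedPath` exception and the share-root layout are assumptions; only the two URL prefixes come from the advisory.

```python
import posixpath
from pathlib import Path
from urllib.parse import unquote

# URL prefixes as they appear in the advisory's two example requests.
PREFIXES = ("/gnutella/res/", "/magnet10/")


class RejectedPath(Exception):
    """Raised when a request path must not be served (hypothetical name)."""


def resolve_shared(request_path: str, share_root: Path) -> Path:
    """Map a request path to a file inside share_root, or raise RejectedPath."""
    decoded = unquote(request_path)          # decode once, before any check
    if "\x00" in decoded:
        raise RejectedPath("NUL byte in path")
    prefix = next((p for p in PREFIXES if decoded.startswith(p)), None)
    if prefix is None:
        raise RejectedPath("unknown prefix")
    rel = decoded[len(prefix):].replace("\\", "/")
    # Case 1 of the advisory: remainder is an absolute path (POSIX or drive letter).
    if not rel or posixpath.isabs(rel) or rel[1:2] == ":":
        raise RejectedPath("absolute path")
    # Case 2 of the advisory: '..' segments climbing out of the share.
    if ".." in rel.split("/"):
        raise RejectedPath("directory traversal")
    # Final containment check on the canonical path; this also catches a
    # symlink inside the share that points outside it.
    root = share_root.resolve()
    candidate = (root / rel).resolve()
    if candidate != root and root not in candidate.parents:
        raise RejectedPath("resolves outside share root")
    return candidate
```

The lexical checks give a clear rejection reason for logging; the canonical-path comparison at the end is the one that actually enforces containment.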
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-03-15 12:18:17 UTC
net-p2p, please comment/bump
Comment 2 Omer Hasan 2005-03-21 15:53:37 UTC
Hey, I'm wondering if this issue will be fixed soon, considering it is a vulnerability in the application versus a feature update.

Thanks.
Comment 3 Karol Wojtaszek (RETIRED) gentoo-dev 2005-03-21 23:34:44 UTC
Bumped in portage
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-03-22 03:05:12 UTC
Thanks Karol,
x86: please test and mark stable
Comment 5 Karol Wojtaszek (RETIRED) gentoo-dev 2005-03-22 05:22:53 UTC
*** Bug 85272 has been marked as a duplicate of this bug. ***
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-03-25 05:34:41 UTC
x86/sekretarz: please test and mark x86-stable
Comment 7 Olivier Crete (RETIRED) gentoo-dev 2005-03-28 18:51:07 UTC
stable on x86, sorry for the delay
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-28 20:58:49 UTC
This one is ready for GLSA vote. I tend to vote NO.
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-03-28 23:58:13 UTC
This can be used remotely to leak the contents of any file, I vote YES.
Comment 10 Tim Yamin (RETIRED) gentoo-dev 2005-03-30 06:56:14 UTC
Vote++
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2005-03-31 03:56:13 UTC
GLSA 200503-37