260072 – <net-p2p/mldonkey-3.0.0: arbitrary file disclosure vulnerability (CVE-2009-0753)

Bug 260072 - <net-p2p/mldonkey-3.0.0: arbitrary file disclosure vulnerability (CVE-2009-0753)

Summary: <net-p2p/mldonkey-3.0.0: arbitrary file disclosure vulnerability (CVE-2009-0753)

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:	https://savannah.nongnu.org/bugs/?25667
Whiteboard:	B3 [glsa]
Keywords:

Depends on:
Blocks:	built_with_use
	Show dependency tree

Reported:	2009-02-23 22:07 UTC by Stefan Behte (RETIRED)
Modified:	2009-03-23 22:13 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Stefan Behte (RETIRED) gentoo-dev

2009-02-23 22:07:14 UTC

Quoting from http://www.milw0rm.com/exploits/8097:
MLdonkey (up to 2.9.7) has  a  vulnerability  that allows remote user to access any
file   with   rights   of  running  Mldonkey  daemon  by  supplying  a
special-crafted  request  (ok,  there's  not much special about double
slash) to an Mldonkey http GUI (tcp/4080 usually).

Reference:
https://savannah.nongnu.org/bugs/?25667

Thus, the exploit would be as simple as accessing any file on a remote
host with your browser and double slash:

http://mlhost:4080//etc/passwd

Comment 1 Stefan Behte (RETIRED) gentoo-dev

2009-02-23 22:09:41 UTC

Arches, please test and mark stable:
=net-p2p/mldonkey-2.9.7
Target keywords : "amd64 hppa ppc x86"

Comment 2 Robert Buchholz (RETIRED) gentoo-dev

2009-02-24 10:12:01 UTC

How exactly does 2.9.7 fix this bug? Also, it is not properly tracked in the Security product.

Comment 3 spiralvoice 2009-02-24 22:22:26 UTC

The security bug is present in MLDonkey >= 2.8.4 to <= 2.9.7 and was fixed today in MLDonkey 3.0.0

Comment 4 Robert Buchholz (RETIRED) gentoo-dev

2009-02-25 12:30:52 UTC

http://sourceforge.net/forum/forum.php?forum_id=922717

Comment 5 Raúl Porcel (RETIRED) gentoo-dev

2009-02-25 20:18:21 UTC

=net-p2p/mldonkey-3.0.0 in the tree
Arches: amd64 hppa ppc x86

Comment 6 Robert Buchholz (RETIRED) gentoo-dev

2009-02-25 20:28:17 UTC

Arches, please test and mark stable:
=net-p2p/mldonkey-3.0.0
Target keywords : "amd64 hppa ppc x86"

Comment 7 Raúl Porcel (RETIRED) gentoo-dev

2009-02-26 15:08:16 UTC

x86 stable

Comment 8 Jeroen Roovers (RETIRED) gentoo-dev

2009-02-27 09:44:11 UTC

Stable for HPPA.

Comment 9 Robert Buchholz (RETIRED) gentoo-dev

2009-03-04 17:08:21 UTC

CVE-2009-0753 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0753):
  Absolute path traversal vulnerability in MLDonkey 2.8.4 through 2.9.7
  allows remote attackers to read arbitrary files via a leading "//"
  (double slash) in the filename.

Comment 10 Markus Meier gentoo-dev

2009-03-07 14:28:34 UTC

amd64 stable

Comment 11 Brent Baude (RETIRED) gentoo-dev

2009-03-18 22:26:46 UTC

ppc done

Comment 12 Tobias Heinlein (RETIRED) gentoo-dev

2009-03-22 20:17:23 UTC

Ready for vote, I vote YES.

Comment 13 Alex Legler (RETIRED) archtester

2009-03-22 20:26:25 UTC

YES, request filed.

Comment 14 Pierre-Yves Rofes (RETIRED) gentoo-dev

2009-03-23 22:13:06 UTC

GLSA 200903-36