Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 260072 - <net-p2p/mldonkey-3.0.0: arbitrary file disclosure vulnerability (CVE-2009-0753)
Summary: <net-p2p/mldonkey-3.0.0: arbitrary file disclosure vulnerability (CVE-2009-0753)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://savannah.nongnu.org/bugs/?25667
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks: built_with_use
  Show dependency tree
 
Reported: 2009-02-23 22:07 UTC by Stefan Behte (RETIRED)
Modified: 2009-03-23 22:13 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Behte (RETIRED) gentoo-dev Security 2009-02-23 22:07:14 UTC
Quoting from http://www.milw0rm.com/exploits/8097:
MLdonkey (up to 2.9.7) has  a  vulnerability  that allows remote user to access any
file   with   rights   of  running  Mldonkey  daemon  by  supplying  a
special-crafted  request  (ok,  there's  not much special about double
slash) to an Mldonkey http GUI (tcp/4080 usually).

Reference:
https://savannah.nongnu.org/bugs/?25667

Thus, the exploit would be as simple as accessing any file on a remote
host with your browser and double slash:

http://mlhost:4080//etc/passwd
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2009-02-23 22:09:41 UTC
Arches, please test and mark stable:
=net-p2p/mldonkey-2.9.7
Target keywords : "amd64 hppa ppc x86"
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-02-24 10:12:01 UTC
How exactly does 2.9.7 fix this bug? Also, it is not properly tracked in the Security product.
Comment 3 spiralvoice 2009-02-24 22:22:26 UTC
The security bug is present in MLDonkey >= 2.8.4 to <= 2.9.7 and was fixed today in MLDonkey 3.0.0
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-02-25 12:30:52 UTC
http://sourceforge.net/forum/forum.php?forum_id=922717
Comment 5 Raúl Porcel (RETIRED) gentoo-dev 2009-02-25 20:18:21 UTC
=net-p2p/mldonkey-3.0.0 in the tree
Arches: amd64 hppa ppc x86
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2009-02-25 20:28:17 UTC
Arches, please test and mark stable:
=net-p2p/mldonkey-3.0.0
Target keywords : "amd64 hppa ppc x86"
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2009-02-26 15:08:16 UTC
x86 stable
Comment 8 Jeroen Roovers gentoo-dev 2009-02-27 09:44:11 UTC
Stable for HPPA.
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2009-03-04 17:08:21 UTC
CVE-2009-0753 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0753):
  Absolute path traversal vulnerability in MLDonkey 2.8.4 through 2.9.7
  allows remote attackers to read arbitrary files via a leading "//"
  (double slash) in the filename.

Comment 10 Markus Meier gentoo-dev 2009-03-07 14:28:34 UTC
amd64 stable
Comment 11 Brent Baude (RETIRED) gentoo-dev 2009-03-18 22:26:46 UTC
ppc done
Comment 12 Tobias Heinlein (RETIRED) gentoo-dev 2009-03-22 20:17:23 UTC
Ready for vote, I vote YES.
Comment 13 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-03-22 20:26:25 UTC
YES, request filed.
Comment 14 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-03-23 22:13:06 UTC
GLSA 200903-36