Bug 288291 (CVE-2009-3575) - <=net-misc/aria2-0.15.3 Buffer overflow in DHTRoutingTableDeserializer.cc (CVE-2009-{3575,3617})
Status: RESOLVED FIXED
Alias: CVE-2009-3575
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: https://qa.mandriva.com/show_bug.cgi?...
Whiteboard: B2 [glsa]
Reported: 2009-10-09 11:55 UTC by Alex Legler (RETIRED)
Modified: 2010-01-13 22:15 UTC
Description Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-10-09 11:55:08 UTC
CVE-2009-3575 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3575):
  Buffer overflow in DHTRoutingTableDeserializer.cc in aria2 0.15.3,
  1.2.0, and other versions allows remote attackers to cause a denial
  of service (crash) and possibly execute arbitrary code via unknown
  vectors.
Comment 1 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-10-09 11:55:47 UTC
Can we go stable with aria2-1.5.2?
Comment 2 Tobias Heinlein (RETIRED) gentoo-dev 2009-10-26 22:14:40 UTC
A vulnerability was now found in 1.5.2 as well. Backporting the patch would be fairly simple (as it's only about removing a single line), but I would suggest following upstream and bumping to 1.6.2 and stabilizing that.
Comment 3 Tobias Heinlein (RETIRED) gentoo-dev 2009-10-26 22:18:22 UTC
CVE-2009-3617 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3617):
  Format string vulnerability in the AbstractCommand::onAbort function
  in src/AbstractCommand.cc in aria2 before 1.6.2, when logging is
  enabled, allows remote attackers to execute arbitrary code or cause a
  denial of service (application crash) via format string specifiers in
  a download URI.  NOTE: some of these details are obtained from third
  party information.

Comment 4 Tiziano Müller gentoo-dev 2009-11-03 09:01:55 UTC
1.6.3 is in the tree, all tests pass.
Comment 5 Tobias Heinlein (RETIRED) gentoo-dev 2009-11-03 12:45:32 UTC
(In reply to comment #4)
> 1.6.3 is in the tree, all tests pass.
> 

Thank you. I just noticed 1.6.2 has been in the tree since 11 Oct as well. Do you want 1.6.2 or 1.6.3 to go stable now?
Comment 6 Tiziano Müller gentoo-dev 2009-11-03 13:50:12 UTC
1.6.3 contains more bugfixes, so go for 1.6.3 if possible
Comment 7 Tobias Heinlein (RETIRED) gentoo-dev 2009-11-03 14:51:46 UTC
Arches, please test and mark stable:
=net-misc/aria2-1.6.3
Target keywords : "amd64 x86"
Comment 8 Christian Faulhammer (RETIRED) gentoo-dev 2009-11-03 19:32:02 UTC
x86 stable
Comment 9 Markus Meier gentoo-dev 2009-11-04 11:26:13 UTC
amd64 stable, all arches done.
Comment 10 Tobias Heinlein (RETIRED) gentoo-dev 2009-11-06 09:28:01 UTC
Request filed.
Comment 11 Tiziano Müller gentoo-dev 2009-11-14 10:35:51 UTC
... and vulnerable version is gone.
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2010-01-13 22:15:26 UTC
GLSA 201001-06, thanks everyone.