Bug 320975 (CVE-2010-1512) - net-misc/aria2: directory traversal (CVE-2010-1512)
Status: RESOLVED FIXED
Alias: CVE-2010-1512
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://downloads.sourceforge.net/proj...
Whiteboard: B2 [glsa]
Reported: 2010-05-21 22:40 UTC by Stefan Behte (RETIRED)
Modified: 2011-01-15 21:49 UTC

Description Stefan Behte (RETIRED) gentoo-dev Security 2010-05-21 22:40:33 UTC
CVE-2010-1512 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1512):
  Directory traversal vulnerability in aria2 before 1.9.3 allows remote
  attackers to create arbitrary files via directory traversal sequences
  in the name attribute of a file element in a metalink file.
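
Added example, not part of the bug report and not aria2's own code: a pre-download audit that resolves each metalink file name attribute under the download directory and rejects any that would land outside it. The function names, the sample metalink and the download directory are hypothetical.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample metalink (not from the bug report): one benign entry and
# three whose name attribute tries to leave the download directory.
SAMPLE_METALINK = """<metalink version="3.0" xmlns="http://www.metalinker.org/">
  <files>
    <file name="dist/aria2-1.9.3.tar.bz2"/>
    <file name="../../.bashrc"/>
    <file name="/etc/cron.d/job"/>
    <file name="dist/../../escape.txt"/>
  </files>
</metalink>
"""

def local_name(tag):
    """Strip the XML namespace so the element matches in any metalink version."""
    return tag.rsplit("}", 1)[-1]

def resolve_under(download_dir, name):
    """Return the absolute target for name, or None if it leaves download_dir."""
    if not name or "\x00" in name:
        return None
    name = name.replace("\\", "/")  # treat backslash as a separator too
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return None  # absolute path or drive letter (deliberately conservative)
    base = os.path.realpath(download_dir)
    target = os.path.realpath(os.path.join(base, name))
    # Compare path components, not string prefixes, so that a sibling such as
    # "/srv/dl-evil" is not mistaken for something inside "/srv/dl".
    if target == base or os.path.commonpath([base, target]) != base:
        return None
    return target

def audit_metalink(xml_text, download_dir):
    """Split the file name attributes into (accepted, rejected) lists."""
    accepted, rejected = [], []
    for elem in ET.fromstring(xml_text).iter():
        if local_name(elem.tag) != "file":
            continue
        name = elem.get("name", "")
        ok = resolve_under(download_dir, name) is not None
        (accepted if ok else rejected).append(name)
    return accepted, rejected

if __name__ == "__main__":
    good, bad = audit_metalink(SAMPLE_METALINK, "/srv/downloads")
    print("accepted:", good)
    print("rejected:", bad)
```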
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2010-05-21 22:41:41 UTC
Can 1.9.3 go stable?
Comment 2 Tiziano Müller (RETIRED) gentoo-dev 2010-05-22 05:24:48 UTC
Yes.
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2010-05-22 11:00:08 UTC
Arches, please test and mark stable:

=net-misc/aria2-1.9.3
Target keywords : "amd64 x86"

BTW: If the security team asks if something can go stable, adding arches is a valid reply, as it makes the process of security bug handling faster. :)
Comment 4 Peter Volkov (RETIRED) gentoo-dev 2010-05-22 18:25:38 UTC
amd64 stable.
Comment 5 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-05-23 14:23:49 UTC
x86 stable, all archs done
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2010-05-23 20:17:06 UTC
GLSA request filed.
Comment 7 Tiziano Müller (RETIRED) gentoo-dev 2010-06-05 05:41:27 UTC
vulnerable versions removed.
Comment 8 Tiziano Müller (RETIRED) gentoo-dev 2010-08-30 05:25:04 UTC
ping?
Comment 9 Tobias Heinlein (RETIRED) gentoo-dev 2011-01-15 21:49:00 UTC
GLSA 201101-04, thanks everyone.