Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 85380 - net-p2p/limewire: Gnutella Disclosure of Sensitive Information
Summary: net-p2p/limewire: Gnutella Disclosure of Sensitive Information
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High minor (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/14555/
Whiteboard: B4 [glsa] jaervosz
Keywords:
: 85272 (view as bug list)
Depends on:
Blocks:
 
Reported: 2005-03-15 11:35 UTC by Jean-François Brunette (RETIRED)
Modified: 2005-03-31 03:56 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---
plasmaroo: Approved+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Jean-François Brunette (RETIRED) gentoo-dev 2005-03-15 11:35:57 UTC
Description:
Kevin Walsh has reported two vulnerabilities in LimeWire, which can be exploited by malicious people to disclose sensitive information.

1) An input validation error in the HTTP handling can be exploited to disclose the content of arbitrary files via a specially crafted request.

Example:
/gnutella/res/[file_with_absolute_path]

The vulnerability has been reported in versions 4.1.2 through 4.5.6.

2) An input validation error in the handling of "magnet" requests can be exploited to disclose the content of arbitrary files via directory traversal attacks.

Example:
/magnet10/../../[file]

The vulnerability has been reported in versions 3.9.6 through 4.6.0.

Solution:
Update to version 4.8 or later.
http://www.limewire.com/english/content/download.shtml
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-03-15 12:18:17 UTC
net-p2p, please comment/bump
Comment 2 Omer Hasan 2005-03-21 15:53:37 UTC
hey I wondering if this issue will be fixed soon considering it is a vulnerability in the application versus a feature update. 

Thanks.
Comment 3 Karol Wojtaszek (RETIRED) gentoo-dev 2005-03-21 23:34:44 UTC
Bumped in portage
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-03-22 03:05:12 UTC
Thks Karol,
x86: please test and mark stable
Comment 5 Karol Wojtaszek (RETIRED) gentoo-dev 2005-03-22 05:22:53 UTC
*** Bug 85272 has been marked as a duplicate of this bug. ***
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-03-25 05:34:41 UTC
x86/sekretarz: please test and mark x86-stable
Comment 7 Olivier Crete (RETIRED) gentoo-dev 2005-03-28 18:51:07 UTC
stable on x86, sorry for the delay
Comment 8 Sune Kloppenborg Jeppesen gentoo-dev 2005-03-28 20:58:49 UTC
This one is ready for GLSA vote. I tend to vote NO.
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-03-28 23:58:13 UTC
This can be used remotely to leak the contents of any file, I vote YES.
Comment 10 Tim Yamin (RETIRED) gentoo-dev 2005-03-30 06:56:14 UTC
Vote++
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2005-03-31 03:56:13 UTC
GLSA 200503-37