CVE-2009-1440 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1440): Incomplete blacklist vulnerability in DownloadListCtrl.cpp in amule 2.2.4 allows remote attackers to conduct argument injection attacks into a command for mplayer via a crafted filename.
From the Debian bug:
src/DownloadListCtrl.cpp does the following (code edited for clarification):
    command = wxT("xterm -T \"aMule Preview\" -iconic -e mplayer '$file'");
    [...]
    wxString rawFileName = file->GetFullName().GetRaw();
    command.Replace(wxT("$file"), rawFileName);
    [...]
    wxExecute(command, wxEXEC_ASYNC, p);
Although file->GetFullName() is sanitised by removing :/<> and probably other characters, the single tick (') is neither filtered away nor escaped. Thus it is possible to craft a file name that passes remotely defined arguments to the video player.
Sounds like more than B3. Unfortunately, there does not seem to be a patch yet...
+ 24 May 2009; Patrick Lauer <patrick@gentoo.org> +amule-2.2.5.ebuild: + Bump to 2.2.5, fixes #270060 2.2.5 seems to fix this issue according to upstream.
Arches, please test and mark stable: =net-p2p/amule-2.2.5 Target keywords : "alpha amd64 hppa ppc ppc64 x86"
Stable for HPPA.
Stable on alpha.
ppc stable
x86 stable
ppc64 done
amd64 stable, all arches done.
GLSA 200909-06
According to the aMule Changelog (http://wiki.amule.org/index.php/Changelog_2.2.6), this security issue is "really fixed" in 2.2.6, which is now masked. Sorry if I create unnecessary noise, but I believe this deserves attention.