Bug 674622 (CVE-2019-3500) - <net-misc/aria2-1.34.0-r1: metadata and potential password leaks
Summary: <net-misc/aria2-1.34.0-r1: metadata and potential password leaks
Status: RESOLVED FIXED
Alias: CVE-2019-3500
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Low trivial
Assignee: Gentoo Security
URL: https://github.com/aria2/aria2/issues...
Whiteboard: C4 [noglsa cve]
Duplicates: 679482
Reported: 2019-01-05 17:41 UTC by D'juan McDonald (domhnall)
Modified: 2019-04-20 02:08 UTC
Package list:
net-misc/aria2-1.34.0-r1
Runtime testing required: No
stable-bot: sanity-check+

Description D'juan McDonald (domhnall) 2019-01-05 17:41:04 UTC
(https://nvd.nist.gov/vuln/detail/CVE-2019-3500):
aria2c in aria2 1.33.1, when --log is used, can store an HTTP Basic Authentication username and password in a file, which might allow local users to obtain sensitive information by reading this file.


Upstream Patch: https://github.com/aria2/aria2/commit/37368130ca7de5491a75fd18a20c5c5cc641824a

Gentoo Security Padawan
(domhnall)
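
A check for logs already written by an affected aria2c, added here as an example (not code from this bug, the ebuild or upstream aria2): it reports whether a log file is readable by group/other and which lines carry Basic credentials, then masks them and tightens the mode. It assumes the header appears in the log as `Authorization: Basic <base64>` text; the sample log lines and the `aria2.log` file name are constructed.

```python
import os, re, stat, tempfile

# Authorization / Proxy-Authorization header carrying Basic credentials.
BASIC_RE = re.compile(r"(?i)\b((?:Proxy-)?Authorization:\s*Basic\s+)([A-Za-z0-9+/=]+)")

# Constructed sample; not aria2's exact log layout. "dXNlcjpwYXNz" is "user:pass".
SAMPLE_LOG = (
    "2019-01-05 17:40:01 [INFO] GET /file.iso HTTP/1.1\n"
    "2019-01-05 17:40:01 [INFO] Host: example.org\n"
    "2019-01-05 17:40:01 [INFO] Authorization: Basic dXNlcjpwYXNz\n"
    "2019-01-05 17:40:02 [INFO] HTTP/1.1 200 OK\n"
)

def audit_log(path):
    """Return (readable_by_group_or_other, [line numbers holding Basic credentials])."""
    exposed = bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))
    with open(path, encoding="utf-8", errors="replace") as fh:
        hits = [n for n, line in enumerate(fh, 1) if BASIC_RE.search(line)]
    return exposed, hits

def redact_log(path):
    """Mask credentials, replace the file atomically with mode 0600, return count masked."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        masked, count = BASIC_RE.subn(r"\1********", fh.read())
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w", encoding="utf-8") as out:
        out.write(masked)
    os.chmod(tmp, 0o600)
    os.replace(tmp, path)
    return count

def demo():
    """Run the audit, redaction and re-audit on the constructed sample."""
    path = os.path.join(tempfile.mkdtemp(), "aria2.log")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_LOG)
    os.chmod(path, 0o644)  # readable by other local users, the exposure the CVE describes
    before = audit_log(path)
    return before, redact_log(path), audit_log(path)

if __name__ == "__main__":
    print(demo())
```

Masking the file does not undo earlier exposure, so credentials found this way should be rotated.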
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-04-05 15:45:18 UTC
*** Bug 679482 has been marked as a duplicate of this bug. ***
Comment 2 Larry the Git Cow gentoo-dev 2019-04-05 17:13:53 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e0e0415382f55c1c392facd407a21555b6b55c8c

commit e0e0415382f55c1c392facd407a21555b6b55c8c
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-04-05 17:13:34 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-04-05 17:13:45 +0000

    net-misc/aria2: Backport the fix for CVE-2019-3500
    
    Backport fix for potential password leakage in logs (CVE-2019-3500).
    Ideally this would be a fresh snapshot but autoreconf fails on aria2
    git.
    
    Bug: https://bugs.gentoo.org/674622
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 net-misc/aria2/aria2-1.34.0-r1.ebuild              | 155 +++++++++++++++++++++
 .../aria2/files/aria2-1.34.0-mask-headers.patch    |  46 ++++++
 2 files changed, 201 insertions(+)
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2019-04-06 16:48:31 UTC
@maintainer(s), please let us know when you are ready to stabilize.
Comment 4 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-04-07 07:14:25 UTC
Let's go for it.
Comment 5 Agostino Sarubbo gentoo-dev 2019-04-07 14:44:42 UTC
amd64 stable
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2019-04-08 02:19:09 UTC
x86 stable
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2019-04-20 02:08:29 UTC
Tree is clean