MLdonkey <= 2.9.7 HTTP DOUBLE SLASH Arbitrary File Disclosure Vuln

Bug #340166 reported by big one
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| mldonkey (Debian) | Fix Released | Unknown | | |
| mldonkey (Ubuntu) | Fix Released | Critical | Unassigned | |
| Hardy | Fix Released | Undecided | Unassigned | |
| Intrepid | Fix Released | Undecided | Unassigned | |

Bug Description

http://www.milw0rm.com/exploits/8097

MLdonkey (up to 2.9.7) has a vulnerability that allows a remote user to access any
file with the rights of the running MLdonkey daemon by supplying a
specially crafted request (ok, there's not much special about double
slash) to an MLdonkey HTTP GUI (tcp/4080 usually).

Reference:
https://savannah.nongnu.org/bugs/?25667

Thus, the exploit would be as simple as accessing any file on a remote
host with your browser and double slash:

http://mlhost:4080//etc/passwd

# milw0rm.com [2009-02-23]
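
An added illustration, not MLdonkey's code and not part of the original report: a Python sketch of one common way a double-slash request target escapes a web root, next to a resolver that confines the path and answers 404. The names `serve_naive`, `serve_hardened` and `demo` and the sandbox files are hypothetical, and the assumption that the flaw is a strip-one-slash-then-join pattern is ours; the page does not show how MLdonkey's HTTP handler resolved paths.

```python
import os
import tempfile
from urllib.parse import unquote


def _read(path):
    """Return (200, bytes) for a regular file, else (404, b"")."""
    if os.path.isfile(path):
        with open(path, "rb") as fh:
            return 200, fh.read()
    return 404, b""


def serve_naive(root, target):
    """Flawed pattern: strip ONE leading slash, then join with the root."""
    rel = unquote(target.split("?", 1)[0])[1:]
    # os.path.join drops `root` when `rel` is absolute, which is what
    # is left of a target that starts with two slashes.
    return _read(os.path.join(root, rel))


def serve_hardened(root, target):
    """Confine the resolved path to `root`; anything else is a 404."""
    rel = unquote(target.split("?", 1)[0]).lstrip("/")
    if "\x00" in rel:
        return 404, b""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, rel))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return 404, b""
    return _read(candidate)


def demo():
    """Build a constructed sandbox and request a file outside the root."""
    with tempfile.TemporaryDirectory() as box:
        root = os.path.join(box, "webroot")
        os.mkdir(root)
        with open(os.path.join(root, "index.html"), "wb") as fh:
            fh.write(b"gui")
        outside = os.path.join(box, "outside.txt")   # not under webroot
        with open(outside, "wb") as fh:
            fh.write(b"private")
        probe = "/" + outside                        # double-slash target
        return {
            "naive": serve_naive(root, probe),
            "hardened": serve_hardened(root, probe),
            "normal": serve_hardened(root, "/index.html"),
        }
```

The `realpath` plus `commonpath` check also rejects `..` segments and symlinks that point outside the root, so the same function works as a regression test for the wider path-traversal class.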

Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and taking the time to report a bug. This package is in universe and is community supported. If you are able, perhaps you could prepare debdiffs to fix this by following https://wiki.ubuntu.com/SecurityUpdateProcedures.

Possible upstream patch is https://savannah.nongnu.org/patch/download.php?file_id=17518 (but see upstream bug for more information).

Changed in mldonkey:
status: New → Confirmed
Changed in mldonkey:
status: Unknown → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mldonkey - 2.9.5-2ubuntu1

---------------
mldonkey (2.9.5-2ubuntu1) jaunty; urgency=low

  * fetch debian/patches/url.dpatch from debian's git.
    Fixes HTTP DOUBLE SLASH Arbitrary File Disclosure Vuln
    LP: #340166

 -- Reinhard Tartler <email address hidden> Thu, 19 Mar 2009 10:42:42 +0100

Changed in mldonkey:
status: Confirmed → Fix Released
Reinhard Tartler (siretart) wrote :

The patch should really be included in hardy-security and intrepid-security as well...

Changed in mldonkey (Ubuntu):
importance: Undecided → Critical
Jens Braeuer (jens-braeuer) wrote :

I agree with Reinhard, this patch should _really_ be included in hardy as it will be used for a long time. And please put it in intrepid too!

Thanks a lot!

Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and taking the time to report a bug. This package is in universe and is community supported. If you are able, perhaps you could prepare debdiffs to fix this by following https://wiki.ubuntu.com/SecurityUpdateProcedures.

Changed in mldonkey:
status: New → Confirmed
status: New → Confirmed
Jens Braeuer (jens-braeuer) wrote :

Please find the attached debdiff for hardy.

I verified the version 2.9.2-1 in hardy is vulnerable and also verified the patch fixed the described problem. Double-Slash now results in Status 404.

Regards,
Jens

Marc Deslauriers (mdeslaur) wrote :

Thanks for the debdiff Jens. Packages are being built.
I changed the version number in your debdiff as per security update conventions here: https://wiki.ubuntu.com/SecurityUpdateProcedures

Intrepid still needs a debdiff, do you think you could make one?

Thanks.

Changed in mldonkey:
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mldonkey - 2.9.2-2ubuntu0.1

---------------
mldonkey (2.9.2-2ubuntu0.1) hardy-security; urgency=low

  * SECURITY UPDATE: fetch debian/patches/url.dpatch from debian's git.
    Fixes HTTP DOUBLE SLASH Arbitrary File Disclosure Vuln
    LP: #340166
    CVE-2009-0753

 -- Jens Braeuer <email address hidden> Mon, 23 Mar 2009 16:38:41 +0000

Changed in mldonkey:
status: Fix Committed → Fix Released
Jens Braeuer (jens-braeuer) wrote :

Marc, here comes the debdiff for intrepid.

Regards, Jens

Marc Deslauriers (mdeslaur) wrote :

Thanks for the debdiff Jens, packages are building now.

Changed in mldonkey (Ubuntu Intrepid):
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mldonkey - 2.9.5-1ubuntu0.1

---------------
mldonkey (2.9.5-1ubuntu0.1) intrepid-security; urgency=low

  * SECURITY UPDATE: fetch debian/patches/url.dpatch from debian's git.
    Fixes HTTP DOUBLE SLASH Arbitrary File Disclosure Vuln
    LP: #340166
    CVE-2009-0753

 -- Jens Braeuer <email address hidden> Tue, 24 Mar 2009 08:27:22 +0100

Changed in mldonkey:
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
