Security issue allows code execution, CVE-2009-1440
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
amule (Debian) | Fix Released | Unknown | |
amule (Ubuntu) | Fix Released | High | Unassigned |
Hardy | Fix Released | High | Unassigned |
Intrepid | Fix Released | High | Unassigned |
Jaunty | Fix Released | High | Unassigned |
Karmic | Fix Released | High | Unassigned |
Bug Description
Binary package hint: amule
The presumably fixed CVE-2009-1440 is not fixed after all. Quoting the Debian report:
"Unfortunately it doesn't work properly. It looks like upstream didn't
even bother to test the fix.
Quick (and harmless) way to simulate an attack and reproduce the bug:
- run amule from the command line
- set video player to "vlc" in the preferences
- start downloading a file (use the search tool to find a small
txt file)
- pause download using right click -> Pause
- rename file to '-vvvv.avi (with a leading tick) using right
click -> Show File Details
- resume download, wait for completion
- double click on the file
- you should see VLC's very verbose debug messages in amule's console,
indicating that it has been called with -vvvv.avi as an extra
argument, increasing its verbosity
The following fix works, though (tested with 2.2.5):
rawFileNam
"
(End of quote)
I uploaded a package with the fix to karmic and will try to provide fixes for jaunty, intrepid and hardy.
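An added example (not aMule's code and not the patch from the report) contrasting a string-built player command with an argv-built one, using the file name from the reproduction steps. The splitter, the single-quote wrapping and all function names are assumptions made for illustration; the report does not show how aMule assembles the command.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Constructed model of a lenient quote-aware splitter (not wxWidgets' or aMule's code):
// single quotes group characters, spaces outside quotes separate arguments,
// and an unterminated quote is silently closed at end of input.
std::vector<std::string> split_command(const std::string& cmd) {
    std::vector<std::string> argv;
    std::string cur;
    bool in_quote = false, have_token = false;
    for (char c : cmd) {
        if (c == '\'') { in_quote = !in_quote; have_token = true; }
        else if (c == ' ' && !in_quote) {
            if (have_token) argv.push_back(cur);
            cur.clear(); have_token = false;
        } else { cur += c; have_token = true; }
    }
    if (have_token) argv.push_back(cur);
    return argv;
}

// Weak form (assumed): wrap the name in single quotes, splice it into a string, re-parse.
std::vector<std::string> preview_argv_weak(const std::string& player, const std::string& name) {
    return split_command(player + " '" + name + "'");
}

// Hardened form: the name is never re-parsed. It stays one argv element, and a
// relative name is anchored with "./" so it cannot begin with '-'.
std::vector<std::string> preview_argv_hardened(const std::string& player, const std::string& name) {
    std::string path = (!name.empty() && name[0] == '/') ? name : "./" + name;
    return {player, path};
}

// How a getopt-style player classifies an argument: a leading '-' means option.
bool parsed_as_option(const std::string& arg) {
    return arg.size() > 1 && arg[0] == '-';
}

int main() {
    const std::string name = "'-vvvv.avi";  // file name from the report, leading tick included
    for (const auto& argv : {preview_argv_weak("vlc", name), preview_argv_hardened("vlc", name)}) {
        std::cout << argv.back() << (parsed_as_option(argv.back()) ? "  -> option\n" : "  -> file\n");
    }
    return 0;
}
```

The hardened vector is meant for an exec-style call that takes arguments as an array, so no quoting layer is involved at all.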
CVE References
visibility: private → public
Changed in amule (Ubuntu):
importance: Undecided → High
status: New → Triaged
Changed in amule (Ubuntu Karmic):
status: Triaged → Fix Released
Changed in amule (Ubuntu Jaunty):
importance: Undecided → High
status: New → Confirmed
Changed in amule (Ubuntu Intrepid):
importance: Undecided → High
status: New → Confirmed
Changed in amule (Debian):
status: Unknown → Fix Released
Changed in amule (Ubuntu Hardy):
status: Confirmed → In Progress
Changed in amule (Ubuntu Intrepid):
status: Confirmed → In Progress
Changed in amule (Ubuntu Jaunty):
status: Confirmed → In Progress
Changed in amule (Ubuntu Intrepid):
status: In Progress → Fix Committed
Changed in amule (Ubuntu Jaunty):
status: In Progress → Fix Committed
Changed in amule (Ubuntu Hardy):
status: Incomplete → In Progress
Changed in amule (Ubuntu Hardy):
status: In Progress → Fix Committed
debdiff for jaunty
amule (2.2.4-1ubuntu1.1) jaunty-security; urgency=low
* Security Update (LP: #396807) patches/CVE-2009-1440.patch to fix possible code execution
* add debian/
-- Andreas Moog <email address hidden> Wed, 08 Jul 2009 01:59:01 +0200