|Summary:||MLDonkey: remote arbitrary file disclosure via a GET request with more than one leading / (slash) character in the filename.|
|Product:||[Other] Security Response||Reporter:||Jan Lieskovsky <jlieskov>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||CLOSED NEXTRELEASE||QA Contact:|
|Version:||unspecified||CC:||lemenkov, rjones, vdanen|
|Fixed In Version:||Doc Type:||Bug Fix|
|Last Closed:||2009-03-07 15:25:23 UTC||Type:||---|
Description Jan Lieskovsky 2009-02-24 13:49:44 UTC
The web interface in the MLDonkey P2P networks client in mldonkey-2.9.7 and earlier allows remote attackers to read arbitrary files via a GET request with more than one leading / (slash) character in the filename.

Note: A similar vulnerability to CVE-1999-1456.

References:
https://savannah.nongnu.org/bugs/?25667
http://bugs.gentoo.org/show_bug.cgi?id=260072
http://www.milw0rm.com/exploits/8097
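An added example, not part of the original report and not MLDonkey's code (which is written in OCaml): a Python model of why a handler that strips only one leading slash can resolve a multi-slash request outside its document root, beside a resolver that checks containment after normalisation. The single-slash stripping behaviour, `DOC_ROOT`, the sample requests and all function names are assumptions made for illustration.

```python
import posixpath
from urllib.parse import unquote

DOC_ROOT = "/var/lib/webui"  # hypothetical document root, not MLDonkey's


def inside_root(path):
    """True if `path` is DOC_ROOT itself or lies beneath it."""
    return path == DOC_ROOT or path.startswith(DOC_ROOT + "/")


def resolve_naive(request_path):
    """Assumed model of the flaw: drop ONE leading slash, then join to the root."""
    name = request_path[1:] if request_path.startswith("/") else request_path
    # posixpath.join discards DOC_ROOT when `name` is still an absolute path.
    return posixpath.join(DOC_ROOT, name)


def resolve_safe(request_path):
    """Return a path under DOC_ROOT, or None if the request would escape it."""
    name = unquote(request_path).lstrip("/")  # decode, strip EVERY leading slash
    if "\x00" in name:
        return None
    candidate = posixpath.normpath(posixpath.join(DOC_ROOT, name))
    # Check containment on the normalised result, never on the raw input.
    # normpath is purely lexical; a real server should also resolve symlinks.
    return candidate if inside_root(candidate) else None


# Constructed sample request paths (not taken from the report).
SAMPLES = ["/index.html", "//etc/passwd", "///etc/passwd", "/../../etc/passwd"]


def compare(paths=SAMPLES):
    """For each request: (path, naive result stays in root?, safe result)."""
    return [(p, inside_root(resolve_naive(p)), resolve_safe(p)) for p in paths]


if __name__ == "__main__":
    for path, naive_ok, safe in compare():
        print(f"{path!r:24} naive_in_root={naive_ok!s:5} safe={safe}")
```

The safe resolver maps a multi-slash request to a location inside the root (where it will simply not be found) instead of rejecting it, so legitimate clients that send redundant slashes keep working.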
Comment 1 Jan Lieskovsky 2009-02-24 13:52:54 UTC
Created attachment 333045: Testing patch (please verify its function and correctness).
Comment 2 Jan Lieskovsky 2009-02-24 13:53:40 UTC
This issue affects all versions of the mldonkey package, as shipped with Fedora releases of 9, 10, and devel. Please fix.
Comment 4 Richard W.M. Jones 2009-02-24 23:06:24 UTC
FYI here's the Debian bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=516829
Comment 5 Richard W.M. Jones 2009-02-24 23:26:13 UTC
I looked at mldonkey somewhat baffled trying to work out how to make it do anything *at all* .. and couldn't work it out. So I'm afraid I couldn't reproduce the supposed security bug. However I have looked at the patch in comment 1, and I looked at how it fitted in with the existing code, and the patch appears reasonable to me. I also applied it to mldonkey 2.9.7 from Rawhide and built a new RPM, and it builds without error. (I have not committed anything to Rawhide or any other branch).
Comment 6 Richard W.M. Jones 2009-02-26 09:31:49 UTC
Built for Rawhide, F-10 and F-9. Build fails on EL-4 and EL-5, but this package was never built in those branches (although it was imported) and can't be built because of the too old version of OCaml.
Comment 7 Fedora Update System 2009-02-26 09:34:27 UTC
mldonkey-2.9.7-3.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/mldonkey-2.9.7-3.fc10
Comment 8 Fedora Update System 2009-02-26 09:53:43 UTC
mldonkey-2.9.7-3.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/mldonkey-2.9.7-3.fc9
Comment 9 Fedora Update System 2009-02-26 15:32:53 UTC
mldonkey-2.9.7-3.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2009-02-26 15:34:19 UTC
mldonkey-2.9.7-3.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
Comment 11 Peter Lemenkov 2009-03-03 18:01:20 UTC
*** Bug 488304 has been marked as a duplicate of this bug. ***
Comment 12 Peter Lemenkov 2009-03-03 18:01:48 UTC
*** Bug 488305 has been marked as a duplicate of this bug. ***
Comment 13 Peter Lemenkov 2009-03-03 18:01:57 UTC
*** Bug 488306 has been marked as a duplicate of this bug. ***
Comment 14 Peter Lemenkov 2009-03-07 15:25:23 UTC
Ok, since updated packages hit "updates" repositories, I think that we may close this ticket.