Bug 487132

Summary: MLDonkey: remote arbitrary file disclosure via a GET request with more than one leading / (slash) character in the filename.
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NEXTRELEASE QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: lemenkov, rjones, vdanen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: https://savannah.nongnu.org/bugs/?25667
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-03-07 15:25:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Testing patch (please verify its function and correctness). none

Description Jan Lieskovsky 2009-02-24 13:49:44 UTC 
The WEB interface in the MLDonkey P2P networks client in mldonkey-2.9.7
and earlier allows remote attackers to read arbitrary files via a GET request with more than one leading / (slash) character in the filename. Note: A similar
vulnerability than CVE-1999-1456.

References:
https://savannah.nongnu.org/bugs/?25667
http://bugs.gentoo.org/show_bug.cgi?id=260072
http://www.milw0rm.com/exploits/8097
Comment 1 Jan Lieskovsky 2009-02-24 13:52:54 UTC 
Created attachment 333045 [details]
Testing patch (please verify its function and correctness).
Comment 2 Jan Lieskovsky 2009-02-24 13:53:40 UTC 
This issue affects all versions of the mldonkey package, as shipped with
Fedora releases of 9, 10, and devel.

Please fix.
Comment 3 Jan Lieskovsky 2009-02-24 13:54:09 UTC 
PoC:

http://www.milw0rm.com/exploits/8097
Comment 4 Richard W.M. Jones 2009-02-24 23:06:24 UTC 
FYI here's the Debian bug:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=516829
Comment 5 Richard W.M. Jones 2009-02-24 23:26:13 UTC 
I looked at mldonkey somewhat baffled trying to work out how to
make it do anything *at all* .. and couldn't work it out.  So I'm afraid
I couldn't reproduce the supposed security bug.

However I have looked at the patch in comment 1, and I looked at
how it fitted in with the existing code, and the patch appears
reasonable to me.

I also applied it to mldonkey 2.9.7 from Rawhide and built a new
RPM, and it builds without error.  (I have not committed anything to
Rawhide or any other branch).
Comment 6 Richard W.M. Jones 2009-02-26 09:31:49 UTC 
Built for Rawhide, F-10 and F-9.

Build fails on EL-4 and EL-5, but this package was never
built in those branches (although it was imported) and
can't be built because of the too old version of OCaml.
Comment 7 Fedora Update System 2009-02-26 09:34:27 UTC 
mldonkey-2.9.7-3.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/mldonkey-2.9.7-3.fc10
Comment 8 Fedora Update System 2009-02-26 09:53:43 UTC 
mldonkey-2.9.7-3.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/mldonkey-2.9.7-3.fc9
Comment 9 Fedora Update System 2009-02-26 15:32:53 UTC 
mldonkey-2.9.7-3.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2009-02-26 15:34:19 UTC 
mldonkey-2.9.7-3.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Peter Lemenkov 2009-03-03 18:01:20 UTC 
*** Bug 488304 has been marked as a duplicate of this bug. ***
Comment 12 Peter Lemenkov 2009-03-03 18:01:48 UTC 
*** Bug 488305 has been marked as a duplicate of this bug. ***
Comment 13 Peter Lemenkov 2009-03-03 18:01:57 UTC 
*** Bug 488306 has been marked as a duplicate of this bug. ***
Comment 14 Peter Lemenkov 2009-03-07 15:25:23 UTC 
Ok, since updated packages hits "updates" repostories, I think that we ay close this ticket.