Bug 529342 (CVE-2009-3617)

Summary: CVE-2009-3617 aria2: DoS (crash) if URI to download contains printf format string (%d) and logging is enabled
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED RAWHIDE QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: sundaram, vdanen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://aria2.svn.sourceforge.net/viewvc/aria2/trunk/NEWS?revision=1586
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-10-16 15:26:29 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jan Lieskovsky 2009-10-16 09:36:03 UTC
Aria upstream has released 1.6.2 version fixing one security issue. From
aria2-1.6.2 Release Notes:
--------------------------

This release fixes segmentation fault error if URI to download
contains printf format string and logging is enabled.

  * Fixed the bug that causes segmentation fault if
    req->getCurrentUrl() contains printf format string such as %d. The
    statement that causes this bug is useless and removed.

References:
----------
http://aria2.svn.sourceforge.net/viewvc/aria2/trunk/NEWS?revision=1586

Upstream patch:
---------------
http://aria2.svn.sourceforge.net/viewvc/aria2/trunk/src/AbstractCommand.cc?r1=1539&r2=1572

CVE Request:
------------
http://www.openwall.com/lists/oss-security/2009/10/16/6

Comment 1 Jan Lieskovsky 2009-10-16 09:39:06 UTC
This issue does not affect the version of aria2 package, as scheduled to
be included into Fedora 13 release (aria2-1.6.2-1.fc13 is already updated).

This issue affects the version of aria2 package, as scheduled to
be included into Fedora 12 release (current aria2-1.6.1-1.fc12 version
is still vulnerable, please fix).

This issue does NOT affect the versions of the aria2 package, as shipped
with Fedora releases of 10 and 11 (aria2-1.3.1-2.fc10 aria2-1.3.1-1.fc11).

Comment 2 Rahul Sundaram 2009-10-16 10:02:13 UTC
Ouch. Didn't realize this was a security issue.   Build completed and tag request filed.

http://koji.fedoraproject.org/koji/taskinfo?taskID=1749582
https://fedorahosted.org/rel-eng/ticket/2495

Comment 3 Rahul Sundaram 2009-10-16 15:26:29 UTC
Tagged as a post beta update for Fedora 12. Thank you very much.

Comment 4 Vincent Danen 2009-10-16 19:45:11 UTC
This is CVE-2009-3617.