Bug 592012 (CVE-2010-1512)

Summary: CVE-2010-1512 aria2: improper sanitization of metalink attribute for downloading files
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: metherid, rcvalle
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-11-27 08:45:09 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 592014    
Bug Blocks:    

Description Vincent Danen 2010-05-13 17:11:53 UTC 
Secunia Research reported [1] a flaw in aria2.  From their advisory:

Secunia Research has discovered a vulnerability in aria2, which can be
exploited by malicious people to compromise a user's system.

The vulnerability is caused due to the application not properly
sanitising the "name" attribute of the "file" element of metalink
files before using it to download files. If a user is tricked into
downloading from a specially crafted metalink file, this can be
exploited to download files to directories outside of the intended
download directory via directory traversal attacks.

Version 1.9.3 is indicated as being fixed, via changeset 2097 [2].

This issue has been given the name CVE-2010-1512.

[1] http://secunia.com/secunia_research/2010-71/
[2] http://sourceforge.net/apps/trac/aria2/changeset/2097
Comment 1 Vincent Danen 2010-05-13 17:12:45 UTC 
Created aria2 tracking bugs for this issue

Affects: fedora-all [bug 592014]
Comment 2 Fedora Update System 2010-05-20 23:52:51 UTC 
aria2-1.9.3-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/aria2-1.9.3-1.fc13
Comment 3 Fedora Update System 2010-05-20 23:53:45 UTC 
aria2-1.9.3-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/aria2-1.9.3-1.fc12
Comment 4 Fedora Update System 2010-05-20 23:54:03 UTC 
aria2-1.9.3-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/aria2-1.9.3-1.fc11
Comment 5 Fedora Update System 2010-05-22 01:52:16 UTC 
aria2-1.9.3-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2010-05-22 01:52:27 UTC 
aria2-1.9.3-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2010-05-22 01:53:17 UTC 
aria2-1.9.3-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.