The WEB interface in the MLDonkey P2P networks client in mldonkey-2.9.7
and earlier allows remote attackers to read arbitrary files via a GET request with more than one leading / (slash) character in the filename. Note: A similar
vulnerability than CVE-1999-1456.
Created attachment 333045 [details]
Testing patch (please verify its function and correctness).
This issue affects all versions of the mldonkey package, as shipped with
Fedora releases of 9, 10, and devel.
FYI here's the Debian bug:
I looked at mldonkey somewhat baffled trying to work out how to
make it do anything *at all* .. and couldn't work it out. So I'm afraid
I couldn't reproduce the supposed security bug.
However I have looked at the patch in comment 1, and I looked at
how it fitted in with the existing code, and the patch appears
reasonable to me.
I also applied it to mldonkey 2.9.7 from Rawhide and built a new
RPM, and it builds without error. (I have not committed anything to
Rawhide or any other branch).
Built for Rawhide, F-10 and F-9.
Build fails on EL-4 and EL-5, but this package was never
built in those branches (although it was imported) and
can't be built because of the too old version of OCaml.
mldonkey-2.9.7-3.fc10 has been submitted as an update for Fedora 10.
mldonkey-2.9.7-3.fc9 has been submitted as an update for Fedora 9.
mldonkey-2.9.7-3.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
mldonkey-2.9.7-3.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
*** Bug 488304 has been marked as a duplicate of this bug. ***
*** Bug 488305 has been marked as a duplicate of this bug. ***
*** Bug 488306 has been marked as a duplicate of this bug. ***
Ok, since updated packages hits "updates" repostories, I think that we ay close this ticket.