Bug 529342 (CVE-2009-3617) - CVE-2009-3617 aria2: DoS (crash) if URI to download contains printf format string (%d) and logging is enabled
Summary: CVE-2009-3617 aria2: DoS (crash) if URI to download contains printf format st...
Keywords:
Status: CLOSED RAWHIDE
Alias: CVE-2009-3617
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://aria2.svn.sourceforge.net/view...
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-10-16 09:36 UTC by Jan Lieskovsky
Modified: 2022-04-20 12:56 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2009-10-16 15:26:29 UTC
Embargoed:


Attachments (Terms of Use)

Description Jan Lieskovsky 2009-10-16 09:36:03 UTC
Aria upstream has released 1.6.2 version fixing one security issue. From
aria2-1.6.2 Release Notes:
--------------------------

This release fixes segmentation fault error if URI to download
contains printf format string and logging is enabled.

  * Fixed the bug that causes segmentation fault if
    req->getCurrentUrl() contains printf format string such as %d. The
    statement that causes this bug is useless and removed.

References:
----------
http://aria2.svn.sourceforge.net/viewvc/aria2/trunk/NEWS?revision=1586

Upstream patch:
---------------
http://aria2.svn.sourceforge.net/viewvc/aria2/trunk/src/AbstractCommand.cc?r1=1539&r2=1572

CVE Request:
------------
http://www.openwall.com/lists/oss-security/2009/10/16/6

Comment 1 Jan Lieskovsky 2009-10-16 09:39:06 UTC
This issue does not affect the version of aria2 package, as scheduled to
be included into Fedora 13 release (aria2-1.6.2-1.fc13 is already updated).

This issue affects the version of aria2 package, as scheduled to
be included into Fedora 12 release (current aria2-1.6.1-1.fc12 version
is still vulnerable, please fix).

This issue does NOT affect the versions of the aria2 package, as shipped
with Fedora releases of 10 and 11 (aria2-1.3.1-2.fc10 aria2-1.3.1-1.fc11).

Comment 2 Rahul Sundaram 2009-10-16 10:02:13 UTC
Ouch. Didn't realize this was a security issue.   Build completed and tag request filed.

http://koji.fedoraproject.org/koji/taskinfo?taskID=1749582
https://fedorahosted.org/rel-eng/ticket/2495

Comment 3 Rahul Sundaram 2009-10-16 15:26:29 UTC
Tagged as a post beta update for Fedora 12. Thank you very much.

Comment 4 Vincent Danen 2009-10-16 19:45:11 UTC
This is CVE-2009-3617.


Note You need to log in before you can comment on or make changes to this bug.