Security issue allows code execution, CVE-2009-1440

Bug #396807 reported by Andreas Moog
Affects           Status        Importance  Assigned to  Milestone
amule (Debian)    Fix Released  Unknown
amule (Ubuntu)    Fix Released  High        Unassigned
  Hardy           Fix Released  High        Unassigned
  Intrepid        Fix Released  High        Unassigned
  Jaunty          Fix Released  High        Unassigned
  Karmic          Fix Released  High        Unassigned

Bug Description

Binary package hint: amule

The presumably fixed CVE-2009-1440 is not fixed after all. Quoting the debian report:

"Unfortunately it doesn't work properly. It looks like upstream didn't
even bother to test the fix.

   Quick (and harmless) way to simulate an attack and reproduce the bug:

    - run amule from the command line
    - set video player to "vlc" in the preferences
    - start downloading a file (use the search tool to find a small
      txt file)
    - pause download using right click -> Pause
    - rename file to '-vvvv.avi (with a leading tick) using right
      click -> Show File Details
    - resume download, wait for completion
    - double click on the file
    - you should see VLC's very verbose debug messages in amule's console,
      indicating that it has been called with -vvvv.avi as an extra
      argument, increasing its verbosity

   The following fix works, though (tested with 2.2.5):

     rawFileName.Replace(QUOTE, wxT("\\") QUOTE);
"
(End of quote)

I uploaded a package with the fix to karmic and will try to provide fixes for jaunty, intrepid and hardy.
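As an added example (not aMule's code and not the patch discussed in this bug), the two remedies a reviewer would want to see for this class of bug, written as stand-alone C++ for a POSIX system with /bin/sh: a quoting routine that survives a leading tick when a shell command string cannot be avoided, checked by round-tripping the name through sh, and, preferably, handing the name to the player as its own argv element after "--" so that "-vvvv.avi" can never be read as options. The "player" below is a constructed sh snippet standing in for VLC; nothing here asserts how real VLC or wxWidgets' own argument splitting behaves.

```cpp
#include <cstdio>
#include <string>
#include <vector>
#include <unistd.h>
#include <sys/wait.h>

// Quote one argument for a POSIX shell command line: wrap it in single
// quotes and turn every embedded tick into '\'' (close, literal tick,
// reopen). Nothing else is special inside single quotes, so $, backticks,
// spaces and a leading dash all reach the program unchanged.
std::string shellQuote(const std::string& arg) {
    std::string out = "'";
    for (char c : arg) {
        if (c == '\'') out += "'\\''";
        else out += c;
    }
    return out + "'";
}

// End-to-end check of the quoting: let /bin/sh parse the quoted name and
// report back the single argument it produced.
std::string shellRoundTrip(const std::string& name) {
    std::string cmd = "printf '%s\\n' " + shellQuote(name);
    FILE* p = popen(cmd.c_str(), "r");
    if (!p) return "";
    std::string out;
    char buf[256];
    while (fgets(buf, sizeof buf, p)) out += buf;
    pclose(p);
    if (!out.empty() && out.back() == '\n') out.pop_back();
    return out;
}

// Preferred route: no command string at all. Fork, exec the argv vector
// directly, and return whatever the child wrote to stdout.
std::string runArgv(const std::vector<std::string>& argv) {
    int fds[2];
    if (pipe(fds) != 0) return "";
    pid_t pid = fork();
    if (pid < 0) return "";
    if (pid == 0) {
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]);
        close(fds[1]);
        std::vector<char*> cargv;
        for (const std::string& a : argv)
            cargv.push_back(const_cast<char*>(a.c_str()));
        cargv.push_back(nullptr);
        execvp(cargv[0], cargv.data());
        _exit(127);
    }
    close(fds[1]);
    std::string out;
    char buf[256];
    ssize_t n;
    while ((n = read(fds[0], buf, sizeof buf)) > 0) out.append(buf, n);
    close(fds[0]);
    int status = 0;
    waitpid(pid, &status, 0);
    if (!out.empty() && out.back() == '\n') out.pop_back();
    return out;
}

// Constructed stand-in for the media player (NOT VLC): counts -v flags,
// stops option parsing at "--", and reports what it took as the file name.
static const char* kFakePlayer =
    "v=0; while [ $# -gt 0 ]; do case \"$1\" in"
    " --) shift; break;;"
    " -v*) v=$((v+1));;"
    " -*) printf 'unknown option %s\\n' \"$1\"; exit 2;;"
    " *) break;; esac; shift; done;"
    " printf 'verbosity=%s file=%s\\n' \"$v\" \"$1\"";

// Unsafe: the file name lands in an option-parsing position.
std::string playUnsafe(const std::string& name) {
    return runArgv({"sh", "-c", kFakePlayer, "player", name});
}

// Safe: "--" ends option parsing, so "-vvvv.avi" is only ever a file name.
std::string playSafe(const std::string& name) {
    return runArgv({"sh", "-c", kFakePlayer, "player", "--", name});
}

int main() {
    const std::string hostile = "'-vvvv.avi";   // the renamed download from the report
    printf("quoted     : %s\n", shellQuote(hostile).c_str());
    printf("round trip : %s\n", shellRoundTrip(hostile).c_str());
    printf("unsafe     : %s\n", playUnsafe("-vvvv.avi").c_str());
    printf("safe       : %s\n", playSafe("-vvvv.avi").c_str());
    return 0;
}
```

One caveat on the one-line fix quoted above: if the assembled command string reaches a POSIX shell and the name sits inside single quotes, a backslash before a tick is taken literally and does not escape it, so the '\'' form used here is the one that works there; a launcher that splits the string itself (as wxWidgets' wxExecute does on Unix) has its own escaping rules, which is why the argv route with "--" is the better default.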

Andreas Moog (ampelbein)
visibility: private → public
Changed in amule (Ubuntu):
importance: Undecided → High
status: New → Triaged
Andreas Moog (ampelbein)
Changed in amule (Ubuntu Karmic):
status: Triaged → Fix Released
Changed in amule (Ubuntu Jaunty):
importance: Undecided → High
status: New → Confirmed
Changed in amule (Ubuntu Intrepid):
importance: Undecided → High
status: New → Confirmed
Changed in amule (Debian):
status: Unknown → Fix Released
Revision history for this message
Andreas Moog (ampelbein) wrote :

debdiff for jaunty

amule (2.2.4-1ubuntu1.1) jaunty-security; urgency=low

  * Security Update (LP: #396807)
  * add debian/patches/CVE-2009-1440.patch to fix possible code execution

 -- Andreas Moog <email address hidden> Wed, 08 Jul 2009 01:59:01 +0200

Revision history for this message
Andreas Moog (ampelbein) wrote :

debdiff for Intrepid:

amule (2.2.2-1ubuntu1.1) intrepid-security; urgency=low

  * Security Update (LP: #396807)
  * add debian/patches/CVE-2009-1440.patch to fix possible code execution

 -- Andreas Moog <email address hidden> Wed, 08 Jul 2009 02:36:12 +0200

Revision history for this message
Andreas Moog (ampelbein) wrote :

debdiff for hardy:

amule (2.2.0~svn20080218-0ubuntu4.1) hardy-security; urgency=low

  * Security Update (LP: #396807)
  * add debian/patches/CVE-2009-1440.patch to fix possible code execution

 -- Andreas Moog <email address hidden> Wed, 08 Jul 2009 02:45:47 +0200

Changed in amule (Ubuntu Hardy):
importance: Undecided → High
status: New → Confirmed
Changed in amule (Ubuntu Hardy):
status: Confirmed → In Progress
Changed in amule (Ubuntu Intrepid):
status: Confirmed → In Progress
Changed in amule (Ubuntu Jaunty):
status: Confirmed → In Progress
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Thanks for the debdiffs!

Please format the changelogs as per:

https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Submission

And please tag the patches as per:

https://wiki.ubuntu.com/UbuntuDevelopment/PatchTaggingGuidelines

I'm marking this bug as incomplete. Once you've uploaded revised debdiffs, please mark as "In Progress".

Thanks!

Changed in amule (Ubuntu Hardy):
status: In Progress → Incomplete
Changed in amule (Ubuntu Intrepid):
status: In Progress → Incomplete
Changed in amule (Ubuntu Jaunty):
status: In Progress → Incomplete
Revision history for this message
Andreas Moog (ampelbein) wrote :
Revision history for this message
Andreas Moog (ampelbein) wrote :
Revision history for this message
Andreas Moog (ampelbein) wrote :
Changed in amule (Ubuntu Jaunty):
status: Incomplete → In Progress
Changed in amule (Ubuntu Intrepid):
status: Incomplete → In Progress
Changed in amule (Ubuntu Hardy):
status: Incomplete → In Progress
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

The debdiff for hardy won't compile:

../../src/DownloadListCtrl.cpp:2244: error: 'QUOTE' was not declared in this scope

Changed in amule (Ubuntu Hardy):
status: In Progress → Incomplete
Changed in amule (Ubuntu Intrepid):
status: In Progress → Fix Committed
Changed in amule (Ubuntu Jaunty):
status: In Progress → Fix Committed
Revision history for this message
Andreas Moog (ampelbein) wrote :

The I-like-quilt-and-would-like-to-poke-its-authors-with-a-large-glowing-stick-to-show-my-appreciation-debdiff is attached.

Andreas Moog (ampelbein)
Changed in amule (Ubuntu Hardy):
status: Incomplete → In Progress
Changed in amule (Ubuntu Hardy):
status: In Progress → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package amule - 2.2.0~svn20080218-0ubuntu4.1

---------------
amule (2.2.0~svn20080218-0ubuntu4.1) hardy-security; urgency=low

  * SECURITY UPDATE: Incomplete escaping in filenames allows remote attackers
    to conduct argument injection attacks into a command via a crafted
    filename. (LP: #396807)
    - src/DownloadListCtrl.cpp sanitises the downloaded filenames but does
      not escape ticks in filenames correctly.
    - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=525078
    - Patch by Sam Hocevar
    - CVE-2009-1440

 -- Andreas Moog <email address hidden> Wed, 08 Jul 2009 02:45:47 +0200

Changed in amule (Ubuntu Hardy):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package amule - 2.2.2-1ubuntu1.1

---------------
amule (2.2.2-1ubuntu1.1) intrepid-security; urgency=low

  * SECURITY UPDATE: Incomplete escaping in filenames allows remote attackers
    to conduct argument injection attacks into a command via a crafted
    filename. (LP: #396807)
    - src/DownloadListCtrl.cpp sanitises the downloaded filenames but does
      not escape ticks in filenames correctly.
    - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=525078
    - Patch by Sam Hocevar
    - CVE-2009-1440

 -- Andreas Moog <email address hidden> Wed, 08 Jul 2009 02:36:12 +0200

Changed in amule (Ubuntu Intrepid):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package amule - 2.2.4-1ubuntu1.1

---------------
amule (2.2.4-1ubuntu1.1) jaunty-security; urgency=low

  * SECURITY UPDATE: Incomplete escaping in filenames allows remote attackers
    to conduct argument injection attacks into a command via a crafted
    filename. (LP: #396807)
    - src/DownloadListCtrl.cpp sanitises the downloaded filenames but does
      not escape ticks in filenames correctly.
    - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=525078
    - Patch by Sam Hocevar
    - CVE-2009-1440

 -- Andreas Moog <email address hidden> Wed, 08 Jul 2009 01:59:01 +0200

Changed in amule (Ubuntu Jaunty):
status: Fix Committed → Fix Released