aMule Forum

English => en_Bugs => Topic started by: Festor on July 26, 2009, 01:41:18 AM

Title: CVE-2009-1440 really fixed in 2.2.5?
Post by: Festor on July 26, 2009, 01:41:18 AM
Searching in Debian bug tracker I found this:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=525078#27
Title: Re: CVE-2009-1440 really fixed in 2.2.5?
Post by: Stu Redman on July 26, 2009, 02:30:00 PM
Hmm - tried it and could reproduce the problem:
Quote
   Quick (and harmless) way to simulate an attack and reproduce the bug:

    - run amule from the command line
    - set video player to "vlc" in the preferences
    - start downloading a file (use the search tool to find a small
      txt file)
    - pause download using right click -> Pause
    - rename file to '-vvvv.avi (with a leading tick) using right
      click -> Show File Details
    - resume download, wait for completion
    - double click on the file
    - you should see VLC's very verbose debug messages in amule's console,
      indicating that it has been called with -vvvv.avi as an extra
      argument, increasing its verbosity
:(

Didn't try the suggested fix
Quote
   The following fix works, though (tested with 2.2.5):

     rawFileName.Replace(QUOTE, wxT("\\") QUOTE);
Title: Re: CVE-2009-1440 really fixed in 2.2.5?
Post by: Festor on July 27, 2009, 12:26:58 PM
Then there's a problem, right?

Should I patch my aMule builds, or will there be a 2.2.6? (or a "2.2.5.1" release)  ::)
Title: Re: CVE-2009-1440 really fixed in 2.2.5?
Post by: GonoszTopi on July 27, 2009, 07:43:34 PM
Quote
   Didn't try the suggested fix
Could you please?

Quote
   or there will be a 2.2.6?
Don't know yet. Last release was almost 3 months ago, and this is the second patch affecting 2.2.5 I consider serious.
Title: Re: CVE-2009-1440 really fixed in 2.2.5?
Post by: Stu Redman on July 28, 2009, 12:22:50 AM
Quote
   Then there's a problem, right?
Yeah, just as serious as this one (http://xkcd.com/327/).  ::)

Quote
   Quote
      Didn't try the suggested fix
   Could you please?
Fix works. No super-verbose messages, and file is actually played back (I downloaded an mp3). I've tried '-vvvv.avi and Bla'-vvvv Bla.avi. Don't know if there are other constellations thinkable.
Title: Re: CVE-2009-1440 really fixed in 2.2.5?
Post by: wires on July 28, 2009, 07:19:17 AM

Quote
   Fix works. No super-verbose messages, and file is actually played back (I downloaded an mp3). I've tried '-vvvv.avi and Bla'-vvvv Bla.avi. Don't know if there are other constellations thinkable.

What about using "file:///<TEMPDIR>/<PARTFILE>" as the file argument and/or using "vlc -- <PARTFILE>"? At least on Linux, '--' denotes the end of options.
Title: Re: CVE-2009-1440 really fixed in 2.2.5?
Post by: Kry on July 28, 2009, 08:53:23 AM
Quote
   Don't know yet. Last release was almost 3 months ago, and this is the second patch affecting 2.2.5 I consider serious.

Do.