Topic: CVE-2009-1440 really fixed in 2.2.5? (Read 3888 times)

Festor · « **on:** July 26, 2009, 01:41:18 AM »

Searching in Debian bug tracker I found this:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=525078#27

Stu Redman · « **Reply #1 on:** July 26, 2009, 02:30:00 PM »

Hmm - tried it and could reproduce the problem:

Quote

Quick (and harmless) way to simulate an attack and reproduce the bug:

- run amule from the command line
- set video player to "vlc" in the preferences
- start downloading a file (use the search tool to find a small
txt file)
- pause download using right click -> Pause
- rename file to '-vvvv.avi (with a leading tick) using right
click -> Show File Details
- resume download, wait for completion
- double click on the file
- you should see VLC's very verbose debug messages in amule's console,
indicating that it has been called with -vvvv.avi as an extra
argument, increasing its verbosity

Didn't try the suggested fix

Quote

The following fix works, though (tested with 2.2.5):

rawFileName.Replace(QUOTE, wxT("\\") QUOTE);

Festor · « **Reply #2 on:** July 27, 2009, 12:26:58 PM »

Then there's a problem, right?

Should I patch my aMule builds or there will be a 2.2.6? (or a "2.2.5.1" release)

GonoszTopi · « **Reply #3 on:** July 27, 2009, 07:43:34 PM »

Quote from: Stu Redman on July 26, 2009, 02:30:00 PM

Didn't try the suggested fix

Could you please?

Quote from: Festor on July 27, 2009, 12:26:58 PM

or there will be a 2.2.6?

Don't know yet. Last release was almost 3 months ago, and this is the second patch affecting 2.2.5 I consider serious.

Stu Redman · « **Reply #4 on:** July 28, 2009, 12:22:50 AM »

Quote from: Festor on July 27, 2009, 12:26:58 PM

Then there's a problem, right?

Yeah, just as serious as this one.

Quote from: GonoszTopi on July 27, 2009, 07:43:34 PM

Quote from: Stu Redman on July 26, 2009, 02:30:00 PM
Didn't try the suggested fix
Could you please?

Fix works. No super-verbose messages, and file is actually played back (I downloaded an mp3). I've tried '-vvvv.avi and Bla'-vvvv Bla.avi Don't know if there are other constellations thinkable.

wires · « **Reply #5 on:** July 28, 2009, 07:19:17 AM »

Quote from: Stu Redman on July 28, 2009, 12:22:50 AM

Fix works. No super-verbose messages, and file is actually played back (I downloaded an mp3). I've tried '-vvvv.avi and Bla'-vvvv Bla.avi Don't know if there are other constellations thinkable.

What about using "file:///<TEMPDIR>/<PARTFILE>" as the file argument and/or using "vlc -- <PARTFILE>". At least for linux '--' denotes end of options.

Kry · « **Reply #6 on:** July 28, 2009, 08:53:23 AM »

Quote from: GonoszTopi on July 27, 2009, 07:43:34 PM

Don't know yet. Last release was almost 3 months ago, and this is the second patch affecting 2.2.5 I consider serious.

Do.

aMule Forum

News:

Author Topic: CVE-2009-1440 really fixed in 2.2.5? (Read 3888 times)

Festor

CVE-2009-1440 really fixed in 2.2.5?

Stu Redman

Re: CVE-2009-1440 really fixed in 2.2.5?

Festor

Re: CVE-2009-1440 really fixed in 2.2.5?

GonoszTopi

Re: CVE-2009-1440 really fixed in 2.2.5?

Stu Redman

Re: CVE-2009-1440 really fixed in 2.2.5?

wires

Re: CVE-2009-1440 really fixed in 2.2.5?

Kry

Re: CVE-2009-1440 really fixed in 2.2.5?