Bugzilla – Bug 605937
VUL-0: CVE-2010-1512: aria2: metalink name Directory Traversal Vulnerability
Last modified: 2016-04-15 11:56:50 UTC
Hi. There is a security bug in package 'aria2'. This bug is public. There is no coordinated release date (CRD) set.

More information can be found here: http://aria2.sourceforge.net/
CVE number: CVE-2010-1512
CVE description: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1512

Original posting:

---------- Forwarded Message ----------
Subject: [Full-disclosure] Secunia Research: aria2 metalink "name" Directory Traversal Vulnerability
Date: Thursday 13 May 2010, 15:25:31
From: Secunia Research <remove-vuln@secunia.com>
To: full-disclosure@lists.grok.org.uk

======================================================================
Secunia Research 13/05/2010
- aria2 metalink "name" Directory Traversal Vulnerability -
======================================================================

Table of Contents
1) Affected Software
2) Severity
3) Vendor's Description of Software
4) Description of Vulnerability
5) Solution
6) Time Table
7) Credits
8) References
9) About Secunia
10) Verification

======================================================================
1) Affected Software

* aria2 1.9.1 build2

NOTE: Other versions may also be affected.

======================================================================
2) Severity

Rating: Moderately critical
Impact: System access
Where: Remote

======================================================================
3) Vendor's Description of Software

"aria2 is a lightweight multi-protocol & multi-source, cross platform download utility operated in command-line."

Product Link: http://aria2.sourceforge.net/

======================================================================
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in aria2, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to the application not properly sanitising the "name" attribute of the "file" element of metalink files before using it to download files. If a user is tricked into downloading from a specially crafted metalink file, this can be exploited to download files to directories outside of the intended download directory via directory traversal attacks.

======================================================================
5) Solution

Update to version 1.9.3.

======================================================================
6) Time Table

30/04/2010 - Vendor notified.
01/05/2010 - Vendor response.
13/05/2010 - Public disclosure.

======================================================================
7) Credits

Discovered by Stefan Cornelius, Secunia Research.

======================================================================
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2010-1512 for the vulnerability.

======================================================================
9) About Secunia

Secunia offers vulnerability management solutions to corporate customers with verified and reliable vulnerability intelligence relevant to their specific system configuration:
http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory database as a service to the security community and private individuals, who are interested in or concerned about IT-security.
http://secunia.com/advisories/

Secunia believes that it is important to support the community and to do active vulnerability research in order to aid improving the security and reliability of software in general:
http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below to see currently vacant positions:
http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/advisories/mailing_lists/

======================================================================
10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2010-71/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================
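The advisory above describes the missing check: the "name" attribute of a metalink "file" element is used as a download path without being sanitised. The following Python is an added illustration for this bug report (not aria2's own code) of the validation a downloader needs before joining such a name onto its download directory. It parses a constructed Metalink 3 document (namespace http://www.metalinker.org/) and refuses absolute paths, backslashes and any ".." component, so a crafted metalink cannot place files outside the intended directory.

```python
"""Reject unsafe metalink 'name' attributes before using them as download
paths.  Added example, not aria2's own code."""
import posixpath
import xml.etree.ElementTree as ET

ML_NS = "{http://www.metalinker.org/}"  # Metalink 3 namespace

# Constructed sample: one benign nested name, three traversal attempts.
SAMPLE_METALINK = """<?xml version="1.0" encoding="utf-8"?>
<metalink version="3.0" xmlns="http://www.metalinker.org/">
  <files>
    <file name="dist/example-1.0.tar.gz"/>
    <file name="../../.bashrc"/>
    <file name="/etc/cron.d/job"/>
    <file name="sub\\..\\other.bin"/>
  </files>
</metalink>
"""


def safe_relative_name(name):
    """Return a normalized relative path, or None if the name is unsafe.

    Absolute paths, NUL bytes, backslashes (a separator on Windows) and any
    '..' component are refused, so joining the result onto the download
    directory can never leave it.
    """
    if not name or "\x00" in name or "\\" in name or name.startswith("/"):
        return None
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        return None
    return posixpath.join(*parts)


def planned_downloads(metalink_xml, download_dir):
    """Map each acceptable file name to its target path; list the rejects."""
    root = ET.fromstring(metalink_xml)
    accepted, rejected = {}, []
    for f in root.iter(ML_NS + "file"):
        name = f.get("name", "")
        rel = safe_relative_name(name)
        if rel is None:
            rejected.append(name)
        else:
            accepted[name] = posixpath.join(download_dir, rel)
    return accepted, rejected
```

Calling planned_downloads(SAMPLE_METALINK, "/home/user/downloads") keeps only the "dist/example-1.0.tar.gz" entry and reports the other three names as rejected.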
Hello Pascal, would you like to take over from Michael to fix this security bug?
I'm a bit puzzled on this one. Upgrading from 1.8.2 to 1.9.3 is quite a steep jump and would possibly introduce new bugs or minor changes in behavior, even though aria2 has shown a pretty strong record in terms of stability and compatibility so far. I had a shot at backporting the vulnerability fix from upstream by trying to manually apply parts of the diff from 1.9.2 to 1.9.3, but it would require more work to isolate the fix into something self-contained, as the internal APIs have changed a bit. A more full-blown port of the diff from 1.9.2 to 1.9.3 requires more changes at a few critical places, something I don't feel comfortable with either and, in that case, we might as well directly go with 1.9.3. So.. erm.. I'm still a bit undecided, will try harder to isolate a fix, but not with an unreasonable amount of effort nor time.
Normally we back-port fixes, especially when the (external) behavior and/or API changes. Other distros can be a good source for extracting back-ported patches.
See also http://wiki.opensuse.org/openSUSE:Package_maintenance
This will be enhanced with information for security updates shortly.
After considering the options, I decided to go with an upgrade to 1.9.3: I believe it is a higher risk to make a non-trivial patch against 1.8.x (which we would be the only ones to use, Debian is on a much older release and Fedora has upgraded to 1.9.3 too, including on older Fedora releases) than upgrading to the latest upstream version, where the issue has been fixed by the authors.

I just pushed 1.9.3 to openSUSE:11.2:Update:Test/aria2 with SR 40497.

Would someone in the security team take care of the patchinfo? (I don't have a SWAMP ID, nor can I create one myself, at least as far as I know.)
yast2 depends heavily on aria2; therefore we need to make 100% sure that the aria2 version upgrade does not break yast2 code. Did the API change? Are openSUSE 11.1 and 11.3/Factory affected too?
I'm very aware of that :) I'd have to check which flags the zypp stack passes to aria2, but the "API" (the CLI interface) didn't actually change from 1.8.2 to 1.9.3. I did an "aria2c --help" with both versions (1.8.2 and 1.9.3) and diffed the output: no change at all. Of course, other, more subtle things might affect zypp, hence the only way to make sure is to do a call for testing.

Seems something is fishy at the moment as there are no aria2 packages in http://download.opensuse.org/repositories/openSUSE:/11.2:/Update:/Test/standard/ but I can't check right now, OBS is giving us 500.

And, yes, all openSUSE versions are affected as the CVE is only fixed in 1.9.3. That would actually be even trickier. Factory currently uses 1.9.1 and there is no CLI API change either. openSUSE 11.1 has aria2-0.16.0, which is quite old, where I could probably roll a patch instead (Debian has a patch against 0.14). There are quite a few changes from 0.16.0 to 1.9.3, but the CLI API seems to be backwards compatible (at least from looking at a diff). Nevertheless, I'd rather do a patch to stay with 0.16.0 there.
In the meantime, I've built packages in my own staging projects for testing.

* aria2-1.9.3 for openSUSE 11.2 (version upgrade): http://download.opensuse.org/repositories/home:/pbleser:/staging:/security:/11.2/openSUSE_11.2/ (same as in network:utilities, but built in isolation)
* aria2-0.16.0 for openSUSE 11.1 (patched, based on [1]): http://download.opensuse.org/repositories/home:/pbleser:/staging:/security:/11.1/openSUSE_11.1/

[1] http://freshmeat.net/articles/debian-new-aria2-packages-fix-directory-traversal

Factory should simply upgrade to 1.9.3.

The patch against 0.16.0 is available there: https://api.opensuse.org/public/source/home:pbleser:staging:security:11.1/aria2/aria2-0.16.0-CVE-2010-1512.patch
Pascal, thanks a lot. Coolo, is the version upgrade of aria2 ok for you?
For Factory? Sounds okay. For the rest, the maintenance team has to decide.
Anja, what do you think? Should we do it but with additional tests for openSUSE?
Just to clarify again: the drawback of backporting/patching compared to upgrading is that we need to do the patch on our own, and it's not trivial because while the API and CLI remained the same (from 1.8.x to 1.9.3), the code inside changed a lot. Comparing that risk with upgrading to 1.9.3 which is maintained upstream, I personally believe it's less risky to go with 1.9.3. But that's just my personal engineering 0.02€ ;)
Hi Jiri, what is your opinion from the yast side here? Any doubts that it is too dangerous?
I'm not aware of YaST relying on aria except libzypp, which should not be an issue. Therefore, as long as it is QAed, I'm fine with version upgrade.
As we use the CLI I see it as not that dangerous. Should get 1 or 2 weeks of testing in public-test however.
OK, let's do this upgrade with QA-testing + 2 weeks in update-test. There is already an open running SwampID for aria2: 33321
Could someone then please accept SR 40497?

40497 State:new By:pbleser When:2010-05-22T12:05:28
submit: home:pbleser:branches:openSUSE:11.2:Update:Test/aria2 -> openSUSE:11.2:Update:Test
Descr: upgrade to 1.9.3 to fix bnc#605937 CVCVE-2010-1512

(OK, there's a typo in the Descr ;))
The SWAMPID for this issue is 33321. This issue was rated as important. Please submit fixed packages as soon as possible. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
You need to tell us (security team) in the bug report after you submit such updates; we are not watching the submit requests.

I submitted a patchinfo for 11.2.
Is the 11.1 also good? The patch at least looks process-wise acceptable.
Update released for: aria2, aria2-debuginfo, aria2-debugsource Products: openSUSE 11.2 (debug, i586, x86_64)
11.1 update?
Pascal?
Pascal, what's the status with the fix for 11.1?
Oh my, I thought it was applied already. I just submitted SR 46852 against openSUSE:11.1:Update:Test (from my branch). I guess that you guys take it from here. If not, please let me know what else I need to do. Mea culpa, mea maxima culpa.
thanks
the submission was declined
ro@suse.de made changes to openSUSE:11.1:Update/aria2 without going through openSUSE:11.1:Update:Test/aria2 first, apparently, which is why it was rejected. I manually copied his changes from Update to Update:Test and redid my patch and request; it's now SR 46922.
dirty autobuild hacks ... *grmbl* thanks for resolving the issue nevertheless
And, of course, with all that shmoo, I forgot to actually apply the patch. After slapping myself, I revoked SR 46922, fixed the .spec, and re-submitted. Now it's SR 46989
Update released for: aria2, aria2-debuginfo, aria2-debugsource Products: openSUSE 11.1 (debug, i586, ppc, x86_64)
released
This is an autogenerated message for OBS integration: This bug (605937) was mentioned in
https://build.opensuse.org/request/show/40497 11.2:Test / aria2
https://build.opensuse.org/request/show/46989 11.1:Test / aria2