Posted: Wed Sep 09, 2009 5:26 pm
Post subject: [ GLSA 200909-06 ] aMule: Parameter injection
Gentoo Linux Security Advisory
Title: aMule: Parameter injection (GLSA 200909-06)
Severity: normal
Exploitable: remote
Date: September 09, 2009
Bug(s): #268163
ID: 200909-06
Synopsis
An input validation error in aMule enables remote attackers to pass
arbitrary parameters to a victim's media player.
Background
aMule is an eMule-like client for the eD2k and Kademlia networks,
supporting multiple platforms.
Affected Packages
Package: net-p2p/amule
Vulnerable: < 2.2.5
Unaffected: >= 2.2.5
Architectures: All supported architectures
Description
Sam Hocevar discovered that the aMule preview function does not
properly sanitize file names.
Impact
A remote attacker could entice a user to download a file with a
specially crafted file name to inject arbitrary arguments to the
victim's video player.
Workaround
There is no known workaround at this time.
Resolution
All aMule users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-p2p/amule-2.2.5"
References
CVE-2009-1440
Last edited by GLSA on Sat Aug 03, 2013 4:28 am; edited 3 times in total
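The bug class named in the Description and Impact sections, shown as an added example that is not aMule's code and not part of the advisory: a peer-supplied file name pasted into a player command line versus the same name passed as one anchored argv element. The function names, the "player" binary and the "/srv/downloads" directory are hypothetical, and the file name is a constructed sample.

```cpp
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Unsafe pattern: the file name is pasted into a command-line string that is
// split on whitespace afterwards, so the name itself can contribute tokens.
std::vector<std::string> build_argv_naive(const std::string& player,
                                          const std::string& file_name) {
    std::istringstream cmdline(player + " " + file_name);
    std::vector<std::string> argv;
    for (std::string tok; cmdline >> tok;) argv.push_back(tok);
    return argv;
}

// A peer-supplied name may only name one file inside the download directory:
// no path separators, no control characters, no "." or "..".
bool is_plain_file_name(const std::string& name) {
    if (name.empty() || name == "." || name == "..") return false;
    for (unsigned char c : name)
        if (c == '/' || c == '\\' || c < 0x20 || c == 0x7f) return false;
    return true;
}

// Hardened pattern: the name is exactly one argv element (suitable for execv,
// never for a shell), and it is anchored under an absolute directory so the
// player can never see an argument that begins with '-'.
// Returns an empty vector when the input is rejected.
std::vector<std::string> build_argv_safe(const std::string& player,
                                         const std::string& download_dir,
                                         const std::string& file_name) {
    if (download_dir.empty() || download_dir[0] != '/') return {};
    if (!is_plain_file_name(file_name)) return {};
    std::string path = download_dir;
    if (path.back() != '/') path += '/';
    return {player, path + file_name};
}

int main() {
    const std::string name = "--constructed-option=value clip.avi";  // constructed sample
    std::cout << "naive argc: " << build_argv_naive("player", name).size()
              << ", safe argc: "
              << build_argv_safe("player", "/srv/downloads", name).size() << "\n";
}
```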