
Bug#516829: marked as done (Http double slash request arbitrary file access vulnerability)



Your message dated Mon, 16 Mar 2009 19:32:31 +0000
with message-id <E1LjIY3-0000Jl-0W@ries.debian.org>
and subject line Bug#516829: fixed in mldonkey 3.0.0-1
has caused the Debian Bug report #516829,
regarding Http double slash request arbitrary file access vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
516829: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=516829
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: mldonkey-server
Version: 2.9.5-2
Severity: grave
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi,

MLdonkey (up to 2.9.7) has a vulnerability that allows a remote user to
access any file with the rights of the running MLdonkey daemon by
supplying a specially crafted request (ok, there's not much special
about a double slash) to the MLdonkey HTTP GUI (tcp/4080 usually).

Reference:
https://savannah.nongnu.org/bugs/?25667

Thus, the exploit would be as simple as accessing any file on a remote
host with your browser and a double slash:

http://mlhost:4080//etc/passwd




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkmjETEACgkQNxpp46476arOowCfdUi6Nmhi0vagcdOb06ya/RRA
RWsAn1THtf88DUbVAL6dunEq4MeLJjWn
=elDe
-----END PGP SIGNATURE-----



--- End Message ---
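The report above describes a classic request-path handling failure: a path beginning with a double slash reaches the file-opening code as an absolute filesystem path, so the daemon serves any file it can read. The following is an added example, not MLdonkey's code and not from the bug report or the Debian package: a toy handler illustrating one common way this bug class arises (dropping exactly one leading slash before joining onto the document root), the hardened resolver a defender would write in its place (decode, require every path component to be a plain name so that `//`, `/./` and `/../` are all refused, then confirm the real path stays under the root), and a detector that runs the same check over constructed access-log lines. The web root path and the log format are assumptions made for the demonstration.

```python
import os
import re
from urllib.parse import unquote

# Assumed document root for the demonstration; not MLdonkey's real path.
WEB_ROOT = "/var/lib/mldonkey/www"


def naive_resolve(root: str, request_path: str) -> str:
    """Illustrative handler in the style of the reported bug class (not
    MLdonkey's actual code): drop one leading '/' and join onto the root.
    A request starting with '//' still begins with '/' after the strip, and
    os.path.join discards everything before an absolute component, so the
    root is silently lost and an arbitrary file path comes back."""
    if request_path.startswith("/"):
        request_path = request_path[1:]
    return os.path.normpath(os.path.join(root, request_path))


class PathEscapeError(ValueError):
    """Raised when a request path is not a clean, contained path under root."""


def safe_resolve(root: str, request_path: str) -> str:
    """Hardened resolution.

    1. Percent-decode first, so '%2e%2e' cannot hide a '..' component.
    2. Require an absolute URL path made only of plain component names:
       any empty component ('//' or trailing '/'), '.' or '..' is refused.
    3. Resolve symlinks on both root and candidate and check containment,
       as a second layer in case step 2 is ever loosened.
    """
    decoded = unquote(request_path)
    if "\x00" in decoded or not decoded.startswith("/"):
        raise PathEscapeError(request_path)
    rel = decoded[1:]                       # drop the single leading '/'
    parts = rel.split("/") if rel else []   # '/' alone maps to the root
    if any(p in ("", ".", "..") for p in parts):
        raise PathEscapeError(request_path)
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, *parts))
    if candidate != root_real and not candidate.startswith(root_real + os.sep):
        raise PathEscapeError(request_path)
    return candidate


# Constructed sample log lines ("date time client method path"); the
# format is an assumption for this example, not a real MLdonkey log.
SAMPLE_LOG = """\
2009-02-23 10:00:01 10.0.0.5 GET /index.html
2009-02-23 10:00:02 10.0.0.7 GET //etc/passwd
2009-02-23 10:00:03 10.0.0.7 GET /%2e%2e/%2e%2e/etc/shadow
2009-02-23 10:00:04 10.0.0.9 GET /submit?q=test
"""

_LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<client>\S+) (?P<method>\S+) (?P<path>\S+)$")


def flag_traversal_requests(log_text: str) -> list:
    """Return (client, raw_path) for every request whose path the hardened
    resolver would refuse; the query string is ignored for the path check."""
    flagged = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue
        raw_path = m.group("path")
        path_only = raw_path.split("?", 1)[0]
        try:
            safe_resolve(WEB_ROOT, path_only)
        except PathEscapeError:
            flagged.append((m.group("client"), raw_path))
    return flagged


if __name__ == "__main__":
    print("naive  //etc/passwd ->", naive_resolve(WEB_ROOT, "//etc/passwd"))
    print("safe   /index.html  ->", safe_resolve(WEB_ROOT, "/index.html"))
    for client, path in flag_traversal_requests(SAMPLE_LOG):
        print("flagged", client, path)
```

The strict component check is deliberately an allow-list: rather than trying to enumerate every encoding of `..` or every slash-collapsing quirk, it accepts only paths that are already in canonical form and lets the containment check on `realpath` catch anything that slips through a symlink. The same function doubles as a detection rule over historical logs, which is how a defender would scope exposure for a bug like this after patching.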
--- Begin Message ---
Source: mldonkey
Source-Version: 3.0.0-1

We believe that the bug you reported is fixed in the latest version of
mldonkey, which is due to be installed in the Debian FTP archive:

mldonkey-gui_3.0.0-1_i386.deb
  to pool/main/m/mldonkey/mldonkey-gui_3.0.0-1_i386.deb
mldonkey-server_3.0.0-1_i386.deb
  to pool/main/m/mldonkey/mldonkey-server_3.0.0-1_i386.deb
mldonkey_3.0.0-1.diff.gz
  to pool/main/m/mldonkey/mldonkey_3.0.0-1.diff.gz
mldonkey_3.0.0-1.dsc
  to pool/main/m/mldonkey/mldonkey_3.0.0-1.dsc
mldonkey_3.0.0.orig.tar.gz
  to pool/main/m/mldonkey/mldonkey_3.0.0.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 516829@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Samuel Mimram <smimram@debian.org> (supplier of updated mldonkey package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 16 Mar 2009 20:11:12 +0100
Source: mldonkey
Binary: mldonkey-server mldonkey-gui
Architecture: source i386
Version: 3.0.0-1
Distribution: unstable
Urgency: low
Maintainer: Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>
Changed-By: Samuel Mimram <smimram@debian.org>
Description: 
 mldonkey-gui - Graphical frontend for mldonkey based on GTK+
 mldonkey-server - Door to the 'donkey' network
Closes: 204266 332324 432205 484674 487803 508280 508436 508533 508538 509001 513369 514449 516829 517996
Changes: 
 mldonkey (3.0.0-1) unstable; urgency=low
 .
   [ Sylvain Le Gall ]
   * Remove useless explanation in chroot section of README.Debian.
   * Add debian/gbp.conf to force using pristine-tar
 .
   [ Stephane Glondu ]
   * Switch packaging to git.
 .
   [ Samuel Mimram ]
   * New upstream release, closes: #508280.
   * Fixes alignment problem on ARM, closes: #487803.
   * Remove useless line in init script, closes: #509001.
   * Better handling of errors in init script, closes: #508538.
   * Pass --debconf-ok option to ucf, closes: #514449.
   * Mention default telnet port in README.Debian, closes: #508436.
   * Updated Vietnamese debconf translation, closes: #513369.
   * Update standards version to 3.8.1.
   * Don't uselessly build-depend on dpkg-dev.
   * Version reference to GPL in copyright.
 .
   [ Mehdi Dogguy ]
   * New upstream release, closes: #516829.
   * Bump standards version to 3.8.0, no changes needed.
   * Fix Lintian warning concerning debian/mldonkey-server.postinst: not
     specify full path of used commands.
   * Add ${misc:Depends} as a dependency for mldonkey-gui.
   * Add myself to uploaders.
   * Add DMUA flag (with Sam's blessing)
   * Add Homepage field
   * Use ocamlbuild to build utils
   * Add msse2 flag for i386 architecture
   * Simplify debian/rules
   * Create a manpage for mldonkey (link to mlnet's manpage for the moment)
   * Drop chrooted-mlnet support and do not suggest makejail anymore,
     closes: #204266.
   * Update/install NEWS.Debian and mention (again) removal of mldonkey_server
     (already mentioned in this changelog, entries 2.8.1-3, 2.8.3-2 and
     2.8.5-2), closes: #517996.
   * Add missing build-dependency libbz2-dev to enable Directconnect protocol.
   * Move mldonkey_{files,options,command,submit} to /usr/lib/mldonkey.
     Closes: #484674
   * Move the daemon's log in /var/log/mldonkey, closes: #508533.
   * Add debian/xml-man/generate-man to automatically generate manpages from
     help output, closes: #432205.
   * Remove some debconf questions, closes: #332324.
Checksums-Sha1: 
 39ae847009c836a1fd78c9b041a465f2b6019836 1613 mldonkey_3.0.0-1.dsc
 3a3309ae7cc0f5844016ac03451e72a99458a662 3350386 mldonkey_3.0.0.orig.tar.gz
 9f342b7f376f536b65ec3530c0e16f96c711bb88 128406 mldonkey_3.0.0-1.diff.gz
 ea61149b26a243d159da49656190995160ddb882 2583810 mldonkey-server_3.0.0-1_i386.deb
 ef55372b141d23d303850af39245bc842480ffc1 3729030 mldonkey-gui_3.0.0-1_i386.deb
Checksums-Sha256: 
 b763c06b814072270c72ab12d0dd3099d135f23f52a12192091ddf4279c45eee 1613 mldonkey_3.0.0-1.dsc
 a6bfc60922e4b6b0aea030a258833a95d74bb2111afdaa5a055ca2de2607708f 3350386 mldonkey_3.0.0.orig.tar.gz
 68eac7fc60014224a10baf9b901b02d3733e583618bc61c6527b9a3bf2c2e344 128406 mldonkey_3.0.0-1.diff.gz
 428a0476a2c335b4fbbb8fbe4ef5d61f1c95b00fe9f88048ad315fcf71afb36e 2583810 mldonkey-server_3.0.0-1_i386.deb
 35bcbbd091d81749232edda37f7458991f43a3ed4197f98afe99c07e523190e4 3729030 mldonkey-gui_3.0.0-1_i386.deb
Files: 
 6e2b1d296472599769729d695f77397d 1613 net optional mldonkey_3.0.0-1.dsc
 7d3341c4fdb7a18ada73c3dfe3649c9e 3350386 net optional mldonkey_3.0.0.orig.tar.gz
 b91f4fc652b043506bf6f68f9f524177 128406 net optional mldonkey_3.0.0-1.diff.gz
 892587648dc780c90da1bb9f6af26fa9 2583810 net optional mldonkey-server_3.0.0-1_i386.deb
 82409c4885096f33e33bf3185400df4e 3729030 net optional mldonkey-gui_3.0.0-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkm+pgMACgkQIae1O4AJae+JDgCeNMEkycAIQi5363tArmmBU9Fn
ho8An0F6mVISWL7OjGal5hhzrF3UrZzl
=cstL
-----END PGP SIGNATURE-----



--- End Message ---