Debian Bug report logs - #525078
insufficient path escaping when opening files
Reported by: Sam Hocevar <sam@zoy.org>
Date: Tue, 21 Apr 2009 22:45:01 UTC
Severity: important
Tags: security, upstream
Found in version amule/2.2.4-1
Fixed in versions amule/2.2.5-1.1, amule/2.2.1-1+lenny2
Done: Steffen Joeris <white@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Adeodato Simó <dato@net.com.org.es>: Bug#525078; Package amule. (Tue, 21 Apr 2009 22:45:04 GMT)
Acknowledgement sent to Sam Hocevar <sam@zoy.org>: New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Adeodato Simó <dato@net.com.org.es>. (Tue, 21 Apr 2009 22:45:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: amule
Version: 2.2.4-1+b1
Severity: normal
Tags: security upstream
src/DownloadListCtrl.cpp does the following (code edited for
clarification):

    command = wxT("xterm -T \"aMule Preview\" -iconic -e mplayer '$file'");
    [...]
    wxString rawFileName = file->GetFullName().GetRaw();
    command.Replace(wxT("$file"), rawFileName);
    [...]
    wxExecute(command, wxEXEC_ASYNC, p);

Although file->GetFullName() is sanitised by removing :/<> and
probably other characters, the single tick (') is neither filtered
away nor escaped. Thus it is possible to craft a file name that
passes remotely defined arguments to the video player.

A side effect is that it is impossible to open a downloaded file that
has a "'" character in its name.
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.28.7 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages amule depends on:
ii amule-common 2.2.4-1 common files for the rest of aMule
ii libc6 2.9-7 GNU C Library: Shared libraries
ii libcrypto++8 5.6.0-1 General purpose cryptographic libr
ii libgcc1 1:4.3.3-8 GCC support library
ii libgeoip1 1.4.6.dfsg-2 A non-DNS IP-to-country resolver l
ii libstdc++6 4.3.3-8 The GNU Standard C++ Library v3
ii libupnp3 1:1.6.6-3 Portable SDK for UPnP Devices (sha
ii libwxbase2.8-0 2.8.7.1-1.1 wxBase library (runtime) - non-GUI
ii libwxgtk2.8-0 2.8.7.1-1.1 wxWidgets Cross-platform C++ GUI t
ii zlib1g 1:1.2.3.3.dfsg-13 compression library - runtime
Versions of packages amule recommends:
ii amule-utils 2.2.4-1+b1 utilities for aMule (command-line
Versions of packages amule suggests:
ii amule-utils-gui 2.2.4-1+b1 graphic utilities for aMule
-- no debconf information
Severity set to `important' from `normal'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Wed, 22 Apr 2009 00:12:02 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Adeodato Simó <dato@net.com.org.es>: Bug#525078; Package amule. (Wed, 29 Apr 2009 18:36:05 GMT)
Acknowledgement sent to Nico Golde <nion@debian.org>: Extra info received and forwarded to list. Copy sent to Adeodato Simó <dato@net.com.org.es>. (Wed, 29 Apr 2009 18:36:05 GMT)
Message #12 received at 525078@bugs.debian.org:
Hi,
CVE-2009-1440 has been assigned to this.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Information forwarded to debian-bugs-dist@lists.debian.org, Adeodato Simó <dato@net.com.org.es>: Bug#525078; Package amule. (Mon, 08 Jun 2009 04:36:02 GMT)
Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>: Extra info received and forwarded to list. Copy sent to Adeodato Simó <dato@net.com.org.es>. (Mon, 08 Jun 2009 04:36:02 GMT)
Message #17 received at 525078@bugs.debian.org:
Hi Sam

How about the lines below (2300-2302)?

    #ifndef __WXMSW__
    rawFileName.Replace(QUOTE, wxT("'\"'\"'"));
    #endif

Wouldn't it be sufficient to just run this over rawFileName at any time and
escape the single tick or am I missing something?

Cheers
Steffen
Reply sent to Steffen Joeris <steffen.joeris@skolelinux.de>: You have taken responsibility. (Mon, 15 Jun 2009 10:18:11 GMT)
Notification sent to Sam Hocevar <sam@zoy.org>: Bug acknowledged by developer. (Mon, 15 Jun 2009 10:18:12 GMT)
Message #22 received at 525078-done@bugs.debian.org:
Version: 2.2.5-1
Hi
The code snippet is upstream's security fix. Testing it now and preparing DSA.
Cheers
Steffen
Information forwarded to debian-bugs-dist@lists.debian.org, Adeodato Simó <dato@net.com.org.es>: Bug#525078; Package amule. (Wed, 17 Jun 2009 22:30:12 GMT)
Acknowledgement sent to Sam Hocevar <sam@zoy.org>: Extra info received and forwarded to list. Copy sent to Adeodato Simó <dato@net.com.org.es>. (Wed, 17 Jun 2009 22:30:12 GMT)
Message #27 received at 525078@bugs.debian.org:
reopen 525078
thanks

On Mon, Jun 15, 2009, Steffen Joeris wrote:
> The code snippet is upstream's security fix. Testing it now and preparing DSA.

Unfortunately it doesn't work properly. It looks like upstream didn't
even bother to test the fix.

Quick (and harmless) way to simulate an attack and reproduce the bug:
 - run amule from the command line
 - set video player to "vlc" in the preferences
 - start downloading a file (use the search tool to find a small
   txt file)
 - pause download using right click -> Pause
 - rename file to '-vvvv.avi (with a leading tick) using right
   click -> Show File Details
 - resume download, wait for completion
 - double click on the file
 - you should see VLC's very verbose debug messages in amule's console,
   indicating that it has been called with -vvvv.avi as an extra
   argument, increasing its verbosity

The following fix works, though (tested with 2.2.5):

    rawFileName.Replace(QUOTE, wxT("\\") QUOTE);

--
Sam.
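
The two replacements quoted in messages #17 and #27, compared in an added example that is not part of the original messages and is not aMule or wxWidgets code. It assumes a stand-in argument splitter (`split_model`, hypothetical) in which a quote opens an argument only at its start and a backslash makes the next character literal; `escape_name`, `preview_argv`, `single_arg` and the `vlc '$file'` template are likewise constructed for illustration.

```cpp
// Added example; split_model() is a stand-in splitter, not wxWidgets code.
#include <cctype>
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Assumed rules: ' or " opens a quoted argument only at the start of an
// argument; a backslash makes the next character literal.
std::vector<std::string> split_model(const std::string& cmd) {
    std::vector<std::string> args;
    std::size_t i = 0, n = cmd.size();
    while (i < n) {
        while (i < n && std::isspace(static_cast<unsigned char>(cmd[i]))) ++i;
        if (i >= n) break;
        char quote = 0;
        if (cmd[i] == '\'' || cmd[i] == '"') quote = cmd[i++];
        std::string arg;
        while (i < n) {
            char c = cmd[i];
            if (c == '\\' && i + 1 < n) { arg += cmd[i + 1]; i += 2; continue; }
            bool end = quote ? c == quote
                             : std::isspace(static_cast<unsigned char>(c)) != 0;
            ++i;
            if (end) break;
            arg += c;
        }
        args.push_back(arg);
    }
    return args;
}

enum class Escape { None, ShellIdiom, BackslashQuote, BackslashBoth };

// ShellIdiom is the '"'"' replacement from message #17 (correct for a POSIX
// shell); BackslashQuote is the \' replacement from message #27;
// BackslashBoth also escapes the escape character itself.
std::string escape_name(const std::string& name, Escape mode) {
    std::string out;
    for (char c : name) {
        if (c == '\'' && mode == Escape::ShellIdiom) out += "'\"'\"'";
        else if (c == '\'' && mode != Escape::None) out += "\\'";
        else if (c == '\\' && mode == Escape::BackslashBoth) out += "\\\\";
        else out += c;
    }
    return out;
}

// Substitute the name into a constructed template and split the result.
std::vector<std::string> preview_argv(const std::string& name, Escape mode) {
    std::string command = "vlc '$file'";
    command.replace(command.find("$file"), 5, escape_name(name, mode));
    return split_model(command);
}

// True only if the whole name reached the player as exactly one argument.
bool single_arg(const std::string& name, Escape mode) {
    std::vector<std::string> argv = preview_argv(name, mode);
    return argv.size() == 2 && argv[1] == name;
}

int main() {
    const std::string name = "'-vvvv.avi";  // file name from message #27
    const char* label[] = {"none", "'\"'\"'", "\\'", "\\' and \\\\"};
    for (int m = 0; m < 4; ++m) {
        std::cout << label[m] << ":";
        for (const std::string& a : preview_argv(name, static_cast<Escape>(m)))
            std::cout << " [" << a << "]";
        std::cout << "\n";
    }
    return 0;
}
```

An escape only protects a value when it matches the parser that will consume the string. Handing the player its file name as a separate argv element, instead of substituting it into a command string, removes the dependency on any quoting convention.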
Bug reopened, originator not changed. Request was from Sam Hocevar <sam@zoy.org> to control@bugs.debian.org. (Wed, 17 Jun 2009 22:30:15 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Adeodato Simó <dato@net.com.org.es>: Bug#525078; Package amule. (Mon, 22 Jun 2009 02:12:02 GMT)
Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>: Extra info received and forwarded to list. Copy sent to Adeodato Simó <dato@net.com.org.es>. (Mon, 22 Jun 2009 02:12:02 GMT)
Message #34 received at 525078@bugs.debian.org:
Hi
Attached is the NMU patch.
Cheers
Steffen
[nmu.patch (text/x-patch, attachment)]
Reply sent to Steffen Joeris <white@debian.org>: You have taken responsibility. (Mon, 22 Jun 2009 03:27:09 GMT)
Notification sent to Sam Hocevar <sam@zoy.org>: Bug acknowledged by developer. (Mon, 22 Jun 2009 03:27:10 GMT)
Message #39 received at 525078-close@bugs.debian.org:
Source: amule
Source-Version: 2.2.5-1.1
We believe that the bug you reported is fixed in the latest version of
amule, which is due to be installed in the Debian FTP archive:
amule-common_2.2.5-1.1_all.deb
to pool/main/a/amule/amule-common_2.2.5-1.1_all.deb
amule-daemon_2.2.5-1.1_i386.deb
to pool/main/a/amule/amule-daemon_2.2.5-1.1_i386.deb
amule-utils-gui_2.2.5-1.1_i386.deb
to pool/main/a/amule/amule-utils-gui_2.2.5-1.1_i386.deb
amule-utils_2.2.5-1.1_i386.deb
to pool/main/a/amule/amule-utils_2.2.5-1.1_i386.deb
amule_2.2.5-1.1.diff.gz
to pool/main/a/amule/amule_2.2.5-1.1.diff.gz
amule_2.2.5-1.1.dsc
to pool/main/a/amule/amule_2.2.5-1.1.dsc
amule_2.2.5-1.1_i386.deb
to pool/main/a/amule/amule_2.2.5-1.1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 525078@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Steffen Joeris <white@debian.org> (supplier of updated amule package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Thu, 18 Jun 2009 14:10:54 +0000
Source: amule
Binary: amule amule-common amule-utils amule-utils-gui amule-daemon
Architecture: source i386 all
Version: 2.2.5-1.1
Distribution: unstable
Urgency: high
Maintainer: Adeodato Simó <dato@net.com.org.es>
Changed-By: Steffen Joeris <white@debian.org>
Description:
amule - client for the eD2k and Kad networks, like eMule
amule-common - common files for the rest of aMule packages
amule-daemon - non-graphic version of aMule, a client for the eD2k and Kad netwo
amule-utils - utilities for aMule (command-line version)
amule-utils-gui - graphic utilities for aMule
Closes: 525078
Changes:
amule (2.2.5-1.1) unstable; urgency=high
.
* Non-maintainer upload by the security team
* Make sure that the single tick is handled properly in order to avoid
code execution (Closes: #525078)
Fixes: CVE-2009-1440
Reply sent to Steffen Joeris <white@debian.org>: You have taken responsibility. (Tue, 23 Jun 2009 13:57:05 GMT)
Notification sent to Sam Hocevar <sam@zoy.org>: Bug acknowledged by developer. (Tue, 23 Jun 2009 13:57:05 GMT)
Message #44 received at 525078-close@bugs.debian.org:
Source: amule
Source-Version: 2.2.1-1+lenny2
We believe that the bug you reported is fixed in the latest version of
amule, which is due to be installed in the Debian FTP archive:
amule-common_2.2.1-1+lenny2_all.deb
to pool/main/a/amule/amule-common_2.2.1-1+lenny2_all.deb
amule-daemon_2.2.1-1+lenny2_i386.deb
to pool/main/a/amule/amule-daemon_2.2.1-1+lenny2_i386.deb
amule-utils-gui_2.2.1-1+lenny2_i386.deb
to pool/main/a/amule/amule-utils-gui_2.2.1-1+lenny2_i386.deb
amule-utils_2.2.1-1+lenny2_i386.deb
to pool/main/a/amule/amule-utils_2.2.1-1+lenny2_i386.deb
amule_2.2.1-1+lenny2.diff.gz
to pool/main/a/amule/amule_2.2.1-1+lenny2.diff.gz
amule_2.2.1-1+lenny2.dsc
to pool/main/a/amule/amule_2.2.1-1+lenny2.dsc
amule_2.2.1-1+lenny2_i386.deb
to pool/main/a/amule/amule_2.2.1-1+lenny2_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 525078@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Steffen Joeris <white@debian.org> (supplier of updated amule package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Sun, 21 Jun 2009 06:34:26 +0200
Source: amule
Binary: amule amule-common amule-utils amule-utils-gui amule-daemon
Architecture: source i386 all
Version: 2.2.1-1+lenny2
Distribution: stable-security
Urgency: high
Maintainer: Adeodato Simó <dato@net.com.org.es>
Changed-By: Steffen Joeris <white@debian.org>
Description:
amule - client for the eD2k and Kad networks, like eMule
amule-common - common files for the rest of aMule packages
amule-daemon - non-graphic version of aMule, a client for the eD2k and Kad netwo
amule-utils - utilities for aMule (command-line version)
amule-utils-gui - graphic utilities for aMule
Closes: 525078
Changes:
amule (2.2.1-1+lenny2) stable-security; urgency=high
.
* Non-maintainer upload by the security team
* Fix incomplete escaping of offending characters by including the
single tick (') as well (Closes: #525078)
Fixes: CVE-2009-1440
Reply sent to Steffen Joeris <white@debian.org>: You have taken responsibility. (Sat, 27 Jun 2009 16:45:28 GMT)
Notification sent to Sam Hocevar <sam@zoy.org>: Bug acknowledged by developer. (Sat, 27 Jun 2009 16:45:29 GMT)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 26 Jul 2009 07:37:30 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 17:49:02 2019