aria2: CVE-2019-3500: Metadata and potential password leaks via --log=

Related Vulnerabilities: CVE-2019-3500  

Debian Bug report logs - #918058


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 2 Jan 2019 21:00:02 UTC

Severity: normal

Tags: fixed-upstream, security, upstream

Found in versions aria2/1.34.0-3, aria2/1.30.0-2

Fixed in version aria2/1.34.0-4

Done: Kartik Mistry <kartik@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/aria2/aria2/issues/1329




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Patrick Ruckstuhl <patrick@ch.tario.org>:
Bug#918058; Package src:aria2. (Wed, 02 Jan 2019 21:00:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Patrick Ruckstuhl <patrick@ch.tario.org>. (Wed, 02 Jan 2019 21:00:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: aria2: CVE-2019-3500: Metadata and potential password leaks via --log=
Date: Wed, 02 Jan 2019 21:57:11 +0100
Source: aria2
Version: 1.30.0-2
Severity: normal
Tags: security upstream
Forwarded: https://github.com/aria2/aria2/issues/1329
Control: found -1 1.34.0-3

Hi,

The following vulnerability was published for aria2.

CVE-2019-3500[0]:
| aria2c in aria2 1.33.1, when --log is used, can store an HTTP Basic
| Authentication username and password in a file, which might allow local
| users to obtain sensitive information by reading this file.

The security impact is somewhat disputable/limited; still reporting it
for tracking purposes with regard to the upstream issue. Once a fix is
available it can land in Debian as well.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-3500
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3500
[1] https://github.com/aria2/aria2/issues/1329

Regards,
Salvatore

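The report above describes the failure mode but not how to tell whether a host is already affected: an aria2c invocation run with --log before the fix may have written request headers, including an HTTP Basic credential, into a world-readable log. The following is an added example, not code from aria2 or from this bug report, that a practitioner can run over an existing log file to find and redact such leaks. It looks for two things: `Authorization` / `Proxy-Authorization: Basic` headers (decoding the base64 to report the username only) and credentials embedded in URLs as `scheme://user:pass@host`. The sample log lines are constructed for the example and their layout is an assumption, not a capture of real aria2 output.

```python
import base64
import re
import sys
from typing import Dict, List, Optional, Tuple

# Constructed sample lines in the style of an aria2c --log file. These are
# illustrative only; the exact layout of aria2's debug output is an assumption.
SAMPLE_LOG = """\
2019-01-02 21:57:11.000000 [DEBUG] [HttpConnection.cc:108] CUID#7 - Request:
GET /files/secret.tar.gz HTTP/1.1
User-Agent: aria2/1.33.1
Accept: */*
Host: files.example.test
Authorization: Basic YWxpY2U6aHVudGVyMg==
Pragma: no-cache
2019-01-02 21:57:11.100000 [DEBUG] [HttpConnection.cc:108] CUID#8 - Request:
GET http://bob:s3cret@mirror.example.test/pkg.deb HTTP/1.1
Proxy-Authorization: Basic Ym9iOnMzY3JldA==
2019-01-02 21:57:12.000000 [NOTICE] Download complete: /tmp/pkg.deb
"""

# A Basic credential in an Authorization or Proxy-Authorization header line.
BASIC_RE = re.compile(
    r"^(?P<hdr>(?:Proxy-)?Authorization):\s*Basic\s+(?P<b64>[A-Za-z0-9+/=]+)",
    re.IGNORECASE | re.MULTILINE,
)
# userinfo embedded in a URL: scheme://user:password@host
URL_CRED_RE = re.compile(
    r"(?P<scheme>[a-z][a-z0-9+.\-]*://)(?P<user>[^\s:@/]+):(?P<pw>[^\s@/]+)@",
    re.IGNORECASE,
)


def decode_basic(b64: str) -> Optional[Tuple[str, str]]:
    """Decode a Basic token into (user, password); None if it is not one."""
    try:
        raw = base64.b64decode(b64, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def find_leaks(log_text: str) -> List[Dict[str, object]]:
    """Report every leaked credential: line number, where it was, and the user.

    The password itself is deliberately not returned, so the report can be
    shared without repeating the leak."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for m in BASIC_RE.finditer(line):
            creds = decode_basic(m.group("b64"))
            findings.append({"line": lineno, "kind": m.group("hdr"),
                             "user": creds[0] if creds else None})
        for m in URL_CRED_RE.finditer(line):
            findings.append({"line": lineno, "kind": "url-userinfo",
                             "user": m.group("user")})
    return findings


def redact(log_text: str) -> str:
    """Return the log with Basic tokens and URL passwords removed.

    The URL password is dropped entirely (user@host) rather than replaced
    with a placeholder, so the redacted file no longer matches URL_CRED_RE."""
    out = BASIC_RE.sub(lambda m: f"{m.group('hdr')}: Basic <redacted>", log_text)
    out = URL_CRED_RE.sub(lambda m: f"{m.group('scheme')}{m.group('user')}@", out)
    return out


if __name__ == "__main__":
    # Usage: python3 aria2_log_leaks.py [/path/to/aria2.log]
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in find_leaks(text):
        print(f"line {f['line']}: {f['kind']} credential for user {f['user']!r}")
```

Run it against the constructed sample and it reports three findings (an `Authorization` header on line 6 for `alice`, URL userinfo on line 9 for `bob`, and a `Proxy-Authorization` header on line 10 for `bob`); `redact()` returns a copy on which `find_leaks()` returns nothing. Any log that produces findings should be treated as a credential exposure: rotate the password and fix the file's permissions in addition to redacting it.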


Marked as found in versions aria2/1.34.0-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 02 Jan 2019 21:00:05 GMT)


Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Mon, 07 Jan 2019 17:45:33 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Patrick Ruckstuhl <patrick@ch.tario.org>:
Bug#918058; Package src:aria2. (Fri, 08 Feb 2019 21:57:11 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Patrick Ruckstuhl <patrick@ch.tario.org>. (Fri, 08 Feb 2019 21:57:11 GMT)


Message #14 received at 918058@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: 918058@bugs.debian.org
Subject: Re: aria2: CVE-2019-3500: Metadata and potential password leaks via --log=
Date: Fri, 8 Feb 2019 22:54:04 +0100
On Wed, Jan 02, 2019 at 09:57:11PM +0100, Salvatore Bonaccorso wrote:
> Source: aria2
> Version: 1.30.0-2
> Severity: normal
> Tags: security upstream
> Forwarded: https://github.com/aria2/aria2/issues/1329
> Control: found -1 1.34.0-3
> 
> Hi,
> 
> The following vulnerability was published for aria2.
> 
> CVE-2019-3500[0]:
> | aria2c in aria2 1.33.1, when --log is used, can store an HTTP Basic
> | Authentication username and password in a file, which might allow local
> | users to obtain sensitive information by reading this file.
> 
> The security impact is somewhat disputable/limited; still reporting it
> for tracking purposes with regard to the upstream issue. Once a fix is
> available it can land in Debian as well.

Fixed in https://github.com/aria2/aria2/commit/37368130ca7de5491a75fd18a20c5c5cc641824a

Can we get that in before buster?

Cheers,
        Moritz



Reply sent to Kartik Mistry <kartik@debian.org>:
You have taken responsibility. (Thu, 28 Feb 2019 17:51:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 28 Feb 2019 17:51:03 GMT)


Message #19 received at 918058-close@bugs.debian.org:

From: Kartik Mistry <kartik@debian.org>
To: 918058-close@bugs.debian.org
Subject: Bug#918058: fixed in aria2 1.34.0-4
Date: Thu, 28 Feb 2019 17:49:15 +0000
Source: aria2
Source-Version: 1.34.0-4

We believe that the bug you reported is fixed in the latest version of
aria2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 918058@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kartik Mistry <kartik@debian.org> (supplier of updated aria2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 28 Feb 2019 21:06:13 +0530
Source: aria2
Binary: aria2 aria2-dbgsym libaria2-0 libaria2-0-dbgsym libaria2-0-dev
Architecture: source amd64
Version: 1.34.0-4
Distribution: unstable
Urgency: low
Maintainer: Patrick Ruckstuhl <patrick@ch.tario.org>
Changed-By: Kartik Mistry <kartik@debian.org>
Description:
 aria2      - High speed download utility
 libaria2-0 - C++ library interface to aria2
 libaria2-0-dev - High speed download utility (Development files)
Closes: 918058
Changes:
 aria2 (1.34.0-4) unstable; urgency=low
 .
   * debian/control:
     + Added Multi-Arch: same for libaria2-0 and libaria2-0-dev.
   * Added debian/gitlab-ci.
   * Added patch to fix CVE-2019-3500: Metadata and potential password leaks via
     --log= (Closes: #918058)
Checksums-Sha1:
 a469ca0fea092a27dfb2fed8b03d4602e79bb0f1 2166 aria2_1.34.0-4.dsc
 e837a47cf19a028ccf4050c68ac94ec4004fb342 6788 aria2_1.34.0-4.debian.tar.xz
 ad5af28a2575f40b2b73a4df2a697ec6cc9da9dc 50360 aria2-dbgsym_1.34.0-4_amd64.deb
 b918d1aa8375ece348447d30f154e2dde205ff64 7298 aria2_1.34.0-4_amd64.buildinfo
 473445a80a17aa317b38ac244e7797b5ad0cf062 362100 aria2_1.34.0-4_amd64.deb
 279a4235ec7b36352fe5377582c679eff2095683 36799332 libaria2-0-dbgsym_1.34.0-4_amd64.deb
 4aef8c454db505c900c16f7b9ea5245511b3d965 16204 libaria2-0-dev_1.34.0-4_amd64.deb
 6a0e9344e61e3fe2265b1a10f86962217ca5aead 1090920 libaria2-0_1.34.0-4_amd64.deb
Checksums-Sha256:
 a822c84393d88a5229f2ddc053ac99dc1b8f95279ea96a2ee0eef3e8c5989e4b 2166 aria2_1.34.0-4.dsc
 cb567616951eb0c9fed69588a3aadec625b38f1fd153c535e4dc6bbce36fe80a 6788 aria2_1.34.0-4.debian.tar.xz
 13b202b32318bda505ad317b62468c51032ce4cdc31da5e8af572dccaf2cc647 50360 aria2-dbgsym_1.34.0-4_amd64.deb
 53add389783bb64d2370dc1f4b0d3ed81542ea5de351fabbbb641177591610e4 7298 aria2_1.34.0-4_amd64.buildinfo
 08247a5669f22291105041f3c73b9465da3828af1540085f7ccf3b5cf5e5ad7f 362100 aria2_1.34.0-4_amd64.deb
 dbf0b752c72ef3be084ac9981251560d6e5169e42b84b6505ec1cb96783a921d 36799332 libaria2-0-dbgsym_1.34.0-4_amd64.deb
 06eead0ab1d340a5dc740f1296a810f1ff4163e2b512f370411354c436f977b1 16204 libaria2-0-dev_1.34.0-4_amd64.deb
 668684a2a28f5b39e7bdac746c84e4dd297262a69f97b9f5a480f6b317b4ab5b 1090920 libaria2-0_1.34.0-4_amd64.deb
Files:
 e954bd04c58569093a66669e5bbccf9c 2166 net optional aria2_1.34.0-4.dsc
 9c229a27c044d2b9e9310b20408ec7db 6788 net optional aria2_1.34.0-4.debian.tar.xz
 c14abd6d4662f485a73922279958df4c 50360 debug optional aria2-dbgsym_1.34.0-4_amd64.deb
 252e89b3a158de331f9452ce96e32592 7298 net optional aria2_1.34.0-4_amd64.buildinfo
 3178c0625d96cf15aa06da923fcafdd7 362100 net optional aria2_1.34.0-4_amd64.deb
 ba75a995fc57216b83eec5e9e7237c0f 36799332 debug optional libaria2-0-dbgsym_1.34.0-4_amd64.deb
 2a1d7daf1769a1762d2d3e775c69fb4a 16204 libdevel optional libaria2-0-dev_1.34.0-4_amd64.deb
 f5260bc1efce462ea1599f397dc978b0 1090920 libs optional libaria2-0_1.34.0-4_amd64.deb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 08 Apr 2019 07:32:18 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:57:47 2019; Machine Name: beach
