Bug 1120488 - (CVE-2019-3500) VUL-1: CVE-2019-3500: aria2: metadata and potential password leaks via --log=
(CVE-2019-3500)
VUL-1: CVE-2019-3500: aria2: metadata and potential password leaks via --log=
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Classification: openSUSE
Component: Basesystem
Leap 15.0
Other Other
: P4 - Low : Minor (vote)
: ---
Assigned To: Martin Pluskal
Security Team bot
https://smash.suse.de/issue/221964/
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2019-01-02 12:29 UTC by Alexander Bergmann
Modified: 2019-04-04 22:50 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2019-01-02 12:29:07 UTC
CVE-2019-3500

aria2c in aria2 1.33.1, when --log is used, can store an HTTP Basic Authentication username and password in a file, which might allow local users to obtain sensitive information by reading this file.

References:
https://github.com/aria2/aria2/issues/1329
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-3500
Comment 1 Swamp Workflow Management 2019-01-09 14:40:06 UTC
This is an autogenerated message for OBS integration:
This bug (1120488) was mentioned in
https://build.opensuse.org/request/show/664102 Factory / aria2
https://build.opensuse.org/request/show/664104 15.0+42.3+Backports:SLE-15 / aria2
Comment 2 Andreas Stieger 2019-01-10 20:00:10 UTC
The Leap 42.3 portion does not build due to it requiring a newer version of libuv:
nothing provides pkgconfig(libuv) >= 1.13
1.6.1 is shipped there, this bump in not binary compatible.

The spec change drops the libuv conditional. Consider a submission with only aria2-CVE-2019-3500.patch added, see https://build.opensuse.org/request/show/664450
Comment 3 Swamp Workflow Management 2019-01-10 20:40:06 UTC
This is an autogenerated message for OBS integration:
This bug (1120488) was mentioned in
https://build.opensuse.org/request/show/664452 15.0+42.3+Backports:SLE-15 / aria2
Comment 4 Andreas Stieger 2019-01-13 19:55:51 UTC
done
Comment 5 Swamp Workflow Management 2019-01-13 23:11:01 UTC
openSUSE-SU-2019:0050-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1120488
CVE References: CVE-2019-3500
Sources used:
openSUSE Leap 42.3 (src):    aria2-1.24.0-4.4.1
openSUSE Leap 15.0 (src):    aria2-1.33.1-lp150.2.4.1
openSUSE Backports SLE-15 (src):    aria2-1.33.1-bp150.3.7.1