Bug 605937 - (CVE-2010-1512) VUL-0: CVE-2010-1512: aria2: metalink name Directory Traversal Vulnerability
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: General
Version: unspecified
Hardware / OS: Other / Other
Priority: P1 - Urgent
Severity: Major
Target Milestone: ---
Assigned To: Security Team bot
maint:released:11.2:33793
Reported: 2010-05-14 13:25 UTC by Thomas Biege
Modified: 2016-04-15 11:56 UTC (History)

Found By: Development

Description Thomas Biege 2010-05-14 13:25:17 UTC
Hi.
There is a security bug in package 'aria2'.

This bug is public.

There is no coordinated release date (CRD) set.

More information can be found here:
	http://aria2.sourceforge.net/

CVE number: CVE-2010-1512
CVE description: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1512

Original posting:

----------  Forwarded Message  ----------

Subject: [Full-disclosure] Secunia Research: aria2 metalink "name" Directory Traversal Vulnerability
Date: Thursday 13 May 2010, 15:25:31
From: Secunia Research <remove-vuln@secunia.com>
To:  full-disclosure@lists.grok.org.uk

====================================================================== 

                     Secunia Research 13/05/2010

     - aria2 metalink "name" Directory Traversal Vulnerability -

====================================================================== 
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10

====================================================================== 
1) Affected Software 

* aria2 1.9.1 build2

NOTE: Other versions may also be affected.

====================================================================== 
2) Severity 

Rating: Moderately critical
Impact: System access
Where:  Remote

====================================================================== 
3) Vendor's Description of Software 

"aria2 is a lightweight multi-protocol & multi-source, cross platform
download utility operated in command-line."

Product Link:
http://aria2.sourceforge.net/

====================================================================== 
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in aria2, which can be
exploited by malicious people to compromise a user's system.

The vulnerability is caused due to the application not properly
sanitising the "name" attribute of the "file" element of metalink
files before using it to download files. If a user is tricked into
downloading from a specially crafted metalink file, this can be
exploited to download files to directories outside of the intended
download directory via directory traversal attacks.

====================================================================== 
5) Solution 

Update to version 1.9.3.

====================================================================== 
6) Time Table 

30/04/2010 - Vendor notified.
01/05/2010 - Vendor response.
13/05/2010 - Public disclosure.

====================================================================== 
7) Credits 

Discovered by Stefan Cornelius, Secunia Research.

====================================================================== 
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned 
CVE-2010-1512 for the vulnerability.

====================================================================== 
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

====================================================================== 
10) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2010-71/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================

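The vulnerability class described in the forwarded advisory, as an added example that is not part of this bug report, of Secunia's advisory or of aria2's own code: a Python check that parses a Metalink 3.0 document and rejects any `<file name="...">` value that would place the download outside the chosen download directory. The sample metalink document, the download directory name `downloads` and all function names are constructed for this example; the actual fix shipped in aria2 1.9.3 is not reproduced here. The check goes slightly beyond the advisory's single case by treating backslashes, drive letters, empty components and absolute paths as traversal attempts too.

```python
import os
import re
import xml.etree.ElementTree as ET

# Constructed sample document (not a real metalink from the wild): one
# ordinary name, one nested-but-safe name, and three names that try to
# leave the download directory.
SAMPLE_METALINK = """\
<metalink version="3.0" xmlns="http://www.metalinker.org/">
  <files>
    <file name="example-1.9.3.tar.bz2">
      <resources>
        <url type="http">http://example.invalid/example-1.9.3.tar.bz2</url>
      </resources>
    </file>
    <file name="subdir/notes.txt"/>
    <file name="../../.bashrc"/>
    <file name="/etc/cron.d/evil"/>
    <file name="ok/../../../../tmp/owned"/>
  </files>
</metalink>
"""

METALINK_NS = {"m": "http://www.metalinker.org/"}


def metalink_file_names(xml_text):
    """Return the 'name' attribute of every <file> element, in document order."""
    root = ET.fromstring(xml_text)
    return [f.get("name", "") for f in root.findall(".//m:file", METALINK_NS)]


def is_safe_relative_name(name):
    """Lexical check: a non-empty relative path with no '.', '..' or empty
    components and no drive letter, so joining it onto the download
    directory cannot escape that directory."""
    if not name or "\x00" in name:
        return False
    # Treat backslash as a separator as well; a Windows build would, and a
    # check that only knows '/' is bypassed by a name built from '..\\'.
    normalized = name.replace("\\", "/")
    if normalized.startswith("/") or re.match(r"^[A-Za-z]:", normalized):
        return False
    return all(part not in ("", ".", "..") for part in normalized.split("/"))


def resolve_inside(download_dir, name):
    """Second, path-based check: resolve the joined path and require that it
    stays strictly under the download directory. Returns the resolved path
    or None. realpath follows symlinks that already exist under
    download_dir, so a pre-planted link pointing elsewhere is caught too."""
    base = os.path.realpath(download_dir)
    target = os.path.realpath(os.path.join(base, name))
    if target == base or os.path.commonpath([base, target]) != base:
        return None
    return target


def check_metalink(xml_text, download_dir):
    """Split the file names in a metalink into (accepted, rejected) lists.
    A name must pass both checks to be accepted."""
    accepted, rejected = [], []
    for name in metalink_file_names(xml_text):
        if is_safe_relative_name(name) and resolve_inside(download_dir, name):
            accepted.append(name)
        else:
            rejected.append(name)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = check_metalink(SAMPLE_METALINK, "downloads")
    for n in ok:
        print("accept:", n)
    for n in bad:
        print("reject:", n)
```

The two checks are deliberately redundant: the lexical one rejects the name before any filesystem access and gives a clear reason, while the realpath containment check catches what a purely string-based filter misses, such as a symlink already present under the download directory. A downloader that applied only the first and then honoured symlinks on write would still be exploitable by an attacker with prior write access to that directory.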
Comment 4 Thomas Biege 2010-05-17 10:00:06 UTC
Hello Pascal,
would you like to take over from Michael to fix this security bug?
Comment 5 Pascal Bleser 2010-05-19 20:02:56 UTC
I'm a bit puzzled on this one.

Upgrading from 1.8.2 to 1.9.3 is quite a steep jump and would possibly introduce new bugs or minor changes in behavior, even though aria2 has shown a pretty strong record in terms of stability and compatibility so far.

I had a shot at backporting the vulnerability fix from upstream by trying to manually apply parts of the diff from 1.9.2 to 1.9.3, but it would require more work to isolate the fix into something self-contained, as the internal APIs have changed a bit. A more full-blown port of the diff from 1.9.2 to 1.9.3 requires more changes at a few critical places, something I don't feel comfortable with either and, in that case, we might as well directly go with 1.9.3.

So.. erm.. I'm still a bit undecided, will try harder to isolate a fix, but not with an unreasonable amount of effort nor time.
Comment 6 Thomas Biege 2010-05-20 14:02:48 UTC
Normally we back-port fixes. Especially when the (external) behavior and/or API changes.

Other distros can be a good source for extracting back-ported patches.
Comment 7 Thomas Biege 2010-05-20 14:04:26 UTC
see also http://wiki.opensuse.org/openSUSE:Package_maintenance

This will be enhanced with information for security updates shortly.
Comment 8 Pascal Bleser 2010-05-22 10:06:31 UTC
After considering the options, I decided to go with an upgrade to 1.9.3: I believe it is a higher risk to make a non-trivial patch against 1.8.x (which we would be the only ones to use, Debian is on a much older release and Fedora has upgraded to 1.9.3 too, including on older Fedora releases) than upgrading to the latest upstream version, where the issue has been fixed by the authors.

I just pushed 1.9.3 to openSUSE:11.2:Update:Test/aria2 with SR 40497

Would someone in the security team take care of the patchinfo ? (I don't have a SWAMP ID, nor can I create one myself, at least as far as I know)
Comment 9 Thomas Biege 2010-05-25 11:58:21 UTC
yast2 depends heavily on aria2, therefore we need to make 100% sure that the aria2 version upgrade does not break yast2 code. Did the API change?

Is openSUSE 11.1 and 11.3/Factory affected too?
Comment 10 Pascal Bleser 2010-05-26 18:58:12 UTC
I'm very aware of that :)

I'd have to check which flags the zypp stack passes to aria2, but the "API" (the CLI interface) didn't actually change from 1.8.2 to 1.9.3.

I did an "aria2c --help" with both versions (1.8.2 and 1.9.3) and diffed the output: no change at all.

Of course, other, more subtle things might affect zypp, hence the only way to make sure is to do a call for testing. Seems something is fishy at the moment as there are no aria2 packages in http://download.opensuse.org/repositories/openSUSE:/11.2:/Update:/Test/standard/ but I can't check right now, OBS is giving us 500

And, yes, all openSUSE versions are affected as the CVE is only fixed in 1.9.3.
That would actually be even trickier.

Factory currently uses 1.9.1 and there is no CLI API change either.

openSUSE 11.1 has aria2-0.16.0, which is quite old, where I could probably roll a patch instead (Debian has a patch against 0.14).
There are quite a few changes from 0.16.0 to 1.9.3, but the CLI API seems to be backwards compatible (at least from looking at a diff). Nevertheless, I'll rather do a patch to stay with 0.16.0 there.
Comment 11 Pascal Bleser 2010-05-26 22:16:34 UTC
In the mean time, I've built packages in my own staging projects for testing.

* aria2-1.9.3 for openSUSE 11.2 (version upgrade):
http://download.opensuse.org/repositories/home:/pbleser:/staging:/security:/11.2/openSUSE_11.2/
(same as in network:utilities, but built in isolation)

* aria2-0.16.0 for openSUSE 11.1 (patched, based on [1]):
http://download.opensuse.org/repositories/home:/pbleser:/staging:/security:/11.1/openSUSE_11.1/

[1]http://freshmeat.net/articles/debian-new-aria2-packages-fix-directory-traversal

Factory should simply upgrade to 1.9.3.

The patch against 0.16.0 is available there:
https://api.opensuse.org/public/source/home:pbleser:staging:security:11.1/aria2/aria2-0.16.0-CVE-2010-1512.patch
Comment 12 Thomas Biege 2010-05-27 11:54:36 UTC
Pascal,
thanks a lot.

Coolo,
is the version upgrade of aria2 ok for you?
Comment 13 Stephan Kulow 2010-05-27 12:16:46 UTC
for factory? Sounds okay. For the rest, the maintenance team has to decide.
Comment 14 Thomas Biege 2010-05-27 12:37:59 UTC
Anja,
what do you think? Should we do it but with additional tests for openSUSE?
Comment 15 Pascal Bleser 2010-05-28 08:17:32 UTC
Just to clarify again: the drawback of backporting/patching compared to upgrading is that we need to do the patch on our own, and it's not trivial because while the API and CLI remained the same (from 1.8.x to 1.9.3), the code inside changed a lot. Comparing that risk with upgrading to 1.9.3 which is maintained upstream, I personally believe it's less risky to go with 1.9.3. But that's just my personal engineering 0.02€ ;)
Comment 16 Christian Dengler 2010-05-28 09:59:33 UTC
Hi Jiri,
what is your opinion from the yast side here? Any doubts that it is too dangerous?
Comment 17 Jiri Srain 2010-05-31 11:36:36 UTC
I'm not aware of YaST relying on aria except libzypp, which should not be an issue. Therefore, as long as it is QAed, I'm fine with version upgrade.
Comment 18 Marcus Meissner 2010-05-31 12:47:34 UTC
As we use the CLI I see it as not that dangerous.

Should get 1 or 2 weeks of testing in public-test however.
Comment 19 Christian Dengler 2010-05-31 13:34:39 UTC
Ok, lets do this upgrade with QA-testing + 2 weeks in update-test.

There is already an open running SwampID for aria2: 33321
Comment 20 Pascal Bleser 2010-06-04 06:58:25 UTC
Could someone then please accept SR 40497 ?

 40497  State:new     By:pbleser      When:2010-05-22T12:05:28
        submit:       home:pbleser:branches:openSUSE:11.2:Update:Test/aria2  ->  openSUSE:11.2:Update:Test   
        Descr: upgrade to 1.9.3 to fix bnc#605937 CVCVE-2010-1512

(OK, there's a typo in the Descr ;))
Comment 21 Swamp Workflow Management 2010-06-04 07:02:28 UTC
The SWAMPID for this issue is 33321.
This issue was rated as important.
Please submit fixed packages as soon as possible.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 22 Marcus Meissner 2010-06-04 07:07:19 UTC
you need to tell us (security team) in the bugreport after you submit such updates, we are not watching the submit requests 

I submitted a patchinfo for 11.2
Comment 23 Marcus Meissner 2010-06-04 07:43:30 UTC
is the 11.1 also good? the patch at least looks process wise acceptable
Comment 24 Swamp Workflow Management 2010-06-24 16:22:10 UTC
Update released for: aria2, aria2-debuginfo, aria2-debugsource
Products:
openSUSE 11.2 (debug, i586, x86_64)
Comment 25 Marcus Meissner 2010-06-24 16:23:06 UTC
11.1 update?
Comment 26 Dirk Mueller 2010-07-16 18:23:09 UTC
Pascal?
Comment 27 Dirk Mueller 2010-08-24 08:02:32 UTC
Pascal, whats the status with the fix for 11.1?
Comment 28 Pascal Bleser 2010-08-31 18:49:03 UTC
Oh my, I thought it was applied already.

I just submitted SR 46852 against openSUSE:11.1:Update:Test (from my branch).

I guess that you guys take it from here. If not, please let me know what else I need to do.

Mea culpa, mea maxima culpa.
Comment 29 Ludwig Nussel 2010-09-01 07:33:57 UTC
thanks
Comment 30 Ludwig Nussel 2010-09-01 13:27:49 UTC
the submission was declined
Comment 31 Pascal Bleser 2010-09-01 22:05:32 UTC
ro@suse.de made changes to openSUSE:11.1:Update/aria2 without going through openSUSE:11.1:Update:Test/aria2 first, apparently, which is why it was rejected.

I manually copied his changes from Update to Update:Test and redid my patch and request, it's now SR 46922
Comment 32 Ludwig Nussel 2010-09-02 07:05:38 UTC
dirty autobuild hacks ... *grmbl* thanks for resolving the issue nevertheless
Comment 33 Pascal Bleser 2010-09-02 11:29:44 UTC
And, of course, with all that shmoo, I forgot to actually apply the patch.

After slapping myself, I revoked SR 46922, fixed the .spec, and re-submitted.
Now it's SR 46989
Comment 34 Swamp Workflow Management 2010-09-13 11:22:04 UTC
Update released for: aria2, aria2-debuginfo, aria2-debugsource
Products:
openSUSE 11.1 (debug, i586, ppc, x86_64)
Comment 35 Swamp Workflow Management 2010-09-13 11:22:24 UTC
released
Comment 36 Bernhard Wiedemann 2016-04-15 11:44:53 UTC
This is an autogenerated message for OBS integration:
This bug (605937) was mentioned in
https://build.opensuse.org/request/show/40497 11.2:Test / aria2
https://build.opensuse.org/request/show/46989 11.1:Test / aria2