Gentoo Logo

aria2: Multiple vulnerabilities

Content:

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 201001-06 / aria2
Release Date January 13, 2010
Latest Revision January 13, 2010: 01
Impact normal
Exploitable remote
Package Vulnerable versions Unaffected versions Architecture(s)
net-misc/aria2 < 1.6.3 >= 1.6.3 All supported architectures

Related bugreports: #288291

Synopsis

A buffer overflow and a format string vulnerability in aria2 allow remote attackers to execute arbitrary code.

2.  Impact Information

Background

aria2 is a download utility with resuming and segmented downloading with HTTP/HTTPS/FTP/BitTorrent support.

Description

Tatsuhiro Tsujikawa reported a buffer overflow in DHTRoutingTableDeserializer.cc (CVE-2009-3575) and a format string vulnerability in the AbstractCommand::onAbort() function in src/AbstractCommand.cc (CVE-2009-3617).

Impact

A remote, unauthenticated attacker could possibly execute arbitrary code with the privileges of the user running the application or cause a Denial of Service (application crash).

3.  Resolution Information

Workaround

Do not use DHT (CVE-2009-3575) and disable logging (CVE-2009-3617).

Resolution

All aria2 users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/aria2-1.6.3"

4.  References

Print

Page updated January 13, 2010

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.