
aria2: Multiple vulnerabilities


1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 201001-06 / aria2
Release Date January 13, 2010
Latest Revision January 13, 2010: 01
Impact normal
Exploitable remote
Package          Vulnerable versions   Unaffected versions   Architecture(s)
net-misc/aria2   < 1.6.3               >= 1.6.3              All supported architectures

Related bugreports: #288291


A buffer overflow and a format string vulnerability in aria2 allow remote attackers to execute arbitrary code.

2.  Impact Information


aria2 is a download utility that supports resuming and segmented downloading over HTTP/HTTPS/FTP/BitTorrent.


Tatsuhiro Tsujikawa reported a buffer overflow in (CVE-2009-3575) and a format string vulnerability in the AbstractCommand::onAbort() function in src/ (CVE-2009-3617).


A remote, unauthenticated attacker could possibly execute arbitrary code with the privileges of the user running the application or cause a Denial of Service (application crash).

3.  Resolution Information


Do not use DHT (CVE-2009-3575) and disable logging (CVE-2009-3617).


All aria2 users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/aria2-1.6.3"
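An added check, not part of the advisory, in POSIX shell: it compares an aria2 version string against the 1.6.3 bound above and inspects an aria2.conf for the two workaround settings. It assumes that `aria2c --version` prints a first line of the form `aria2 version X.Y.Z` and that `enable-dht` and `log` are the relevant key=value config keys (aria2's documented option names).

```shell
#!/bin/sh
# Constructed helper for GLSA 201001-06: is the installed aria2 below the
# fixed version, and are the workarounds (DHT off, no log file) in effect?

FIXED_VERSION="1.6.3"   # unaffected versions are >= 1.6.3

# version_lt A B: succeeds when dotted numeric version A sorts before B.
version_lt() {
    [ "$1" = "$2" ] && return 1
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
    [ "$first" = "$1" ]
}

# aria2_vulnerable VERSION: succeeds when VERSION is in the vulnerable range.
aria2_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# installed_aria2_version: version string of the local aria2c, or empty.
# Assumes the first line of `aria2c --version` is "aria2 version X.Y.Z".
installed_aria2_version() {
    aria2c --version 2>/dev/null | sed -n 's/^aria2 version \([0-9.]*\).*/\1/p' | head -n1
}

# workaround_active CONF: succeeds when CONF disables DHT and sets no log file.
# Assumes aria2's key=value format; a missing enable-dht means DHT stays on,
# and "log-level=" is deliberately not matched as "log=".
workaround_active() {
    dht=$(sed -n 's/^[[:space:]]*enable-dht[[:space:]]*=[[:space:]]*//p' "$1" | tail -n1)
    log=$(sed -n 's/^[[:space:]]*log[[:space:]]*=[[:space:]]*//p' "$1" | tail -n1)
    [ "$dht" = "false" ] && [ -z "$log" ]
}

# report_local_aria2 CONF: human-readable summary for an admin.
report_local_aria2() {
    v=$(installed_aria2_version)
    if [ -z "$v" ]; then
        echo "aria2c not found or version not parsed"
    elif aria2_vulnerable "$v"; then
        echo "aria2 $v is vulnerable (fix: >= $FIXED_VERSION)"
    else
        echo "aria2 $v is not affected"
    fi
    if [ -f "$1" ] && workaround_active "$1"; then
        echo "workaround active in $1 (DHT disabled, no log file)"
    else
        echo "workaround NOT active in $1"
    fi
}
```

Invoke as `report_local_aria2 ~/.aria2/aria2.conf` after sourcing the file.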

4.  References


Page updated January 13, 2010

Copyright 2001-2015 Gentoo Foundation, Inc.