Debian Security Advisory
DSA-1821-1 amule -- insufficient input sanitising
- Date Reported:
- 22 Jun 2009
- Affected Packages:
- amule
- Vulnerable:
- Yes
- Security database references:
- In the Debian bugtracking system: Bug 525078.
In Mitre's CVE dictionary: CVE-2009-1440. - More information:
-
Sam Hocevar discovered that amule, a client for the eD2k and Kad networks, does not properly sanitise the filename, when using the preview function. This could lead to the injection of arbitrary commands passed to the video player.
The oldstable distribution (etch) is not affected by this issue.
For the stable distribution (lenny), this problem has been fixed in version 2.2.1-1+lenny2.
For the testing distribution (squeeze) this problem will be fixed soon.
For the unstable distribution (sid), this problem has been fixed in version 2.2.5-1.1.
We recommend that you upgrade your amule packages.
- Fixed in:
-
Debian GNU/Linux 5.0 (lenny)
- Source:
- http://security.debian.org/pool/updates/main/a/amule/amule_2.2.1.orig.tar.gz
- http://security.debian.org/pool/updates/main/a/amule/amule_2.2.1-1+lenny2.diff.gz
- http://security.debian.org/pool/updates/main/a/amule/amule_2.2.1-1+lenny2.dsc
- http://security.debian.org/pool/updates/main/a/amule/amule_2.2.1-1+lenny2.diff.gz
- Architecture-independent component:
- http://security.debian.org/pool/updates/main/a/amule/amule-common_2.2.1-1+lenny2_all.deb
- Alpha:
- http://security.debian.org/pool/updates/main/a/amule/amule-utils_2.2.1-1+lenny2_alpha.deb
- http://security.debian.org/pool/updates/main/a/amule/amule-utils-gui_2.2.1-1+lenny2_alpha.deb
- http://security.debian.org/pool/updates/main/a/amule/amule-daemon_2.2.1-1+lenny2_alpha.deb
- http://security.debian.org/pool/updates/main/a/amule/amule_2.2.1-1+lenny2_alpha.deb
- http://security.debian.org/pool/updates/main/a/amule/amule-utils-gui_2.2.1-1+lenny2_alpha.deb
- AMD64:
- http://security.debian.org/pool/updates/main/a/amule/amule-utils-gui_2.2.1-1+lenny2_amd64.deb
- http://security.debian.org/pool/updates/main/a/amule/amule-utils_2.2.1-1+lenny2_amd64.deb
- http://security.debian.org/pool/updates/main/a/amule/amule-daemon_2.2.1-1+lenny2_amd64.deb
- http://security.debian.org/pool/updates/main/a/amule/amule_2.2.1-1+lenny2_amd64.deb
- http://security.debian.org/pool/updates/main/a/amule/amule-utils_2.2.1-1+lenny2_amd64.deb
- ARM:
- http://security.debian.org/pool/updates/main/a/amule/amule-utils_2.2.1-1+lenny2_arm.deb
- http://security.debian.org/pool/updates/main/a/amule/amule_2.2.1-1+lenny2_arm.deb
- http://security.debian.org/pool/updates/main/a/amule/amule-daemon_2.2.1-1+lenny2_arm.deb
- http://security.debian.org/pool/updates/main/a/amule/amule-utils-gui_2.2.1-1+lenny2_arm.deb
- http://security.debian.org/pool/updates/main/a/amule/amule_2.2.1-1+lenny2_arm.deb
- ARM EABI:
- http://security.debian.org/pool/updates/main/a/amule/amule-utils_2.2.1-1+lenny2_armel.deb
- http://security.debian.org/pool/updates/main/a/amule/amule-daemon_2.2.1-1+lenny2_armel.deb
- http://security.debian.org/pool/updates/main/a/amule/amule-utils-gui_2.2.1-1+lenny2_armel.deb
- http://security.debian.org/pool/updates/main/a/amule/amule_2.2.1-1+lenny2_armel.deb
- http://security.debian.org/pool/updates/main/a/amule/amule-daemon_2.2.1-1+lenny2_armel.deb
- HP Precision:
- http://security.debian.org/pool/updates/main/a/amule/amule-utils-gui_2.2.1-1+lenny2_hppa.deb
- http://security.debian.org/pool/updates/main/a/amule/amule-daemon_2.2.1-1+lenny2_hppa.deb
- http://security.debian.org/pool/updates/main/a/amule/amule_2.2.1-1+lenny2_hppa.deb
- http://security.debian.org/pool/updates/main/a/amule/amule-utils_2.2.1-1+lenny2_hppa.deb
- http://security.debian.org/pool/updates/main/a/amule/amule-daemon_2.2.1-1+lenny2_hppa.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/a/amule/amule-utils_2.2.1-1+lenny2_i386.deb
- http://security.debian.org/pool/updates/main/a/amule/amule-utils-gui_2.2.1-1+lenny2_i386.deb
- http://security.debian.org/pool/updates/main/a/amule/amule_2.2.1-1+lenny2_i386.deb
- http://security.debian.org/pool/updates/main/a/amule/amule-daemon_2.2.1-1+lenny2_i386.deb
- http://security.debian.org/pool/updates/main/a/amule/amule-utils-gui_2.2.1-1+lenny2_i386.deb
- Intel IA-64:
- http://security.debian.org/pool/updates/main/a/amule/amule-utils-gui_2.2.1-1+lenny2_ia64.deb
- http://security.debian.org/pool/updates/main/a/amule/amule_2.2.1-1+lenny2_ia64.deb
- http://security.debian.org/pool/updates/main/a/amule/amule-daemon_2.2.1-1+lenny2_ia64.deb
- http://security.debian.org/pool/updates/main/a/amule/amule-utils_2.2.1-1+lenny2_ia64.deb
- http://security.debian.org/pool/updates/main/a/amule/amule_2.2.1-1+lenny2_ia64.deb
- Big-endian MIPS:
- http://security.debian.org/pool/updates/main/a/amule/amule-daemon_2.2.1-1+lenny2_mips.deb
- http://security.debian.org/pool/updates/main/a/amule/amule-utils-gui_2.2.1-1+lenny2_mips.deb
- http://security.debian.org/pool/updates/main/a/amule/amule_2.2.1-1+lenny2_mips.deb
- http://security.debian.org/pool/updates/main/a/amule/amule-utils_2.2.1-1+lenny2_mips.deb
- http://security.debian.org/pool/updates/main/a/amule/amule-utils-gui_2.2.1-1+lenny2_mips.deb
- Little-endian MIPS:
- http://security.debian.org/pool/updates/main/a/amule/amule_2.2.1-1+lenny2_mipsel.deb
- http://security.debian.org/pool/updates/main/a/amule/amule-utils-gui_2.2.1-1+lenny2_mipsel.deb
- http://security.debian.org/pool/updates/main/a/amule/amule-daemon_2.2.1-1+lenny2_mipsel.deb
- http://security.debian.org/pool/updates/main/a/amule/amule-utils_2.2.1-1+lenny2_mipsel.deb
- http://security.debian.org/pool/updates/main/a/amule/amule-utils-gui_2.2.1-1+lenny2_mipsel.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/a/amule/amule-utils-gui_2.2.1-1+lenny2_powerpc.deb
- http://security.debian.org/pool/updates/main/a/amule/amule-daemon_2.2.1-1+lenny2_powerpc.deb
- http://security.debian.org/pool/updates/main/a/amule/amule_2.2.1-1+lenny2_powerpc.deb
- http://security.debian.org/pool/updates/main/a/amule/amule-utils_2.2.1-1+lenny2_powerpc.deb
- http://security.debian.org/pool/updates/main/a/amule/amule-daemon_2.2.1-1+lenny2_powerpc.deb
- IBM S/390:
- http://security.debian.org/pool/updates/main/a/amule/amule_2.2.1-1+lenny2_s390.deb
- http://security.debian.org/pool/updates/main/a/amule/amule-utils_2.2.1-1+lenny2_s390.deb
- http://security.debian.org/pool/updates/main/a/amule/amule-utils-gui_2.2.1-1+lenny2_s390.deb
- http://security.debian.org/pool/updates/main/a/amule/amule-daemon_2.2.1-1+lenny2_s390.deb
- http://security.debian.org/pool/updates/main/a/amule/amule-utils_2.2.1-1+lenny2_s390.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/a/amule/amule_2.2.1-1+lenny2_sparc.deb
- http://security.debian.org/pool/updates/main/a/amule/amule-daemon_2.2.1-1+lenny2_sparc.deb
- http://security.debian.org/pool/updates/main/a/amule/amule-utils-gui_2.2.1-1+lenny2_sparc.deb
- http://security.debian.org/pool/updates/main/a/amule/amule-utils_2.2.1-1+lenny2_sparc.deb
- http://security.debian.org/pool/updates/main/a/amule/amule-daemon_2.2.1-1+lenny2_sparc.deb
MD5 checksums of the listed files are available in the original advisory.