[Secure-testing-team] Bug#525078: insufficient path escaping when opening fies

Sam Hocevar sam at zoy.org
Tue Apr 21 22:42:30 UTC 2009 

Package: amule
Version: 2.2.4-1+b1
Severity: normal
Tags: security upstream

   src/DownloadListCtrl.cpp does the following (code edited for
clarification):

command = wxT("xterm -T \"aMule Preview\" -iconic -e mplayer '$file'");
[...]
wxString rawFileName = file->GetFullName().GetRaw();
command.Replace(wxT("$file"), rawFileName);
[...]
wxExecute(command, wxEXEC_ASYNC, p);

   Although file->GetFullName() is sanitised by removing :/<> and
probably other characters, the single tick (') is neither filtered
away nor escaped. Thus it is possible to craft a file name that
passes remotely defined arguments to the video player.

   A side effect is that it is impossible to open a downloaded file that
has a "'" character in its name.

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.28.7 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages amule depends on:
ii  amule-common           2.2.4-1           common files for the rest of aMule
ii  libc6                  2.9-7             GNU C Library: Shared libraries
ii  libcrypto++8           5.6.0-1           General purpose cryptographic libr
ii  libgcc1                1:4.3.3-8         GCC support library
ii  libgeoip1              1.4.6.dfsg-2      A non-DNS IP-to-country resolver l
ii  libstdc++6             4.3.3-8           The GNU Standard C++ Library v3
ii  libupnp3               1:1.6.6-3         Portable SDK for UPnP Devices (sha
ii  libwxbase2.8-0         2.8.7.1-1.1       wxBase library (runtime) - non-GUI
ii  libwxgtk2.8-0          2.8.7.1-1.1       wxWidgets Cross-platform C++ GUI t
ii  zlib1g                 1:1.2.3.3.dfsg-13 compression library - runtime

Versions of packages amule recommends:
ii  amule-utils                   2.2.4-1+b1 utilities for aMule (command-line 

Versions of packages amule suggests:
ii  amule-utils-gui               2.2.4-1+b1 graphic utilities for aMule

-- no debconf information

More information about the Secure-testing-team mailing list