Posted: Wed Sep 09, 2009 5:26 pm Post subject: [ GLSA 200909-06 ] aMule: Parameter injection
Gentoo Linux Security Advisory
Title: aMule: Parameter injection (GLSA 200909-06)
Date: September 09, 2009

An input validation error in aMule enables remote attackers to pass
arbitrary parameters to a victim's media player.

aMule is an eMule-like client for the eD2k and Kademlia networks,
supporting multiple platforms.

Vulnerable: < 2.2.5
Unaffected: >= 2.2.5
Architectures: All supported architectures

Sam Hocevar discovered that the aMule preview function does not
properly sanitize file names.

A remote attacker could entice a user to download a file with a
specially crafted file name to inject arbitrary arguments to the
victim's video player.

There is no known workaround at this time.

All aMule users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-p2p/amule-2.2.5"
Last edited by GLSA on Sun Nov 22, 2009 4:29 am; edited 1 time in total
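
Added example, not part of the advisory and not aMule's code: a general illustration of the bug class described above, showing a file name pasted into a whitespace-split command line next to a hardened form that validates the name and passes it as one argv element. The function names, the player name "player", the directories and the option text are constructed for illustration; the advisory does not describe aMule's exact code path.

```cpp
#include <sstream>
#include <stdexcept>
#include <string>
#include <vector>

using Argv = std::vector<std::string>;

// Weak pattern: paste the name into a command line and split on whitespace.
// Every space-separated piece of the file name becomes its own argument.
Argv naive_preview_argv(const std::string& player, const std::string& name) {
    std::istringstream cmd(player + " " + name);
    Argv argv;
    for (std::string tok; cmd >> tok;) argv.push_back(tok);
    return argv;
}

// True if the name is usable as a single file-name component:
// not empty, not "." or "..", no path separator, no control characters.
bool is_plain_file_name(const std::string& name) {
    if (name.empty() || name == "." || name == "..") return false;
    for (unsigned char c : name) {
        if (c == '/' || c < 0x20 || c == 0x7f) return false;
    }
    return true;
}

// Hardened pattern: validate, then pass the path as exactly one argv element.
// The path starts with the download directory, never with '-', so the player
// cannot parse it as an option. Hand the result to execvp(), not to a shell.
Argv safe_preview_argv(const std::string& player, const std::string& dir,
                       const std::string& name) {
    if (!is_plain_file_name(name))
        throw std::invalid_argument("unsafe file name");
    if (dir.empty() || (dir[0] != '/' && dir.compare(0, 2, "./") != 0))
        throw std::invalid_argument("directory must be absolute or ./-relative");
    std::string path = dir;
    if (path.back() != '/') path += '/';
    return Argv{player, path + name};
}
```

With the hardened form, spaces and leading dashes in a downloaded file name stay inside a single path argument instead of becoming separate player options.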