blob: 4c21db1c5cd29f489a110fd3e134e48a7a287567 [file] [log] [blame]
<?xml version="1.0" encoding="utf-8"?>
<glsa id="200503-37">
<title>LimeWire: Disclosure of sensitive information</title>
Two vulnerabilities in LimeWire can be exploited to disclose sensitive
<product type="ebuild">LimeWire</product>
<announced>March 31, 2005</announced>
<revised>March 31, 2005: 01</revised>
<package name="net-p2p/limewire" auto="yes" arch="*">
<unaffected range="ge">4.8.1</unaffected>
<vulnerable range="lt">4.8.1</vulnerable>
LimeWire is a Java peer-to-peer client compatible with the
Gnutella file-sharing protocol.
Two input validation errors were found in the handling of Gnutella
GET requests (CAN-2005-0788) and magnet requests (CAN-2005-0789).
<impact type="low">
A remote attacker can craft a specific Gnutella GET request or use
directory traversal on magnet requests to read arbitrary files on the
system with the rights of the user running LimeWire.
There is no known workaround at this time.
All LimeWire users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose &quot;&gt;=net-p2p/limewire-4.8.1&quot;</code>
<uri link="">CAN-2005-0788</uri>
<uri link="">CAN-2005-0789</uri>
<uri link="">Secunia Advisory SA14555</uri>
<metadata tag="requester" timestamp="Wed, 30 Mar 2005 14:57:35 +0000">
<metadata tag="bugReady" timestamp="Wed, 30 Mar 2005 14:58:13 +0000">
<metadata tag="submitter" timestamp="Wed, 30 Mar 2005 16:12:57 +0000">