blob: 4d6b6ab163079364598b65efafc598368d4cdffa [file] [log] [blame]
<?xml version="1.0" encoding="utf-8"?>
<glsa id="200903-36">
<title>MLDonkey: Information disclosure</title>
A vulnerability in the MLDonkey web interface allows remote attackers to
disclose arbitrary files.
<product type="ebuild">mldonkey</product>
<announced>March 23, 2009</announced>
<revised>March 23, 2009: 01</revised>
<package name="net-p2p/mldonkey" auto="yes" arch="*">
<unaffected range="ge">3.0.0</unaffected>
<vulnerable range="lt">3.0.0</vulnerable>
MLDonkey is a multi-network P2P application written in Ocaml, coming
with its own Gtk GUI, web and telnet interface.
Michael Peselnik reported that src/utils/lib/ in the web
interface of MLDonkey does not handle file names with leading double
slashes properly.
<impact type="normal">
A remote attacker could gain access to arbitrary files readable by the
user running the application.
Disable the web interface or restrict access to it.
All MLDonkey users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose &quot;&gt;=net-p2p/mldonkey-3.0.0&quot;</code>
<uri link="">CVE-2009-0753</uri>
<metadata tag="requester" timestamp="Sun, 22 Mar 2009 20:26:47 +0000">
<metadata tag="submitter" timestamp="Sun, 22 Mar 2009 20:38:08 +0000">
<metadata tag="bugReady" timestamp="Sun, 22 Mar 2009 22:00:11 +0000">