aria2 Metalink File Handling Directory Traversal Vulnerability
Release date: 2010-05-13
Last updated: 2010-05-14
Affected systems:
Tatsuhiro Tsujikawa aria2 1.9.1 build2
Unaffected systems:
Tatsuhiro Tsujikawa aria2 1.9.3
Description:
BUGTRAQ ID: 40142
CVE ID: CVE-2010-1512
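aria2 is a high-speed download utility for Linux.
aria2 does not properly sanitize the name attribute of the file element in metalink files. A user who is tricked into downloading a metalink file containing a specially crafted file name triggers a directory traversal, which causes files to be downloaded outside the intended directory.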
<*Source: Stefan Cornelius
Links: http://secunia.com/secunia_research/2010-71/
http://www.debian.org/security/2010/dsa-2047
*>
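Added example, not code from aria2 or from this advisory: a Python check that reads the name attribute of every file element in a metalink document and rejects any name that would resolve outside the download directory. The sample document, `DOWNLOAD_DIR` and the function names are constructed for illustration; the check deliberately refuses every `..` component, including ones that would stay inside the directory.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample Metalink 3 document; names and URLs are illustrative only.
SAMPLE = """<metalink version="3.0" xmlns="http://www.metalinker.org/">
  <files>
    <file name="dist/tool-1.0.tar.gz"><resources><url>http://mirror.example/a</url></resources></file>
    <file name="../../outside.txt"><resources><url>http://mirror.example/b</url></resources></file>
    <file name="/tmp/absolute.txt"><resources><url>http://mirror.example/c</url></resources></file>
    <file name="docs/../../escape.txt"><resources><url>http://mirror.example/d</url></resources></file>
  </files>
</metalink>"""

DOWNLOAD_DIR = "/srv/downloads"  # assumed download directory


def is_safe_name(name, download_dir):
    """Return True only if name, joined to download_dir, stays inside it."""
    if not name or "\x00" in name:
        return False
    norm = name.replace("\\", "/")  # treat backslashes as separators too
    if norm.startswith("/") or norm[1:2] == ":":
        return False  # absolute path or drive letter
    if ".." in norm.split("/"):
        return False  # strict: refuse any parent-directory component
    base = os.path.realpath(download_dir)
    # realpath also resolves symlinks that already exist under the directory
    target = os.path.realpath(os.path.join(base, norm))
    return target != base and os.path.commonpath([base, target]) == base


def audit_metalink(xml_text, download_dir):
    """Return [(name, is_safe)] for every <file> element in any namespace."""
    results = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] == "file":
            name = el.get("name", "")
            results.append((name, is_safe_name(name, download_dir)))
    return results


if __name__ == "__main__":
    for name, ok in audit_metalink(SAMPLE, DOWNLOAD_DIR):
        print("OK    " if ok else "REJECT", repr(name))
```

Running the check on a metalink file before handing it to a downloader shows which entries would be written outside the target directory.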
Recommendation:
Vendor patches:
Debian
------
Debian has released a security advisory (DSA-2047-1) and corresponding patches for this issue:
DSA-2047-1: New aria2 packages fix directory traversal
Link: http://www.debian.org/security/2010/dsa-2047
Patch downloads:
Source archives:
http://security.debian.org/pool/updates/main/a/aria2/aria2_0.14.0.orig.tar.gz
Size/MD5 checksum: 1343630 ae853240ee88e373a138021613e28cb1
http://security.debian.org/pool/updates/main/a/aria2/aria2_0.14.0-1+lenny2.dsc
Size/MD5 checksum: 1102 66f40f6d5908ed4caef208b258eb7617
http://security.debian.org/pool/updates/main/a/aria2/aria2_0.14.0-1+lenny2.diff.gz
Size/MD5 checksum: 21863 b2b9fec5b9a7eccd68f12ad29804cb9c
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/a/aria2/aria2_0.14.0-1+lenny2_alpha.deb
Size/MD5 checksum: 1272534 7783017240e59e1f8cd5bbb3bc4fd215
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/a/aria2/aria2_0.14.0-1+lenny2_amd64.deb
Size/MD5 checksum: 1092380 97206956e1358720fced7b3487727730
arm architecture (ARM)
http://security.debian.org/pool/updates/main/a/aria2/aria2_0.14.0-1+lenny2_arm.deb
Size/MD5 checksum: 1207446 af7d180b51ab9129e1241fb26a4b26a6
armel architecture (ARM EABI)
http://security.debian.org/pool/updates/main/a/aria2/aria2_0.14.0-1+lenny2_armel.deb
Size/MD5 checksum: 1015996 b9c6fd9eb3029e738389666989f2d639
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/a/aria2/aria2_0.14.0-1+lenny2_hppa.deb
Size/MD5 checksum: 1261974 f656d07dec19c29d0f122083f753a624
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/a/aria2/aria2_0.14.0-1+lenny2_i386.deb
Size/MD5 checksum: 1062920 681a52c51e9492c494b9f4f75549881b
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/a/aria2/aria2_0.14.0-1+lenny2_ia64.deb
Size/MD5 checksum: 1481560 7a2c94d39885c2a8ca84d60339aa7c42
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/a/aria2/aria2_0.14.0-1+lenny2_mips.deb
Size/MD5 checksum: 1159630 2e26a8a5fb8e1d547ce11e6041dba0af
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/a/aria2/aria2_0.14.0-1+lenny2_mipsel.deb
Size/MD5 checksum: 1150846 6582fbd585d877b014acbec16d3d8f2f
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/a/aria2/aria2_0.14.0-1+lenny2_powerpc.deb
Size/MD5 checksum: 1104136 472f6ab9514e93c143ad770c39c77e4b
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/a/aria2/aria2_0.14.0-1+lenny2_s390.deb
Size/MD5 checksum: 1027002 c9291e6598c0b4f081749276e3eed79a
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/a/aria2/aria2_0.14.0-1+lenny2_sparc.deb
Size/MD5 checksum: 1166750 b84d8c95931f2beb5c129f8d3bddaacc
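Patch installation:
1. Install the patch package manually:
First, download the patch package with the following command:
# wget url (url is the patch download link)
Then install the patch with the following command:
# dpkg -i file.deb (file is the name of the corresponding patch package)
2. Install the patch package automatically with apt-get:
First, update the internal database with the following command:
# apt-get update
Then install the updated packages with the following command:
# apt-get upgrade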
Tatsuhiro Tsujikawa
-------------------
The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's home page:
http://aria2.sourceforge.net/
