Bug 24112

Summary: aria2 new security issue CVE-2019-3500
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: herman.viaene, lewyssmith, mageia, mageia, marja11, sysadmin-bugs, tmb
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
See Also: https://github.com/aria2/aria2/issues/1329
Whiteboard: MGA6-32-OK MGA6-64-OK
Source RPM: aria2-1.34.0-2.mga7.src.rpm CVE:
Status comment:

Description David Walser 2019-01-02 13:27:24 CET 
A CVE has been assigned for a security issue in aria2:
https://www.openwall.com/lists/oss-security/2019/01/02/2

I don't believe there is a fix yet.

Mageia 6 is also affected.
David Walser 2019-01-02 13:27:36 CET

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2019-01-02 20:28:10 CET 
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => cooker

Comment 2 Nicolas Lécureuil 2019-01-03 00:55:55 CET 
https://github.com/aria2/aria2/issues/1329

See Also: (none) => https://github.com/aria2/aria2/issues/1329
CC: (none) => mageia

Comment 3 Johnny A. Solbu 2019-01-12 02:02:56 CET 
Fixed in cauldron.
Still working on mga6. The patch doesn't fully apply.

Status: NEW => ASSIGNED

Comment 4 Johnny A. Solbu 2019-01-12 02:45:04 CET 
I have uploaded a new mga6 package to 6/core/updates_testing
aria2-1.25.0-1.1.mga6

Source RPM: aria2-1.25.0-1.1.mga6.src.rpm

(I have no idea how you're supposed test this update)

It Fixes CVE-2019-3500

Possible advisory:
It was observed that URL's which gets downloaded via "--log=" attribute
stores sensitive information.
This update fixes that.

Assignee: cooker => qa-bugs

Thomas Backlund 2019-01-12 12:49:00 CET

Version: Cauldron => 6
CC: (none) => tmb
Whiteboard: MGA6TOO => (none)

Comment 5 Herman Viaene 2019-01-14 12:11:32 CET 
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
Looking for an example, found https://calomel.org/aria2.html
At CLI:
]$ aria2c http://releases.ubuntu.com/12.04.3/ubuntu-12.04.3-server-amd64.iso
 *** Download Progress Summary as of Mon Jan 14 12:02:39 2019 ***                                 
==================================================================================================
[#127edc 216MiB/665MiB(32%) CN:1 DL:3.6MiB ETA:2m4s]
FILE: /home/tester6/Downloads/ubuntu-12.04.3-server-amd64.iso
--------------------------------------------------------------------------------------------------

 *** Download Progress Summary as of Mon Jan 14 12:03:40 2019 ***                                 
==================================================================================================
[#127edc 424MiB/665MiB(63%) CN:1 DL:3.2MiB ETA:1m14s]
FILE: /home/tester6/Downloads/ubuntu-12.04.3-server-amd64.iso
--------------------------------------------------------------------------------------------------

 *** Download Progress Summary as of Mon Jan 14 12:04:40 2019 ***                                 
==================================================================================================
[#127edc 613MiB/665MiB(92%) CN:1 DL:2.8MiB ETA:18s]
FILE: /home/tester6/Downloads/ubuntu-12.04.3-server-amd64.iso
--------------------------------------------------------------------------------------------------

[#127edc 664MiB/665MiB(99%) CN:1 DL:3.3MiB]                                                       
01/14 12:04:56 [NOTICE] Download afgerond: /home/tester6/Downloads/ubuntu-12.04.3-server-amd64.iso

Download Results:
gid   |stat|avg speed  |path/URI
======+====+===========+=======================================================
127edc|OK  |   3.3MiB/s|/home/tester6/Downloads/ubuntu-12.04.3-server-amd64.iso

Status Legend:
(OK):download completed.
Then
# mount /home/tester6/Downloads/ubuntu-12.04.3-server-amd64.iso  /run/media/tester6/disk/
mount: /dev/loop0 is schrijfbeveiligd en wordt als alleen-lezen aangekoppeld (mounted readonly)
I could view the folders and files in the mounted iso,
So looks OK for me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK

Comment 6 PC LX 2019-01-14 14:34:26 CET 
Installed and tested without issues.

Tests including downloading files using:
- HTTP, HTTPS, FTP, FTPS, SFTP, magnet URI for torrent, torrent file. 
- Direct connect only, proxy not tested.
- With and without username/password for HTTP, HTTPS, FTP, FTPS, SFTP.
- Servers used: Pure-FTPd, apache httpd, openssh sshd.

System: Mageia 6, x86_64, Intel CPU.

$ uname -a
Linux marte 4.14.89-desktop-1.mga6 #1 SMP Mon Dec 17 13:14:48 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q aria2 
aria2-1.25.0-1.1.mga6

CC: (none) => mageia
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK

Lewis Smith 2019-01-14 20:34:18 CET

CC: (none) => lewyssmith, sysadmin-bugs
Keywords: (none) => advisory, validated_update

Comment 7 Mageia Robot 2019-01-15 23:16:53 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0036.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Comment 8 David Walser 2019-08-11 21:09:47 CEST 
Ubuntu advisory for this from May 6, for reference:
https://usn.ubuntu.com/3965-1/