LimeWire: Disclosure of sensitive information — GLSA 200503-37

Two vulnerabilities in LimeWire can be exploited to disclose sensitive information.

Affected packages

net-p2p/limewire on all architectures
Affected versions < 4.8.1
Unaffected versions >= 4.8.1

Background

LimeWire is a Java peer-to-peer client compatible with the Gnutella file-sharing protocol.

Description

Two input validation errors were found in the handling of Gnutella GET requests (CAN-2005-0788) and magnet requests (CAN-2005-0789).

Impact

A remote attacker can craft a specific Gnutella GET request or use directory traversal on magnet requests to read arbitrary files on the system with the rights of the user running LimeWire.

Workaround

There is no known workaround at this time.

Resolution

All LimeWire users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-p2p/limewire-4.8.1"

References

Release date
March 31, 2005

Latest revision
March 31, 2005: 01

Severity
low

Exploitable
remote

Bugzilla entries