Vulnerability: gnapster

Affected: Those using gnapster 1.3.8 or earlier

Description:

The following is based on the FreeBSD Security Report.

Gnapster is a client for the Napster file-sharing network. The gnapster port (version 1.3.8 and earlier) contains a vulnerability which allows remote gnapster users to view any file on the local system which is accessible to the user running gnapster. Gnapster does not run with elevated privileges, so only the user's regular filesystem access permissions are involved.

This vulnerability was discovered at the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University by Tom Daniels, Florian Buchholz and James Early.

The gnapster port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 3200 third-party applications in a ready-to-install format. The ports collection shipped with FreeBSD 4.0 contains this problem, since it was discovered after the release.

Remote users can view files accessible to the user running the gnapster client. If you have not chosen to install the gnapster port/package, then your system is not vulnerable to this problem.

It is possible for anyone to obtain any user-readable file by sending a properly formed "GET" command that contains the full path of the file. This vulnerability exists because Gnapster fails to check that the requested file is an explicitly shared MP3 file before providing it. Anyone running Gnapster version 1.3.8 or earlier is vulnerable. Given the IP address and TCP port of a vulnerable client, an attacker can send a request for an arbitrary file to the Gnapster client. If the user has read access to the file, the client will then respond with the contents of the file.

Solution:

Deinstall the gnapster port/package if you have installed it, or apply one of the following:

1) Upgrade your entire ports collection and rebuild the gnapster port.

2) Reinstall a new package dated after the correction date, obtained from:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/audio/gnapster-1.3.9.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/audio/gnapster-1.3.9.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/audio/gnapster-1.3.9.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/audio/gnapster-1.3.9.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/audio/gnapster-1.3.9.tgz

3) Download a new port skeleton for the gnapster port from:
http://www.freebsd.org/ports/
and use it to rebuild the port.

For other platforms, the upstream source is available from:
http://download.sourceforge.net/gnapster/gnapster-1.3.9.tar.gz
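The root cause above is a missing allowlist check: the client served whatever path the "GET" named instead of asking whether that file had been explicitly shared. The following Python is an added illustration of that distinction and is neither gnapster's code nor the Napster wire format; the share root, the shared-file set and the request paths are constructed for the example.

```python
import os

# Constructed example data: the directory the user shares from and the
# files the user explicitly chose to share (an allowlist, not a denylist).
SHARE_ROOT = "/home/alice/mp3"
SHARED_FILES = {
    "/home/alice/mp3/song1.mp3",
    "/home/alice/mp3/album/song2.mp3",
}


def vulnerable_resolve(requested_path):
    """Pre-fix behaviour as the advisory describes it: whatever full path
    the GET names is the path that gets opened, so any file the local
    user can read is served. Returns the path that would be opened."""
    if not requested_path:
        return None
    return requested_path


def hardened_resolve(requested_path, shared_files=SHARED_FILES,
                     share_root=SHARE_ROOT):
    """Serve a file only if it was explicitly shared.

    1. Canonicalise the request so '..', '.' and symlinks cannot disguise
       a path that leaves the share directory.
    2. Require the canonical path to lie under the share root.
    3. Require exact membership in the shared set; the share root alone is
       not enough, because only chosen files were offered to the network.
    Returns the canonical path on success and None on refusal.
    """
    if not requested_path or "\0" in requested_path:
        return None
    canonical = os.path.realpath(requested_path)
    root = os.path.realpath(share_root)
    # commonpath() on two absolute paths; equal to root only if canonical
    # is root itself or somewhere beneath it.
    if os.path.commonpath([canonical, root]) != root:
        return None
    allowed = {os.path.realpath(p) for p in shared_files}
    if canonical not in allowed:
        return None
    return canonical
```

A request for /etc/passwd or for a traversal such as /home/alice/mp3/../../../etc/passwd is refused by the hardened check, while the vulnerable resolver would hand back the first path unchanged.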