Bug 208787 - media-sound/mpd < 0.13.1 DoS vulnerability
Summary: media-sound/mpd < 0.13.1 DoS vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-02-03 20:12 UTC by Christoph Mende (RETIRED)
Modified: 2020-04-04 10:14 UTC
0 users

See Also:
Package list:
Runtime testing required: ---


Description Christoph Mende (RETIRED) gentoo-dev 2008-02-03 20:12:22 UTC
from upstream changelog:

storedPlaylist: prevent potential DoS from stored playlist commands

While mpd has always protected against the infinite expansion of
the main playlist by limiting its size in memory, the
new storedPlaylist code has never checked for this limit.

Malicious (or clumsy) users could repeatedly append songs to
stored playlists, causing files to grow increasingly large
on disk.  Attempting to load extremely large files into memory
will require mpd to slurp that all into memory, and ultimately
the file would be unusable by mpd because of the configurable
playlist size limit.

Now we limit stored playlists to the max_playlist_length
configuration variable set by the user (default is 16384).  We
will refuse to append to playlist files if they hit that limit;
and also refuse to load more than the specified amount of songs
into memory.

this is
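
The limit described in the changelog above, sketched in C as an added example (not mpd's code and not part of the bug report). The function names, the one-song-per-line file format and the 4096-byte line buffer are assumptions; the default of 16384 is the value the changelog states.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PLAYLIST_LENGTH 16384L /* default given in the changelog */

/* Read one entry (line) into buf, discarding any overlong tail so a single
 * huge line cannot be counted as several songs. Returns 1, or 0 at EOF. */
static int read_entry(FILE *fp, char *buf, size_t size)
{
    size_t len;
    int c;
    if (!fgets(buf, (int)size, fp))
        return 0;
    len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n')
        buf[len - 1] = '\0';
    else
        while ((c = getc(fp)) != EOF && c != '\n')
            ;
    return 1;
}

/* Load at most `limit` songs; reading stops once the limit is reached, so an
 * oversized file is never slurped into memory. Returns the number loaded. */
long stored_playlist_load(const char *path, long limit)
{
    char song[4096];
    long n = 0;
    FILE *fp = fopen(path, "r");
    if (!fp)
        return 0; /* a missing file is treated as an empty playlist */
    while (n < limit && read_entry(fp, song, sizeof song))
        if (song[0] != '\0')
            n++; /* a real player would queue `song` here */
    fclose(fp);
    return n;
}

/* Append one song unless the file already holds `limit` entries.
 * Returns 0 on success, -1 when refused or on I/O error. */
int stored_playlist_append(const char *path, const char *song, long limit)
{
    FILE *fp;
    int ok;
    /* An embedded newline would smuggle extra entries past the count. */
    if (song[0] == '\0' || strchr(song, '\n'))
        return -1;
    if (stored_playlist_load(path, limit) >= limit)
        return -1;
    if (!(fp = fopen(path, "a")))
        return -1;
    ok = fprintf(fp, "%s\n", song) > 0;
    return (fclose(fp) == 0 && ok) ? 0 : -1;
}
```

Both paths enforce the same bound: the append path keeps the file from growing past the limit, and the load path still caps what is read from a file that was already oversized before the fix.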
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2008-02-03 20:33:55 UTC
Arches, please test and mark stable media-sound/mpd-0.13.1. Target keywords are "amd64 arm hppa ppc ppc64 sh sparc x86 ~x86-fbsd".
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2008-02-04 00:08:08 UTC
Stable for HPPA.
Comment 3 Dawid Węgliński (RETIRED) gentoo-dev 2008-02-04 00:20:51 UTC
x86 stable
Comment 4 Torsten Rehn 2008-02-04 01:04:55 UTC
WFM@AMD64

Passes tests, collision-protect, multilib-strict. Works.

Comment 5 Christoph Mende (RETIRED) gentoo-dev 2008-02-04 12:04:33 UTC
amd64 stable
Comment 6 Markus Rothe (RETIRED) gentoo-dev 2008-02-04 12:19:51 UTC
ppc64 stable
Comment 7 Tobias Scherbaum (RETIRED) gentoo-dev 2008-02-04 17:26:52 UTC
ppc stable
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2008-02-05 13:16:59 UTC
Adding release@
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2008-02-07 12:26:57 UTC
sparc stable
Comment 10 Tobias Heinlein (RETIRED) gentoo-dev 2008-02-09 23:17:54 UTC
This is B3 and thus needs a vote first.
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-10 14:53:19 UTC
I vote NO.
Comment 12 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-02-10 15:27:52 UTC
voting NO too, and closing.
Comment 13 Peter Volkov (RETIRED) gentoo-dev 2008-02-23 17:41:50 UTC
Fixed in release snapshot.