Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 314551 (CVE-2010-1147) - <net-p2p/opendchub-0.8.2: Stack-based buffer overflow (CVE-2010-1147)
Summary: <net-p2p/opendchub-0.8.2: Stack-based buffer overflow (CVE-2010-1147)
Status: RESOLVED FIXED
Alias: CVE-2010-1147
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://web.nvd.nist.gov/view/vuln/det...
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2010-04-10 16:52 UTC by Tomás Touceda (RETIRED)
Modified: 2013-11-20 10:50 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
Proposal for ebuild of v0.8.2 (opendchub-0.8.2.ebuild,1.04 KB, text/plain)
2010-12-09 17:36 UTC, maxb
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Tomás Touceda (RETIRED) gentoo-dev 2010-04-10 16:52:38 UTC
As said in [0]:

Pierre Nogues found a stack overflow flaw, in the way Open DC Hub
sanitized content of user's MyINFO message. Remote attacker, 
with valid Open DC Hub account, could send a specially-crafted
MyINFO message to another user / all users connected to particular
Direct Connect network, leading into denial of service (opendchub
crash) or, potentially, to arbitrary code execution with the privileges
of the user running opendchub.

I'm almost positive this affects 0.7.x version in the tree, the code that handles MyINFO messages seems to be nearly equal in 0.7 and 0.8, and the code that differs I don't see how that could fix this issue. I'm not able to test this though.

It seems that version 0.8.2 fixes the problem.

More info in [1].

[0] https://bugzilla.redhat.com/show_bug.cgi?id=579206
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=576308
Comment 1 maxb 2010-12-09 17:36:09 UTC
Created attachment 256746 [details]
Proposal for ebuild of v0.8.2

Please find my ebuild for version 0.8.2. It has some slight modifications to 0.7.15.
Kind regards,
der Max
Comment 2 Oleg Gawriloff 2011-04-05 09:02:16 UTC
Any news?
Comment 3 Oleg Gawriloff 2011-04-05 09:41:39 UTC
Available in my overlay (with some corrections regarding missing setup.sh file, also added init.d startup file).
Comment 4 Tim Harder gentoo-dev 2011-08-05 02:45:42 UTC
I added 0.8.2 to the tree.
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2011-08-18 04:34:55 UTC
(In reply to comment #4)
> I added 0.8.2 to the tree.

Great, thank you.

Arches, please test and mark stable:
=net-p2p/opendchub-0.8.2
Target keywords : "x86"
Comment 6 Myckel Habets 2011-08-18 16:10:38 UTC
Builds and runs fine for x86. Please mark stable for x86.
Comment 7 Thomas Kahle (RETIRED) gentoo-dev 2011-08-19 13:58:43 UTC
x86 stable. Thanks Myckel
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2011-08-19 14:56:23 UTC
Thanks, folks. GLSA request filed.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2013-11-20 10:50:47 UTC
This issue was resolved and addressed in
 GLSA 201311-12 at http://security.gentoo.org/glsa/glsa-201311-12.xml
by GLSA coordinator Sergey Popov (pinkbyte).