From the Secunia advisory at $URL:
Description
Some vulnerabilities have been discovered in echoping, which can be exploited by malicious people to potentially compromise a user's system.
1) A boundary error exists within the "TLS_readline()" function in readline.c, which can be exploited to overflow a global buffer by sending an overly long encrypted HTTP reply to echoping. Successful exploitation requires that echoping is compiled with GNU TLS support.
2) A boundary error exists within the "SSL_readline()" function in readline.c, which can be exploited to overflow a global buffer by sending an overly long encrypted HTTP reply to echoping. Successful exploitation requires that echoping is compiled with SSL support.
The vulnerabilities are confirmed in version 6.0.2. Other versions may also be affected.
Looks like [1] which has a patch attached.
[1] http://sourceforge.net/tracker/?func=detail&aid=3137686&group_id=4581&atid=104581
@maintainers: ping, patching would be nice.
I'm preparing a new ebuild based on an SVN snapshot.
Arch teams, please test and mark stable:
=net-analyzer/echoping-6.0.2_p434
Targeted stable KEYWORDS: amd64 x86
amd64 stable
Builds and runs fine on x86. Please mark stable for x86.
x86 stable
Thanks for your work. GLSA request filed.
CVE number was reassigned - now this is CVE-2010-5111
Confirmation - http://www.openwall.com/lists/oss-security/2013/10/21/9
This issue was resolved and addressed in GLSA 201406-07 at http://security.gentoo.org/glsa/glsa-201406-07.xml by GLSA coordinator Sergey Popov (pinkbyte).