From ${URL} :

| There's an off-by-one error in libcapsinetwork network handling code,
| which was merged into monopd in version 0.9.4.
|
| From src/listener.cpp, Listener::checkActivity():
|
| #define MAXLINE 1024
| [...]
|     char *readBuf = new char[MAXLINE];
|     int n = read((*it)->fd(), readBuf, MAXLINE);
|     if (n <= 0) // socket was closed
|     {
|         (*it)->setStatus(Socket::Closed);
|         delete[] readBuf;
|         return; // notification is (still) in earlier iteration
|     }
|     readBuf[n] = 0;
|
| With an input line longer than 1023, this will write zero at readBuf[1024]
| which is out of bounds.

<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781043>
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781044>

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
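The pattern quoted in the report above, reduced to a stand-alone C program (an added example, not code from monopd or from anyone on this bug): the buffer is deliberately one byte larger than MAXLINE so that the out-of-bounds terminator lands on a guard byte that can be checked safely. The names `guard_clobbered`, `pattern_from_report` and `bounded_read` and the pipe-fed input are constructed for illustration; reading at most MAXLINE - 1 bytes is one common correction and is not claimed to be what the upstream commit does.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAXLINE 1024   /* logical buffer size, as in the quoted listener.cpp */
#define GUARD   0xAA   /* constructed marker for the byte just past the buffer */

/* Send `len` constructed bytes through a pipe, read them back asking for
 * `want` bytes, then NUL-terminate at buf[n] as the quoted code does.
 * buf really holds MAXLINE + 1 bytes, so index MAXLINE (out of bounds for the
 * original allocation) can be inspected here without undefined behaviour.
 * Returns 1 if the guard byte was overwritten, 0 if intact, -1 on error. */
static int guard_clobbered(size_t len, size_t want)
{
    unsigned char buf[MAXLINE + 1];
    unsigned char input[2 * MAXLINE];
    int fds[2];
    ssize_t n;

    if (len > sizeof(input) || want > MAXLINE || pipe(fds) != 0)
        return -1;
    memset(input, 'A', sizeof(input));
    memset(buf, 0, sizeof(buf));
    buf[MAXLINE] = GUARD;

    n = write(fds[1], input, len);
    close(fds[1]);
    if (n == (ssize_t)len)
        n = read(fds[0], buf, want);
    else
        n = -1;
    close(fds[0]);
    if (n <= 0)
        return -1;
    buf[n] = 0;                      /* n == MAXLINE lands on the guard byte */
    return buf[MAXLINE] != GUARD;
}

/* Request size from the report: read() may return exactly MAXLINE. */
int pattern_from_report(size_t len) { return guard_clobbered(len, MAXLINE); }

/* Bounded variant: n <= MAXLINE - 1, so buf[n] stays inside MAXLINE bytes. */
int bounded_read(size_t len) { return guard_clobbered(len, MAXLINE - 1); }

int main(void)
{
    printf("report pattern, 2000-byte line: guard clobbered = %d\n", pattern_from_report(2000));
    printf("bounded read,   2000-byte line: guard clobbered = %d\n", bounded_read(2000));
    return 0;
}
```

Allocating MAXLINE + 1 bytes and keeping the read size at MAXLINE is the equivalent alternative when the full 1024-byte payload must be accepted.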
Upstream patched the issue via https://cgit.tuxfamily.org/gtkatlantic/atlanticd.git/commit/src/listener.cpp?id=0153128170c07ebf2e05346d0f2229e3abb7aeda

$ git tag --contains 0153128170c07ebf2e05346d0f2229e3abb7aeda | sort
monopd-0.10.0
monopd-0.10.1
monopd-0.10.2
monopd-0.9.8

v0.9.8 was in Gentoo repository https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/games-server/monopd/monopd-0.9.8.ebuild?view=log

Current stable version in Gentoo repository is =games-server/monopd-0.10.2 and no vulnerable version left. So nothing left to do for us.

@ Security: I am suggesting to drop rating to C and maybe apply minor rating based on the comment https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781043#5 quoting Florian Weimer.
No PoC to consider this as a severity of 2 (RCE). As such, re-designating.

GLSA Vote: No