I ran into this exploit: JAD java Decompiler 1.5.8e - Local Buffer Overflow https://www.exploit-db.com/exploits/42076/ If it works, maybe package.mask the package?
(In reply to Sebastian Pipping from comment #0)
> If it works, maybe package.mask the package?

There's not much else you can do, short of last-riting it. It's proprietary and upstream is dead.
Thanks for the report. package.mask / last-rite is the way to go; I have a personal preference for the latter. If non-maintained, maybe it fits better in an overlay. Please note the reverse dependencies (behind the jad USE flag) for dev-lisp/abcl.
CC'ing treecleaners to proceed with removal.

* These packages depend on dev-java/jad-bin:
  dev-lisp/abcl-0.0.9-r1 (jad ? dev-java/jad-bin)
  dev-lisp/abcl-0.20.0 (jad ? dev-java/jad-bin)
Linked is a long command-line buffer overflow in a non-setuid binary. I don't see many realistic vectors for feeding an 8k+ argument to the jad binary. This bug has been known since 2010. Regardless, of course there are other bugs, and upstream is dead.
Removed.