A memory leak bug was discovered in Toxcore that can be triggered remotely to exhaust one’s system memory, resulting in a denial of service attack... As a general reminder, if you are still using irungentoo’s toxcore, we strongly encourage you to switch to using TokTok c-toxcore instead as it’s a lot more actively developed and maintained. In fact, irungentoo’s toxcore is neither being developed nor maintained for some time now, aside from merging only the most critical fixes from TokTok c-toxcore from time to time, missing all other important fixes.

Reproducible: Didn't try
*** Bug 661692 has been marked as a duplicate of this bug. ***
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ed6bd85ba15c5e719e2b77b932b153d529aa622e

commit ed6bd85ba15c5e719e2b77b932b153d529aa622e
Author:     Josiah Mullins <jomull01@protonmail.com>
AuthorDate: 2018-10-16 22:47:24 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2018-10-22 20:21:40 +0000

    net-libs/tox: bump to version 0.2.8

    This commit: adds the use flag ipv6 to enable ipv6 tests;
    removes a line that deleted .la files; src_config() was modified
    a new maintainer was added in metadata.xml.

    Bug: https://bugs.gentoo.org/668264
    Bug: https://bugs.gentoo.org/629828
    Closes: https://bugs.gentoo.org/661692
    Signed-off-by: Josiah Mullins <JoMull01@protonmail.com>
    Package-Manager: Portage-2.3.49, Repoman-2.3.11
    Closes: https://github.com/gentoo/gentoo/pull/10161
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 net-libs/tox/Manifest         |  1 +
 net-libs/tox/metadata.xml     |  9 +++-
 net-libs/tox/tox-0.2.8.ebuild | 99 +++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 108 insertions(+), 1 deletion(-)
@maintainer(s), older versions are vulnerable and upstream notes that 0.2.8 is the only version which received the fix. Please drop the vulnerable versions from the tree.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4c94441763ab5cdd9739ffe6b97913cc3cdadfa5

commit 4c94441763ab5cdd9739ffe6b97913cc3cdadfa5
Author:     Josiah Mullins <jomull01@protonmail.com>
AuthorDate: 2018-12-13 23:21:07 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-12-22 11:43:25 +0000

    net-libs/tox: strip vulnerable versions

    This commit removes all versions of tox prior to version 0.2.8
    because those versions were vulnerable to remote DDoS attacks.
    Also, this commit removes a deprecated use flag in metadata.xml.
    In addition, this commit adds the requirement that libsodium
    not be built with the minimal use flag enabled in tox-9999.

    Closes: https://bugs.gentoo.org/628530
    Bug: https://bugs.gentoo.org/668264
    Signed-off-by: Josiah Mullins <JoMull01@protonmail.com>
    Signed-off-by: Josiah Mullins <jomull01@protonmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/10585
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 net-libs/tox/Manifest          |  2 --
 net-libs/tox/metadata.xml      |  1 -
 net-libs/tox/tox-0.1.10.ebuild | 76 ----------------------------------------
 net-libs/tox/tox-0.2.5.ebuild  | 79 ------------------------------------------
 net-libs/tox/tox-9999.ebuild   |  2 +-
 5 files changed, 1 insertion(+), 159 deletions(-)