There is no security risk here as the program isn't setuid. I'm putting the bug here purely because it was found as part of an audit.

callbacks.c:101-103:

    ip_addr = gtk_entry_get_text(GTK_ENTRY(gtk_object_get_data(GTK_OBJECT(user_data),"P_entry")));
    if (ip_addr != NULL )
        strcat(ftp_options, (gpointer) _(g_strdup_printf(" -P %s", ip_addr)));

This is a strcat to a static buffer with no input length check:

    static char ftp_options[1024];

Pasting over 1024 characters into the IP address field in the standalone section of the GUI and selecting the standalone tick box causes a segfault when doing File->Save, File->Close. There are a few other places in the GUI where this can be done.
I've emailed upstream.
Closing bug, it's been removed from portage now.
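For reference, a bounded replacement for the unchecked strcat reported above. This is an added example, not code from the project or from anyone in this thread; the helper names (append_option, is_ip_literal, add_ip_option) are hypothetical, GLib is left out so the block runs stand-alone, and it assumes the field should only ever hold an IPv4 or IPv6 literal.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

static char ftp_options[1024];  /* same size as the static buffer in the report */

/* Append " <flag> <value>" to buf (capacity cap, NUL-terminated).
 * Returns 0 on success, -1 if it does not fit; buf is unchanged on failure. */
static int append_option(char *buf, size_t cap, const char *flag, const char *value)
{
    const char *end = memchr(buf, '\0', cap);
    if (end == NULL)
        return -1;                      /* not terminated: refuse to touch it */
    size_t used = (size_t)(end - buf);
    int n = snprintf(buf + used, cap - used, " %s %s", flag, value);
    if (n < 0 || (size_t)n >= cap - used) {
        buf[used] = '\0';               /* undo the truncated write */
        return -1;
    }
    return 0;
}

/* Assumption: the GUI field must contain an IPv4 or IPv6 literal. */
static int is_ip_literal(const char *s)
{
    unsigned char tmp[sizeof(struct in6_addr)];
    return inet_pton(AF_INET, s, tmp) == 1 || inet_pton(AF_INET6, s, tmp) == 1;
}

/* Hypothetical stand-in for the strcat call at callbacks.c:101-103. */
static int add_ip_option(const char *ip_addr)
{
    if (ip_addr == NULL || !is_ip_literal(ip_addr))
        return -1;
    return append_option(ftp_options, sizeof ftp_options, "-P", ip_addr);
}

int main(void)
{
    char big[2000];                     /* constructed oversized field content */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("length check alone: %d\n",
           append_option(ftp_options, sizeof ftp_options, "-P", big));
    printf("oversized via GUI path: %d\n", add_ip_option(big));
    printf("valid address: %d\n", add_ip_option("192.0.2.10"));
    printf("ftp_options = \"%s\"\n", ftp_options);
    return 0;
}
```

The caller has to act on the -1 return (for example by refusing to save), since the report notes the same pattern appears in other places in the GUI.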