
Bug 204063

Summary: media-sound/mt-daapd <= 0.2.4.1 remote DoS
Product: Gentoo Security
Reporter: Carsten Lohrke (RETIRED) <carlo>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED NEEDINFO
Severity: minor
CC: akshayushah, sound
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [upstream]
Package list:
Runtime testing required: ---

Description Carsten Lohrke (RETIRED) gentoo-dev 2008-01-02 15:07:03 UTC
I have seen bug 200110, but Luigi Auriemma's advisory seems to be another issue.

C] duplicated HTTP parameter Denial of Service
D] CPU at 100% with partial queries

http://aluigi.altervista.org/adv/fireflyz-adv.txt
Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-02-06 22:23:49 UTC
According to the advisory, this will be fixed in the next release.
Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev 2008-07-07 19:37:07 UTC
It appears that 0.2.4.2 is still affected by the duplicate parameter issue; at least the PoC took the CPU to 100% a few times.
Can someone verify this, please?
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-11-26 18:19:20 UTC
Upstream states:

Item C I can replicate against both stable code and current svn.

> D] CPU at 100% with partial queries

This I can't replicate against stable code, or on current svn. It likely represents an issue in some version of svn, although socket handling and timeout stuff has been in flux lately, so I'm not sure what version this represents an issue with.
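As an added defensive illustration of the two failure modes the advisory items name (not mt-daapd code, and not taken from the advisory or this bug): a query parser that refuses a duplicated parameter name rather than silently picking one value, and a request reader that bounds how long a partial request may stall before the connection is dropped. Function names, limits and the sample request bytes are all constructed for this example.

```python
import socket
from urllib.parse import unquote_plus

MAX_HEAD_BYTES = 8192  # constructed limit, not taken from mt-daapd

class BadRequest(ValueError):
    """Raised for requests the server refuses to process further."""

def parse_query(query: str) -> dict:
    """Parse 'a=1&b=2', rejecting a name that appears twice (advisory item C)."""
    params = {}
    for pair in filter(None, query.split("&")):
        name, _, value = pair.partition("=")
        name = unquote_plus(name)
        if name in params:
            raise BadRequest(f"duplicated parameter {name!r}")
        params[name] = unquote_plus(value)
    return params

def read_request_head(conn: socket.socket, timeout: float) -> bytes:
    """Read up to the blank line ending the HTTP head (advisory item D).
    A client that stalls after a partial request hits the timeout instead of
    pinning a worker; an oversized head is refused before it is parsed."""
    conn.settimeout(timeout)
    buf = b""
    while b"\r\n\r\n" not in buf:
        try:
            chunk = conn.recv(1024)
        except socket.timeout:
            raise BadRequest("timed out waiting for a complete request head")
        if not chunk:
            raise BadRequest("client closed before completing the request")
        buf += chunk
        if len(buf) > MAX_HEAD_BYTES:
            raise BadRequest("request head too large")
    return buf

def serve_constructed_client(data: bytes, timeout: float = 0.5) -> str:
    """Push constructed client bytes through a socketpair and report the outcome."""
    server, client = socket.socketpair()
    try:
        client.sendall(data)
        head = read_request_head(server, timeout)
        return "accepted: " + head.split(b"\r\n", 1)[0].decode()
    except BadRequest as exc:
        return f"rejected: {exc}"
    finally:
        server.close()
        client.close()
```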