Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 314551 (CVE-2010-1147)

Summary: <net-p2p/opendchub-0.8.2: Stack-based buffer overflow (CVE-2010-1147)
Product: Gentoo Security Reporter: Tomás Touceda (RETIRED) <chiiph>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: axiator, barzog, net-p2p, pchrist
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1147
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---
Attachments:
Description Flags
Proposal for ebuild of v0.8.2 none

Description Tomás Touceda (RETIRED) gentoo-dev 2010-04-10 16:52:38 UTC 
As said in [0]:

Pierre Nogues found a stack overflow flaw, in the way Open DC Hub
sanitized content of user's MyINFO message. Remote attacker, 
with valid Open DC Hub account, could send a specially-crafted
MyINFO message to another user / all users connected to particular
Direct Connect network, leading into denial of service (opendchub
crash) or, potentially, to arbitrary code execution with the privileges
of the user running opendchub.

I'm almost positive this affects 0.7.x version in the tree, the code that handles MyINFO messages seems to be nearly equal in 0.7 and 0.8, and the code that differs I don't see how that could fix this issue. I'm not able to test this though.

It seems that version 0.8.2 fixes the problem.

More info in [1].

[0] https://bugzilla.redhat.com/show_bug.cgi?id=579206
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=576308
Comment 1 maxb 2010-12-09 17:36:09 UTC 
Created attachment 256746 [details]
Proposal for ebuild of v0.8.2

Please find my ebuild for version 0.8.2. It has some slight modifications to 0.7.15.
Kind regards,
der Max
Comment 2 Oleg Gawriloff 2011-04-05 09:02:16 UTC 
Any news?
Comment 3 Oleg Gawriloff 2011-04-05 09:41:39 UTC 
Available in my overlay (with some corrections regarding missing setup.sh file, also added init.d startup file).
Comment 4 Tim Harder gentoo-dev 2011-08-05 02:45:42 UTC 
I added 0.8.2 to the tree.
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2011-08-18 04:34:55 UTC 
(In reply to comment #4)
> I added 0.8.2 to the tree.

Great, thank you.

Arches, please test and mark stable:
=net-p2p/opendchub-0.8.2
Target keywords : "x86"
Comment 6 Myckel Habets 2011-08-18 16:10:38 UTC 
Builds and runs fine for x86. Please mark stable for x86.
Comment 7 Thomas Kahle (RETIRED) gentoo-dev 2011-08-19 13:58:43 UTC 
x86 stable. Thanks Myckel
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2011-08-19 14:56:23 UTC 
Thanks, folks. GLSA request filed.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2013-11-20 10:50:47 UTC 
This issue was resolved and addressed in
 GLSA 201311-12 at http://security.gentoo.org/glsa/glsa-201311-12.xml
by GLSA coordinator Sergey Popov (pinkbyte).