::::: Quatation from NO-IP EMail::::: Security Advisory - 2008-11-22 ------------------------------------------------------------------------------ Summary: Important: No-IP Linux DUC (Dynamic Update Client) An updated version of the No-IP Linux Dynamic Update Client that fixes a security issue is now available. This update has been rated as having important security impact. Description: Versions 2.1.1- > 2.1.8 are prone to a stack-based buffer-overflow due to a boundary error when processing HTTP responses received from the update server. This can be exploited and cause a stack-based buffer overflow when performing an update. A malicious user could exploit this by faking the No-IP update server via DNS poisoning or a man in the middle attack. This can cause a denial of service (client crash) or potentially execute arbitrary code on the computer the client is running on. Users running versions 2.1.8 and older are encouraged to upgrade to the most recent version, 2.1.9 at http://www.no-ip.com/downloads?page=linux&av=1 Regards, The No-IP Team Note: This email was sent from an unmonitored account. If you have any questions or comments please open a trouble ticket at http://www.no-ip.com/ticket Reproducible: Didn't try Actual Results: It's work but you should create manually "/usr/etc" directory.
Created attachment 173310 [details] net-dns/noip-updater-2.1.9
*** Bug 248709 has been marked as a duplicate of this bug. ***
Created attachment 173367 [details] Ebuild in the style of 2.1.7 I've made an ebuild that matches the style of the 2.1.7-r1 ebuild. It required a new patch, which I'll upload next
Created attachment 173368 [details, diff] patch to go with my ebuild
Created attachment 173458 [details] noip-updater-2.1.9 with patched edition.
Created attachment 173460 [details, diff] core source code patch file for noip-2.1.9
Created attachment 173469 [details] File fixed.
Created attachment 173471 [details, diff] File fixed.
Created attachment 173475 [details, diff] Patch file fixed.
oops, I should've checked if there was an ebuild here first. Guys, please check if the updates I posted on the security bug are working for you.
the ebuild I submitted in the security bug has been commited. Please submit an enhancement request if necessary.
Hello Gilles, I do not know it's necessary but I wrote ebuild and patch file. Currently, it works fine and I do not run across any issue. Regards, Behzat. (In reply to comment #11) > the ebuild I submitted in the security bug has been commited. Please submit an > enhancement request if necessary. >