As said in :
Pierre Nogues found a stack overflow flaw in the way Open DC Hub
sanitized the content of a user's MyINFO message. A remote attacker
with a valid Open DC Hub account could send a specially-crafted
MyINFO message to another user / all users connected to a particular
Direct Connect network, leading to denial of service (opendchub
crash) or, potentially, to arbitrary code execution with the privileges
of the user running opendchub.
I'm almost positive this affects the 0.7.x version in the tree: the code that handles MyINFO messages seems to be nearly equal in 0.7 and 0.8, and I don't see how the code that differs could fix this issue. I'm not able to test this, though.
It seems that version 0.8.2 fixes the problem.
More info in .
Created attachment 256746
Proposal for ebuild of v0.8.2
Please find my ebuild for version 0.8.2. It has some slight modifications to 0.7.15.
Available in my overlay (with some corrections regarding missing setup.sh file, also added init.d startup file).
I added 0.8.2 to the tree.
(In reply to comment #4)
> I added 0.8.2 to the tree.
Great, thank you.
Arches, please test and mark stable:
Target keywords : "x86"
Builds and runs fine for x86. Please mark stable for x86.
x86 stable. Thanks Myckel
Thanks, folks. GLSA request filed.
This issue was resolved and addressed in
GLSA 201311-12 at http://security.gentoo.org/glsa/glsa-201311-12.xml
by GLSA coordinator Sergey Popov (pinkbyte).