Secunia: Description: A weakness has been reported in DC++, which can be exploited by malicious people to cause a DoS (Denial of Service). The weakness is caused due to a NULL pointer dereference error when handling partial file list requests and can be exploited to cause the application to crash. The weakness is reported in versions prior to 0.707 (Unstable). Solution: The vendor has released version 0.707 (Unstable). Provided and/or discovered by: The vendor credits crise. Original Advisory: http://sourceforge.net/project/shownotes.php?release_id=608612&group_id=40287
Steven Sheehy of linuxdcpp writes: It does affect linuxdcpp. I have just committed a fix to cvs for this issue. We are hoping to release a new version sometime next month. http://cvs.berlios.de/cgi-bin/viewcvs.cgi/linuxdcpp/linuxdcpp/client/ShareManager.cpp.diff?r1=1.14&r2=1.15&sortby=date
Upstream fix applied in net-p2p/linuxdcpp-1.0.1-r1.
Sorry for not noting earlier, there is another remote DoS: http://cvs.berlios.de/cgi-bin/viewcvs.cgi/linuxdcpp/linuxdcpp/client/NmdcHub.cpp.diff?r1=1.14&r2=1.15&sortby=date
Arf, sorry, I actually noted it and for some reason missed its inclusion. Now included in 1.0.1-r2. I hope there's no third because I'll go to bed soon ;-)
Arches, please test and mark stable: =net-p2p/linuxdcpp-1.0.1-r2 Target keywords : "amd64 x86"
x86 stable
amd64 stable, vulnerable version removed from the tree.
glsa vote... client DoS, I vote NO.
NO, closing.
