CVE-2021-45848: Denial of service (DoS) vulnerability in Nicotine+ 3.0.3 and later allows a user with a modified Soulseek client to crash Nicotine+ by sending a file download request with a file path containing a null character.
Patch: https://github.com/nicotine-plus/nicotine-plus/commit/0e3e2fac27a518f0a84330f1ddf1193424522045
Please stabilize 3.2.1.
Please cleanup, thanks!
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=67bf62274406a6ce154207e7195df5668a4f9311

commit 67bf62274406a6ce154207e7195df5668a4f9311
Author:     Piotr Karbowski <slashbeast@gentoo.org>
AuthorDate: 2022-10-19 19:40:29 +0000
Commit:     Piotr Karbowski <slashbeast@gentoo.org>
CommitDate: 2022-10-19 19:40:29 +0000

    net-p2p/nicotine+: drop old.

    Closes: https://bugs.gentoo.org/835374
    Signed-off-by: Piotr Karbowski <slashbeast@gentoo.org>

 net-p2p/nicotine+/Manifest               |  4 ----
 net-p2p/nicotine+/nicotine+-2.2.2.ebuild | 41 --------------------------------
 net-p2p/nicotine+/nicotine+-3.1.1.ebuild | 41 --------------------------------
 net-p2p/nicotine+/nicotine+-3.2.0.ebuild | 41 --------------------------------
 net-p2p/nicotine+/nicotine+-3.2.1.ebuild | 41 --------------------------------
 5 files changed, 168 deletions(-)

(In reply to Larry the Git Cow from comment #2)
> The bug has been closed via the following commit(s):
>
> https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=67bf62274406a6ce154207e7195df5668a4f9311
>
> commit 67bf62274406a6ce154207e7195df5668a4f9311
> Author:     Piotr Karbowski <slashbeast@gentoo.org>
> AuthorDate: 2022-10-19 19:40:29 +0000
> Commit:     Piotr Karbowski <slashbeast@gentoo.org>
> CommitDate: 2022-10-19 19:40:29 +0000
>
>     net-p2p/nicotine+: drop old.
>
>     Closes: https://bugs.gentoo.org/835374
>     Signed-off-by: Piotr Karbowski <slashbeast@gentoo.org>
>
>  net-p2p/nicotine+/Manifest               |  4 ----
>  net-p2p/nicotine+/nicotine+-2.2.2.ebuild | 41 --------------------------------
>  net-p2p/nicotine+/nicotine+-3.1.1.ebuild | 41 --------------------------------
>  net-p2p/nicotine+/nicotine+-3.2.0.ebuild | 41 --------------------------------
>  net-p2p/nicotine+/nicotine+-3.2.1.ebuild | 41 --------------------------------
>  5 files changed, 168 deletions(-)

Again, not what you should do for security bugs.
GLSA request filed.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=afaa1e2a7eac94eb6f2ecf1950d5cf22db044f31

commit afaa1e2a7eac94eb6f2ecf1950d5cf22db044f31
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-31 01:14:04 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 01:40:15 +0000

    [ GLSA 202210-20 ] Nicotine+: Denial of Service

    Bug: https://bugs.gentoo.org/835374
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-20.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)

GLSA released, all done!