Bug tracker and wiki

This bug tracker and wiki are being discontinued; please use https://github.com/Xpra-org/xpra instead.

Opened 6 years ago

Closed 6 years ago

Last modified 16 months ago

#1217 closed task (fixed)

security issues in rencode

Reported by: Antoine Martin
Owned by: Smo
Priority: critical
Milestone: 1.0
Component: core
Version: trunk
Keywords:
Cc:


Just reported two security issues in rencode:

For our use case, I believe this can just cause a server crash, I don't think we leak parsed data from packets back to the user - but maybe disconnection messages? (those would need to be trimmed)

Change History (6)

comment:1 Changed 6 years ago by Antoine Martin

Status: new → assigned

The first bug is now fixed and version 1.0.5 will include it, the second one was already fixed in rencode 1.0.4. (my bad)

Until 1.0.5 is officially released (new blocker: https://github.com/aresch/rencode/issues/9), here's a download link: https://github.com/aresch/rencode/archive/a5ab0fb6c3603d1e9c53e2cfc262b2288d2912d8.zip.

comment:2 Changed 6 years ago by Antoine Martin

Milestone: 0.18 → 1.0

Milestone renamed

comment:3 Changed 6 years ago by Antoine Martin

Owner: changed from Antoine Martin to Smo
Status: assigned → new

This is all fixed in version 1.0.5, bumped for osx and rpm in r13028. (r13029 for centos6 because of this bug: https://github.com/aresch/rencode/issues/10)

@smo: time to update.

comment:4 Changed 6 years ago by Antoine Martin

  • r13120 updates the debian repos to use 1.0.5
  • r13129 removes rencode from our source tree

comment:5 Changed 6 years ago by Smo

Resolution: fixed
Status: new → closed

All updated.

comment:6 Changed 16 months ago by migration script

this ticket has been moved to: https://github.com/Xpra-org/xpra/issues/1217
