#1217 closed task (fixed)
security issues in rencode
| Reported by: | Antoine Martin | Owned by: | Smo |
|---|---|---|---|
| Priority: | critical | Milestone: | 1.0 |
| Component: | core | Version: | trunk |
| Keywords: | Cc: |
Description
Just reported two security issues in rencode:
For our use case, I believe this can just cause a server crash, I don't think we leak parsed data from packets back to the user - but maybe disconnection messages? (those would need to be trimmed)
Change History (6)
comment:1 Changed 5 years ago by
| Status: | new → assigned |
|---|
comment:3 Changed 5 years ago by
| Owner: | changed from Antoine Martin to Smo |
|---|---|
| Status: | assigned → new |
This is all fixed in version 1.0.5, bumped for osx and rpm in r13028. (r13029 for centos6 because of this bug: https://github.com/aresch/rencode/issues/10)
@smo: time to update.
comment:4 Changed 5 years ago by
comment:6 Changed 4 months ago by
this ticket has been moved to: https://github.com/Xpra-org/xpra/issues/1217
Note: See
TracTickets for help on using
tickets.
copyleft 2010 - 2021
The first bug is now fixed and version 1.0.5 will include it, the second one was already fixed in rencode 1.0.4. (my bad)
Until 1.0.5 is officially released (new blocker: https://github.com/aresch/rencode/issues/9), here's a download link: https://github.com/aresch/rencode/archive/a5ab0fb6c3603d1e9c53e2cfc262b2288d2912d8.zip.