xpra bug tracker and wiki

Opened 11 months ago

Closed 9 months ago

#1217 closed task (fixed)

security issues in rencode

Reported by: Antoine Martin
Owned by: Smo
Priority: critical
Milestone: 1.0
Component: core
Version: trunk
Keywords:
Cc:

Description

Just reported two security issues in rencode:

For our use case, I believe this can just cause a server crash, I don't think we leak parsed data from packets back to the user - but maybe disconnection messages? (those would need to be trimmed)

Change History (5)

comment:1 Changed 11 months ago by Antoine Martin

Status: new → assigned

The first bug is now fixed and version 1.0.5 will include it, the second one was already fixed in rencode 1.0.4. (my bad)

Until 1.0.5 is officially released (new blocker: https://github.com/aresch/rencode/issues/9), here's a download link: https://github.com/aresch/rencode/archive/a5ab0fb6c3603d1e9c53e2cfc262b2288d2912d8.zip.

comment:2 Changed 10 months ago by Antoine Martin

Milestone: 0.18 → 1.0

Milestone renamed

comment:3 Changed 9 months ago by Antoine Martin

Owner: changed from Antoine Martin to Smo
Status: assigned → new

This is all fixed in version 1.0.5, bumped for osx and rpm in r13028. (r13029 for centos6 because of this bug: https://github.com/aresch/rencode/issues/10)

@smo: time to update.


comment:4 Changed 9 months ago by Antoine Martin

  • r13120 updates the debian repos to use 1.0.5
  • r13129 removes rencode from our source tree

comment:5 Changed 9 months ago by Smo

Resolution: fixed
Status: new → closed

All updated.
