1. Forum
  2. Usenet
  3. LINUX.GENTOO.ANNOUNCE

  • [gentoo-announce] [ GLSA 202210-20 ] Nicotine+: Denial of Service

    From glsamaker@gentoo.org@21:1/5 to All on Mon Oct 31 03:20:01 2022
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Gentoo Linux Security Advisory GLSA 202210-20
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    https://security.gentoo.org/
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Severity: Low
    Title: Nicotine+: Denial of Service
    Date: October 31, 2022
    Bugs: #835374
    ID: 202210-20

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Synopsis
    ========

    A vulnerability has been found in Nicotine+ which could result in denial
    of service.

    Background
    ==========

    Nicotine+ is a fork of nicotine, a Soulseek client in Python.

    Affected packages
    =================

    -------------------------------------------------------------------
    Package / Vulnerable / Unaffected
    -------------------------------------------------------------------
    1 net-p2p/nicotine+ < 3.2.1 >= 3.2.1

    Description
    ===========

    Nicotine+ does not sufficiently validate file path in download requests.

    Impact
    ======

    A file path in a download request which contains a null character will
    cause a crash of Nicotine+.

    Workaround
    ==========

    There is no known workaround at this time.

    Resolution
    ==========

    All Nicotine+ users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-p2p/nicotine+-3.2.1"

    References
    ==========

    [ 1 ] CVE-2021-45848
    https://nvd.nist.gov/vuln/detail/CVE-2021-45848

    Availability
    ============

    This GLSA and any updates to it are available for viewing at
    the Gentoo Security Website:

    https://security.gentoo.org/glsa/202210-20

    Concerns?
    =========

    Security is a primary focus of Gentoo Linux and ensuring the
    confidentiality and security of our users' machines is of utmost
    importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

    License
    =======

    Copyright 2022 Gentoo Foundation, Inc; referenced text
    belongs to its owner(s).

    The contents of this document are licensed under the
    Creative Commons - Attribution / Share Alike license.

    https://creativecommons.org/licenses/by-sa/2.5
    -----BEGIN PGP SIGNATURE-----

    iQIzBAEBCgAdFiEEpqTA6ABLMxh/aChGFMQkOaVy+9kFAmNfIWAACgkQFMQkOaVy +9lWvw//TKeEM0bLd1CUTkZrxBUIpeb7EkOY3cBetQ3wSw6YFLNPq+qCsrThuEby 3B/oNXMIvZhjQWd2CXOMEvN2Dgw80ViLSBsZ6bTij5PxnPz8ldH92/OtmRRZ1fEB m1S4KZjEVCpmDjFCc+3+AfYetka5DoMyIPFXmMNp4Piv58612RmZdIsYUSpcXWKU SXf5ROKAyr+F6KnUJQTZBDgEJAfE1c3EdVIk/tg2mhVzr7z0ODnvRMWLQLzuVXEl iIY2xByQ3e8ckwh+VhdWeUQYq+scJslhlPvmUxsRYmsfuiIFGXdLtFakBbG2mzas Xo2FFHfNNhdXlD9EkmK2JfxsfNo+KNWxFz/3610/g0Vc9qfD+Qe9w+z2+HAdHSJF 0Jz3AX+M41FHN/5MGPAE+qq+QEWZcWrODPSBuJBWZAOwliBidr35aVESQT9+2e7G 4zSA5HaixsJxbTgIA4fqzZsei/jGtuIR96wOpfLNjyqETyQk8pdyM/HBGDqhYzCs Hin0PFO/9mEbDYrfzZk7O4cfS9VrK8YOCdklc2VcucBNjDzQMahM8HmOIxW0EuQl QYwq8NRSUA7j1IfAxY0feLgAPQQuOUF3s7iXLZpuR+AfzP5xfJU1WdxiJaTSNCk+ EAiwo/EcfsoXU+dBhFBeSxYD5sj4ION6/h8NpAgBNiR0L3QCUTg=
    =dDTn
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)