Nicotine+: Denial of Service — GLSA 202210-20

A vulnerability has been found in Nicotine+ which could result in denial of service.

Affected packages

net-p2p/nicotine+ on all architectures
Affected versions < 3.2.1
Unaffected versions >= 3.2.1

Background

Nicotine+ is a fork of nicotine, a Soulseek client in Python.

Description

Nicotine+ does not sufficiently validate file path in download requests.

Impact

A file path in a download request which contains a null character will cause a crash of Nicotine+.

Workaround

There is no known workaround at this time.

Resolution

All Nicotine+ users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-p2p/nicotine+-3.2.1"
 

References

Release date
October 31, 2022

Latest revision
October 31, 2022: 1

Severity
low

Exploitable
remote

Bugzilla entries