Impact
A buffer overflow exploit in versions 2.4.8 and below allow an attacker to execute malicious code on any player's machine that connects to a malicious server or poorly-configured server. This also exposes the client to potential crashing from very large messages or evidence items.
While no proof-of-concept exists for the attack in this specific context, and there are no reports of the remote code execution exploit being present in the wild, client forks should take care to fix the vulnerability.
Patches
The issue was fixed in 2.4.9.
Client forks should ensure that their network code is fixed in a way similar to this diff.
Workarounds
Players using forks that diverged from AO2 before version 2.4.9 should not connect to untrusted servers unless the issue has been confirmed to have been fixed on these forks.
For more information
If you have any questions or comments about this advisory, please make a thread in the forums.
Impact
A buffer overflow exploit in versions 2.4.8 and below allow an attacker to execute malicious code on any player's machine that connects to a malicious server or poorly-configured server. This also exposes the client to potential crashing from very large messages or evidence items.
While no proof-of-concept exists for the attack in this specific context, and there are no reports of the remote code execution exploit being present in the wild, client forks should take care to fix the vulnerability.
Patches
The issue was fixed in 2.4.9.
Client forks should ensure that their network code is fixed in a way similar to this diff.
Workarounds
Players using forks that diverged from AO2 before version 2.4.9 should not connect to untrusted servers unless the issue has been confirmed to have been fixed on these forks.
For more information
If you have any questions or comments about this advisory, please make a thread in the forums.