Hello all,
Today we've released bugfix updates to our current stable branch 3.4 and the previous stable branch 3.3.
Most notably, these contain a fix for a security issue: the compilation phase was not run under an unprivileged user, which allows (in some languages) a contestant to insert compile-time instructions, e.g. to try to access locally stored test data; see tests/test-compile-read-testcase.hs for proof-of-concept code. This is fixed by also running the compile phase under the unprivileged 'domjudge-run' user and making sure that this user does not have access to any testcase or other judging data. Note that, especially in the 3.3 branch, this introduces a significant amount of code that had to be backported from the stable 3.4 and master branches. In the new 4.0 series release we are working towards running the compile phase completely within a chroot environment, just like the run phase.
A number of smaller issues have also been fixed. See the ChangeLog file for details.
Downloads as usual through our home page: http://www.domjudge.org/download
On behalf of the DOMjudge developers, Jaap Eldering
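
A check an administrator could run after upgrading, given here as an added example that is not part of the announcement or of DOMjudge's own code: it walks a judging-data directory and reports what a given unprivileged account can still read under classic POSIX mode bits. The directory, uid and gids are supplied by the caller (none are taken from DOMjudge), and ACLs and capabilities are assumed not to be in use.

```python
import os
import stat
import sys

def class_bits(st, uid, gids):
    """rwx bits (0-7) that POSIX mode checks grant this uid/gid set on st."""
    if st.st_uid == uid:            # owner class wins even if it grants less
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def reachable_by(root, uid, gids):
    """Paths under root the account can read (files) or list (directories).

    Assumes the account can already reach root itself. Run as root or as the
    owner of the tree so the audit can list every directory. Symlinks are
    not followed.
    """
    findings, stack = [], [root]
    while stack:
        path = stack.pop()
        st = os.lstat(path)
        bits = class_bits(st, uid, gids)
        if stat.S_ISDIR(st.st_mode):
            if bits & 4:
                findings.append(path)   # file names are visible
            if bits & 1:
                # Searchable: files below can be opened by name even when
                # the directory cannot be listed, so always descend.
                stack.extend(os.path.join(path, n) for n in os.listdir(path))
            # No search bit: nothing below is reachable, prune the subtree.
        elif stat.S_ISREG(st.st_mode) and bits & 4:
            findings.append(path)
    return sorted(findings)

if __name__ == "__main__" and len(sys.argv) >= 3:
    # Usage: audit.py <judging-data-dir> <uid> [<gid> ...]
    hits = reachable_by(sys.argv[1], int(sys.argv[2]),
                        {int(g) for g in sys.argv[3:]})
    print("\n".join(hits) or "nothing reachable")
    sys.exit(1 if hits else 0)
```

An empty result for the compile/run account over the testcase and judging directories is the state the fix aims for; any path printed is data a submission's compile step could read.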