Today we've released bugfix updates to our current stable branch 3.4
and the previous stable branch 3.3.

Most notably, these contain a fix for a security issue: the
compilation phase was not run under an unprivileged user, which allows
(in some languages) a contestant to insert compile-time instructions,
e.g. to try to access locally stored test data; see
tests/test-compile-read-testcase.hs for proof-of-concept code. This is
fixed by running the compile phase also under the unprivileged
'domjudge-run' user, and making sure that this user does not have
access to any testcase or other judging data. Note that especially in
the 3.3 branch this introduces a significant amount of code that had
to be backported from the stable 3.4 and master branches. In the new
4.0 series release we are working towards running the compile phase
completely within a chroot environment, just as the run phase.

A number of smaller issues have also been fixed. See the ChangeLog
file for details.

Downloads as usual through our home page:

On behalf of the DOMjudge developers,

DOMjudge-announce mailing list
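
The fix above depends on the unprivileged user having no access to testcase or judging data. The following is an added example, not DOMjudge code, of one way to audit a directory tree for files that a given uid could still read. The function names, the sample layout and the uid/gid values are assumptions made for illustration.

```python
import os
import stat
import tempfile

def class_bits(st, uid, gids):
    """rwx triplet (0-7) the mode bits grant: owner, else group, else other."""
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    return (st.st_mode >> shift) & 7

def exposed_files(root, uid, gids):
    """Regular files under root that uid could open (mode bits only, no ACLs).

    A directory without search (x) permission hides its subtree; x without r
    does not, because testcase file names can be guessed.
    """
    if not class_bits(os.lstat(root), uid, gids) & 1:
        return []
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune subdirectories the user cannot traverse.
        dirnames[:] = [d for d in dirnames if class_bits(
            os.lstat(os.path.join(dirpath, d)), uid, gids) & 1]
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and class_bits(st, uid, gids) & 4:
                found.append(os.path.relpath(path, root))
    return sorted(found)

def build_demo_tree(base):
    """Constructed sample layout; returns a uid and gid set foreign to it."""
    layout = {"locked/1.in": (0o700, 0o644),   # directory blocks access
              "leaky/2.out": (0o711, 0o644),   # world-readable testcase
              "leaky/3.out": (0o711, 0o600)}   # owner-only testcase
    for rel, (dmode, fmode) in layout.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample data\n")
        os.chmod(path, fmode)
    for rel, (dmode, _) in layout.items():
        os.chmod(os.path.join(base, os.path.dirname(rel)), dmode)
    os.chmod(base, 0o755)
    st = os.stat(base)
    return st.st_uid + 1, {st.st_gid + 1}

if __name__ == "__main__":
    demo = tempfile.mkdtemp()
    print(exposed_files(demo, *build_demo_tree(demo)))
```

On a judgehost, the uid and groups would come from `pwd.getpwnam('domjudge-run')` and `os.getgrouplist`, and an empty result for the judging data directory is the expected outcome.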