-------------------------------------------------------------------------- Debian Security Advisory DSA 372-1 security@debian.org http://www.debian.org/security/ Matt Zimmerman August 16th, 2003 http://www.debian.org/security/faq -------------------------------------------------------------------------- Package : netris Vulnerability : buffer overflow Problem-Type : remote Debian-specific: no CVE Ids : CAN-2003-0685 Shaun Colley discovered a buffer overflow vulnerability in netris, a network version of a popular puzzle game. A netris client connecting to an untrusted netris server could be sent an unusually long data packet, which would be copied into a fixed-length buffer without bounds checking. This vulnerability could be exploited to gain the priviliges of the user running netris in client mode, if they connect to a hostile netris server.
games-arcade/netris-0.5 is what is currently in portage. The buffer overflow effects Netris 0.52 and and earlier, and possibly other versions. I checked the netris download site to see if there was anything newer but it seems there exists none at ftp://ftp.netris.org/pub/netris/ Netris needs to be package.masked / fixed / patched / removed from portage.
0.52 with the security fixes is now in portage
changing resolution to FIXED (Not sending GLSA)