I found this [1] information about a security problem in ET server and a bugfix for this problem. Perhaps someone can review it and add it to the ET ebuild if the info is right? [1] = http://www.punksbusted.com/forums/index.php?showtopic=33939 Reproducible: Always
games, please have a look
Any way you can post the details so I don't have to register for that forum?
Sorry, I did not see that you are not allowed to watch that thread. The main info should be in [1]. [2] is called a fix for the etpro mod only. [1] = http://www.punksbusted.com/omnix/et260b_serverfix.tar.gz [2] = http://www.punksbusted.com/omnix/wsfix.lua
That's not very clear. Can you provide a diff or something, or copy/paste the relevant lines from the forum? Is the issue fixed upstream? Please note that bug 135645 is still not fixed yet.
After having a short look while being drunk, this looks like a 3rd party hack (of a Gentoo user - cheers!) to prevent exploitation. This may work very well, but requires someone to check this in depth, probably involving time-consuming binary analysis etc. Also, there may be some license issues (but given the large modding community, this is not very likely).
The mentioned bug is client side. This is serverside only. This [1] is the only information I got for this patch at the forum. [1] = http://www.tommyserver.de/et.php
Changing product/component. Please file security bugs in the Gentoo Security product.
etpub-0.8.1 includes a fix for this, so a server with actual etpub-mod should not be affected any more.
Is there a fix that doesn't require a complete mod? I haven't found one, but I'd gladly add one to the ebuild if there was one.
I only know the file from [1] in my comment #3, which, after compilation, has to be preloaded before loading the game itself and should prevent the exploits (as written in the included file and stated in [1] from my comment #6). Btw, ID did release the source code, if that helps anyone.
Hi, well I can't provide a fix but some more information from etpro-mod forum: http://bani.anime.net/banimod/forums/viewtopic.php?t=6777 They recommend usage of a lua script to fix this stuff but I don't know if this works with other mods than etpro. Of course I'd rather see a fix for enemy-territory itself. Something like a 2.61 patch would be quite handy ;) Cheers
Any news here? Either we include the 3rd party hack, or we p.mask until we have a better solution... games herd?
Sorry that this is taking so long. I've not forgotten about it. I'm just swamped with 2008.0 stuff. I see no reason why we cannot simply mask it for the time being.
@games: whatever the security problem was, the website is no longer accessible. Mask it or close the bug WONTFIX. Your call.
Maybe it is a duplicate of https://bugs.gentoo.org/show_bug.cgi?id=82149
Super old bug. Package has already been masked for quite some time.