| Field | Value |
|---|---|
| Summary | games-strategy/ufo2000 - multiple issues (CVE-2006-{3788,3789,3790,3791,3792}) |
| Product | Gentoo Security |
| Reporter | Carsten Lohrke (RETIRED) <carlo> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | minor |
| CC | games, gengor, siarhei.siamashka, vladimir |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://aluigi.altervista.org/adv/ufo2ko-adv.txt |
| Whiteboard | B3 [maskglsa] |
| Package list | |
| Runtime testing required | --- |
| Bug Depends on | |
| Bug Blocks | 235763 |
| Attachments | ufo2000-0.7.1062-r1.ebuild (attachment 111209) |
Description
Carsten Lohrke (RETIRED)
2006-08-01 02:23:42 UTC
This one has been masked.

A fix is here: http://bugs.gentoo.org/show_bug.cgi?id=143421

Can I query status of this issue? Is there anything special needed to unmask ufo2000 in portage? Here is the history of this issue:

2006-07-10 E-mail from Luigi Auriemma with the security problems report. He got a reply thanking him for this information and asking not to disclose this information until the bugfix gets released.
2006-07-13 Problems fixed in SVN, final pre-release testing in process.
2006-07-16 Security problem disclosed (without any notice to ufo2000 developers).
2006-07-18 Bugfix release 0.7.1062 available, links to vulnerable versions removed from download.
2006-07-28 Somebody noticed the security problem announcement and reported it in the forum: http://www.xcomufo.com/forums/index.php?showtopic=242026496 As a result, a special check preventing vulnerable versions from connecting to the server was added. E-mail asking to mask the current vulnerable ufo2000 version in the portage was sent to Chris Gianelloni (the last Gentoo developer who touched the ufo2000 ebuild at that moment).
2006-07-31 ufo2000 0.6.627 was masked by Chris Gianelloni.
2006-08-15 Ebuild for ufo2000 0.7.1062 added to portage (but still masked).
2006-11-27 Mask is still here...

0.6.627 removed and 0.7.1062 unmasked.

Flew under our radar, it seems. The fixed version has been in the tree for two months now. Calling for a vote according to the policy...

I vote yes.

(In reply to comment #6)
> I vote yes.
>

Why not... ok, yes.

GLSA Request filed.

Not everything is so easy, as ufo2000 is currently masked because its optional dependency (dumb library 0.9.2) was removed from the portage tree, see http://bugs.gentoo.org/show_bug.cgi?id=164186 This dumb 0.9.2 had some security issue also discovered by Luigi Auriemma; the problem was solved in version 0.9.3, which is unfortunately API incompatible with 0.9.2.

As ufo2000 uses the dumbogg plugin (discontinued by upstream), which heavily relies on dumb internals, fixing it to work with a new version seems to be a nontrivial task. So support for dumb will most likely be dropped from future versions of ufo2000 and replaced with something else. Right now the best option probably would be to fix the ufo2000 ebuild to remove this optional dumb dependency, unmask it and have this security issue finally resolved.

I think this will take a lot of time, so we'll issue the GLSA telling that ufo2000 is masked and users should unmerge it due to security issues both in dumb-0.9.2 and in old ufo2000 ebuilds.

GLSA 200702-10 sent, without closing the bug, in the enhancement scope waiting for a better solution.

Created attachment 111209 [details]
ufo2000-0.7.1062-r1.ebuild

I'm sorry for a bit late reply, I did not get e-mail notification after comment #9 for some reason. Actually removing the DUMB dependency is quite trivial, ebuild is attached.

Security impact of running ufo2000 with a vulnerable version of the DUMB library is extremely low. Unless the users can be convinced by some stranger to manually replace default game music soundtracks with something else, they are safe.

After the second thought, it will really take some more time to resolve. In order to remain in the portage tree, ufo2000 needs a stable release that would be free of security problems and remain supported for a reasonable time (half a year at least). Beta versions do not suit this purpose well. It is unrealistic to catch up with the beta releases once ufo2000 is actively developed (and a new beta 0.7.1067 is already available). A better solution for beta versions is an upstream maintained portage overlay instead, and binary builds for other Linux distributions.

I'll try to come up with some way to solve this problem within a week.

(In reply to comment #12)
> Security impact of running ufo2000 with vulnerable version of DUMB library is
> extremely low. Unless the users can be convinced by some stranger to manually
> replace default game music soundtracks with something else, they are safe.

You're right.

> A better solution for beta versions is an upstream maintained portage overlay
> instead and binary builds for other linux distributions.
>
> I'll try to come up with some way to solve this problem within a week.

Thanks a lot.

It's gone. Please go ahead and close this out.

GLSA 200702-10