| Summary: | games-fps/doomsday < 1.9.0-beta5.2 Multiple Vulnerabilities (CVE-2007-{4642,4643,4644}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Matt Fleming (RETIRED) <mjf> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | enhancement | CC: | dark.knight.ita, games, gengor, main.haarp, neoannagul, sattva, scen |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://secunia.com/advisories/26524/ | | |
| Whiteboard: | B1 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 188895 | | |

Description
Matt Fleming (RETIRED)
2007-08-31 00:25:12 UTC
CC'ing herd and setting whiteboard status.

masked

The security issues seem to be solved in the security update 1.9.0_beta5.2 release (what a horrible versioning scheme *_* ) http://sourceforge.net/forum/forum.php?forum_id=736045 Is it sufficient to update the ebuild, right?

Should be fixed in beta5.2 which I just put into portage.

You can remove the p.mask on this ebuild then.

doomsday-1.9.0_beta4 was stable before masking, so to not introduce version regressions, this should go stable too. Bones, what do you think about stabling 5.2?

sounds good to me. I went ahead on that.

(In reply to comment #5)
> You can remove the p.mask on this ebuild then.
>
> doomsday-1.9.0_beta4 was stable before masking, so to not introduce version
> regressions, this should go stable too. Bones, what do you think about stabling
> 5.2?

I suggest to *NOT* mark as stable this version, because it still contains several bugs, one of which has been reported in this [1] Gentoo Forums topic; see also the linked Doomsday bug report [2] (and IMHO this bug is quite annoying)

I've also the bad sensation that the future of the development of this engine wouldn't be so shiny... [3] :(

[1] http://forums.gentoo.org/viewtopic-t-622382.html
[2] http://sourceforge.net/tracker/index.php?func=detail&aid=1807891&group_id=74815&atid=542099
[3] http://www.dengine.net/blog/?p=113#comment-1993

Yeah, welcome to the world of opensource games. It's better than the previously stabled versions so I'm ok with the current state.

glsa request filed.

Upstream confirmed that CVE-2007-4644 was not fixed by the update. Either this bug should go back into upstream status or we should open another bug for CVE-2007-4644 and release the (corrected) GLSA.

Mr. Bones the most serious issue never got fixed. Please mask it again until we get a fixed version.

done.

Thx.

Any news about this?
* games-fps/doomsday-1.9.0_beta52:0::gentoo: Masked by repository (/var/paludis/repositories/gentoo/profiles/package.mask: Michael Sterrett <mr_bones_@gentoo.org> (15 Jan 2008) Security mask (bug #190835) https://bugs.gentoo.org/show_bug.cgi?id=190835)

So when will this be removed?

(In reply to comment #15)
> Any news about this?
>
> * games-fps/doomsday-1.9.0_beta52:0::gentoo: Masked by repository
> (/var/paludis/repositories/gentoo/profiles/package.mask: Michael Sterrett
> <mr_bones_@gentoo.org> (15 Jan 2008) Security mask (bug #190835)
> https://bugs.gentoo.org/show_bug.cgi?id=190835)
>
> So when will this be removed?
>

why should it be removed? the mask is here to remind users that this game is currently vulnerable. If upstream releases a new version fixing this issue, it should be unmasked again.

And GLSA 200802-02, sorry for the delay.

mask glsa is not a fix, is it? We usually leave it open until the ebuild is purged or unmasked and GLSA rereleased.

1.9.0_beta52 is unplayable because of a corrupted player control system. So 1.9.0_beta51 should be returned to portage...

Upstream pulled beta5.2. It should be removed from Portage, for playability and security reasons.

As an alternative, I created Attachment 170876 (also see bug 188895). This uses the same SVN sources that are also used to build the Ubuntu packages and should fix all vulnerabilities, *except* one:

> A format string error exists within the "Cl_GetPackets()" function when processing "PSV_CONSOLE_TEXT" messages sent by the server. This can potentially be exploited by a malicious server to execute arbitrary code on the affected clients by sending specially crafted messages.

A dev noted: "I could only ever trigger a DoS with this, no arbitrary code running".

It should also work on AMD64 now.

It's currently masked. That's good enough. We'll just pick up their next release.
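The format string issue quoted above (server-supplied console text reaching a printf-style call) is sketched here as an added example; it is not Doomsday's code and not part of the original thread. The names `con_printf` and `handle_console_text`, the buffer sizes and the payload layout are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char console_buf[128];   /* stand-in for the client console */

/* printf-style console writer. The format attribute lets GCC/Clang warn
 * about non-literal format strings (-Wformat -Wformat-security). */
static int con_printf(const char *fmt, ...)
    __attribute__((format(printf, 1, 2)));

static int con_printf(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(console_buf, sizeof console_buf, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable pattern (kept as a comment, not compiled): the server's text
 * becomes the format string, so the client interprets any conversion
 * specifier it contains.
 *     con_printf(text);
 */

/* Hardened handler. Assumed payload layout: len raw bytes from the
 * network, not guaranteed to be NUL-terminated. */
static int handle_console_text(const unsigned char *payload, size_t len)
{
    char text[96];
    if (len >= sizeof text)
        len = sizeof text - 1;          /* truncate oversized messages */
    memcpy(text, payload, len);
    text[len] = '\0';                   /* terminate before any string use */
    return con_printf("%s", text);      /* text is data, never a format */
}

int main(void)
{
    /* Constructed sample: '%' sequences must appear verbatim on the console. */
    static const unsigned char msg[] = "load 100%s done %x";
    handle_console_text(msg, sizeof msg - 1);
    puts(console_buf);
    return 0;
}
```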
1.9-beta6.1 has just been released http://www.doomsdayhq.com/

Bumped to 1.9-beta6.2 but I don't know if it's fixed.

doomsday-1.9.0_beta52 is gone. I've removed the entry from package.mask.

Affected version long gone. noglsa.