Summary: | games-fps/americas-army (using Unreal Engine) Denial Of Service (CVE-2007-{4442,4443,5249,5250}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Tobias Heinlein (RETIRED) <keytoaster> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | enhancement | CC: | bugs.gentoo.devel, games, gengor, pacho |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://secunia.com/advisories/27015/ | ||
Whiteboard: | B3 [masked] | ||
Package list: | Runtime testing required: | --- |
Description
Tobias Heinlein (RETIRED)
2007-10-03 13:58:44 UTC
(Not my day, sorry for the bugspam) Even though we only have a much older version of America's Army in the tree, it uses Punkbuster, which auto-updates itself into the user's home. We'll need to mask this for removal, since there's not a newer Linux version available and no plans on making one. I've masked it, so we likely just need a masking GLSA. I think that dropping it from portage tree is not needed, it can be left hardmasked and a warn can be added to the ebuild like is currently done with doomsday or unreal-tournament Thanks a lot This is CVE-2007-5250. .. and CVE-2007-5249. The only reason that unreal-tournament has stuck around is the client isn't vulnerable. If unreal-tournament has a split server/client, then the client wouldn't even be masked. This isn't the case here, so the same rules do not apply. OK, I didn't know that, I have already copy the ebuild to my local overlay :-) Thanks for the information The AA client is vulnerable to a DoS attack? In what way? What if it's connected to a trusted server? Sad to see this package removed over a DoS that doesn't even involve privilege escalation. (In reply to comment #6) > The only reason that unreal-tournament has stuck around is the client isn't > vulnerable. As far as I can tell from reading both CVE summaries, it's the same situation here. Why should different action be taken? Should we issue a temporary maskglsa here? Is Punkbuster enabled by default? (B3 or C3) I tend to vote NO either way. Punkbuster is enabled by default. I vote NO maskglsa, setting status to enhancement and waiting for an update... Has been removed on 05 Jun 2008. |