Bug 194609 (CVE-2007-4442)

Summary: games-fps/americas-army (using Unreal Engine) Denial Of Service (CVE-2007-{4442,4443,5249,5250})
Product: Gentoo Security
Reporter: Tobias Heinlein (RETIRED) <keytoaster>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: enhancement
CC: bugs.gentoo.devel, games, gengor, pacho
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://secunia.com/advisories/27015/
Whiteboard: B3 [masked]
Package list:
Runtime testing required: ---

Description Tobias Heinlein (RETIRED) gentoo-dev 2007-10-03 13:58:44 UTC
Luigi Auriemma has reported some vulnerabilities in America's Army, which can be exploited by malicious people to cause a DoS (Denial of Service).

Successful exploitation requires that the "PunkBuster" feature is enabled on the affected server.

The vulnerabilities are reported in version 2.8.2 and prior. Other versions may also be affected.

Solution:
Host games on a trusted network only.
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2007-10-03 14:00:40 UTC
(Not my day, sorry for the bugspam)
Comment 2 Chris Gianelloni (RETIRED) gentoo-dev 2007-10-05 17:02:09 UTC
Even though we only have a much older version of America's Army in the tree, it uses Punkbuster, which auto-updates itself into the user's home.  We'll need to mask this for removal, since there's not a newer Linux version available and no plans on making one.  I've masked it, so we likely just need a masking GLSA.
Comment 3 Pacho Ramos gentoo-dev 2007-10-06 18:32:23 UTC
I think that dropping it from the portage tree is not needed; it can be left hardmasked and a warning can be added to the ebuild, as is currently done with doomsday or unreal-tournament.

Thanks a lot
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2007-10-07 09:38:51 UTC
This is CVE-2007-5250.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2007-10-07 09:46:36 UTC
.. and CVE-2007-5249.
Comment 6 Chris Gianelloni (RETIRED) gentoo-dev 2007-10-07 18:27:53 UTC
The only reason that unreal-tournament has stuck around is the client isn't vulnerable.  If unreal-tournament has a split server/client, then the client wouldn't even be masked.  This isn't the case here, so the same rules do not apply.
Comment 7 Pacho Ramos gentoo-dev 2007-10-07 19:01:22 UTC
OK, I didn't know that. I have already copied the ebuild to my local overlay :-)

Thanks for the information
Comment 8 Joshua Pettett 2007-10-08 21:19:49 UTC
The AA client is vulnerable to a DoS attack?  In what way?  What if it's connected to a trusted server?
Comment 9 Gordon Malm (RETIRED) gentoo-dev 2007-10-16 06:16:35 UTC
Sad to see this package removed over a DoS that doesn't even involve privilege escalation.
Comment 10 Joshua Pettett 2007-10-16 15:18:23 UTC
(In reply to comment #6)
> The only reason that unreal-tournament has stuck around is the client isn't
> vulnerable.  

As far as I can tell from reading both CVE summaries, it's the same situation here.  Why should different action be taken?
Comment 11 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-10-22 20:06:04 UTC
Should we issue a temporary maskglsa here? Is Punkbuster enabled by default? (B3 or C3)
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-10-22 20:22:39 UTC
I tend to vote NO either way.
Comment 13 Chris Gianelloni (RETIRED) gentoo-dev 2007-11-04 18:44:42 UTC
Punkbuster is enabled by default.
Comment 14 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-03-07 10:12:11 UTC
I vote NO maskglsa, setting status to enhancement and waiting for an update...
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2008-07-14 18:57:25 UTC
Has been removed on 05 Jun 2008.