Summary: | net-misc/rwbs: 4 security related bugs in Roger Wilco | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Tobias Weisserth <tobias> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED CANTFIX | ||
Severity: | normal | CC: | vapier |
Priority: | Highest | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | All | ||
URL: | http://aluigi.altervista.org/adv/wilco-again-adv.txt | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- |
Description
Tobias Weisserth
2004-03-31 11:03:59 UTC
Mike -- you're the last person that touched net-misc/rwbs (12/2002). Can you review/comment/patch if needed? Only keywords in the ebuild are x86, so no other arches are affected/need to be consulted as part of this bug. from the gamespy website: Version 0.27 is our latest release for the Base Station for Linux and FreeBSD. Version 0.30a is the lateste release for Windows and reports to the GameSpy Master Servers. in other words, they havent released a fix yet ... was this even sent to them ? emailing the author of the vuln. notice to find out. The original author (aluigi@altervista.org) did not bother to inform gamespy about this problem. He indicated he didn't feel it was worth the time since (in his opinion) they never responded to problem/bug reports anyway. I have sent an email to rogerwilco@gamespy.com (the only contact address I could find on their web site) and am awaiting a response. The only semi-serious issue in this particular report is the crashing bug which, at worst, leads to a DoS on the program itself. So, pending a response from gamespy, am downgrading to normal. I received a response from Gamespy: "Hi Kurt, I sincerely apologize for this late response to your issue. I have forwared your email to our programmers for comment." on April 23rd. So far, no response from the programmers. At worst, this program allows itself to be crashed. It doesn't appear to affect any other parts of the operating system or other programs. It doesn't appear to allow overwriting of files or arbitrary code execution. Basically, it doesn't seem like a big deal. Marking as cantfix for now. No patch from the vendor == can't fix. Because it's not a big risk, I don't think we need to security mask it, either. |