Summary: | games-fps/unreal* engine vulnerability in "secure" query | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Chris Gianelloni (RETIRED) <wolf31o2> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | games |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | All | ||
Whiteboard: | B1 [glsa] koon | ||
Package list: | | Runtime testing required: | --- |
Description
Chris Gianelloni (RETIRED)
2004-06-22 05:09:57 UTC
Fixed version of ut2004 has been marked stable. I will be looking into ut2003 shortly.

Chris: could you list the Gentoo packages affected by this vulnerability and which have already been fixed so that we can keep track? In my understanding there is:
games-fps/ut2003
games-fps/ut2004 (fixed)
But I'm not sure about games-fps/ut2003-demo, games-fps/unreal, games-fps/ut2004-demo, games-fps/postal2mpdemo?

games-fps/unreal (vulnerable, and still masked from last engine exploit)
games-fps/unreal-tournament (vulnerable, and still masked from last engine exploit)
games-fps/unreal-tournament-goty (vulnerable, and still masked from last engine exploit)
games-fps/ut2003 (vulnerable, not masked)
games-fps/ut2003-demo (vulnerable, not masked)
games-server/ut2003-ded (vulnerable, not masked)
games-fps/ut2004 (fixed)
games-fps/ut2004-demo (vulnerable, not masked)
games-server/ut2004-ded (not yet added, I have an ebuild, but it is already fixed)
games-fps/postal2demo (possibly vulnerable?)
Of course, games-fps/americas-army is not vulnerable. I am researching on ut2003 and the -demos currently. I know that there is a new ut2003 patch in BETA, as I'm a beta tester for it, and it resolves this issue, but it has not been released to the public yet.

OK. I have a workaround for UT2003* and UT2004* that I know will work. I'll also see if it works for the other unreal* games. If it does, I will be adding it to portage this evening.

Chris: what's the status on this? Did you include all the fixes in portage? Are there unfixable packages?

Sorry about that, I've been held up with work obligations. The problem with my proposed "fix" as I have found out, is that while it does stop the possibility of the server being exploited remotely, it also removes the possibility of the server being listed on GameSpy, which is how servers get listed for public use. This pretty much makes a dedicated server quite worthless, in my opinion.
Now, it does not appear that ut2003-demo does an uplink to GameSpy, at all. This means that while the engine is vulnerable, there is no way to actually exploit this. I have fixed ut2004-demo. I am adding a quick fix to ut2003 and ut2003-ded, which will hold until the next patch goes final.

Everything for ut200* has been updated in portage now.

If we ignore the masked packages, here we have:
Vulnerable :
<=games-fps/ut2003-2225-r2
<=games-server/ut2003-ded-2225-r1
<games-fps/ut2004-3236
<=games-fps/ut2004-demo-3120-r3
Fixed :
>=games-fps/ut2003-2225-r3
>=games-server/ut2003-ded-2225-r2
>=games-fps/ut2004-3236
>=games-fps/ut2004-demo-3120-r4
If postal2demo is not vulnerable, I just realised we are ready for a GLSA :) Chris, please confirm.
We're GLSA ready...

GLSA drafted, security please review

GLSA 200407-14