Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 606702

Summary: <games-fps/urbanterror-4.3.2_p20170426: Multiple vulnerabilities through embedded ioquake3 engine (CVE-2011-{1412,2764,3012},CVE-2012-3345)
Product: Gentoo Security Reporter: Thomas Deutschmann (RETIRED) <whissi>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: games, holgersson
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B2 [glsa cve]
Package list:
games-fps/urbanterror-4.3.2_p20170426 games-fps/urbanterror-data-4.3.2
 Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 376589    

Description Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-21 13:28:29 UTC 
It is suspected that this package is vulnerable to multiple vulnerabilities (including a remote code execution vulnerability) due to embedded ioquake3 engine. As such we ask maintainers with packages suspected to be vulnerable to verify if the package is (or have been) affected.

Please see the information contained in the tracker bug 376589 for further details.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-21 13:45:25 UTC 
Bug 420783 (CVE-2012-3345) was added to the same tracker.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-06 11:07:27 UTC 
@ Arches,

please test and mark stable:

=games-fps/urbanterror-4.3.2_p20170426
=games-fps/urbanterror-data-4.3.2
Comment 4 Agostino Sarubbo gentoo-dev 2017-06-08 10:16:42 UTC 
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2017-06-09 10:20:07 UTC 
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-09 11:08:54 UTC 
Repository is now clean (https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bee9c6050c05e972ed935abf908d595597bb0416).

New GLSA request filed.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2017-06-22 18:00:26 UTC 
This issue was resolved and addressed in
 GLSA 201706-23 at https://security.gentoo.org/glsa/201706-23
by GLSA coordinator Kristian Fiskerstrand (K_F).