by Luigi Auriemma ====== 2) Bug ====== The game is affected by a denial of service which happens when a client uses a flag (called also frameNum) major than 41 since the setFrame function in src/Lib/2D/Surface.hpp checks if this number is minor than frameCount: void setFrame(const float &frameNum) { assert(frameNum >= 0.0); assert(frameNum < frameCount); mem = frame0 + (pix.y * stride) * int(frameNum); } The result is the immediate interruption of the server. (...) ====== 4) Fix ====== No fix. No reply from the developers.
Let's wait for a patch or an upstream bump.
package masked for now.
Hi, i have maded a patch that fix this (and other bugs) in netpanzer. I dont know if the patch will be accepted (it seems nobody will ever take a look into it). But anyway im working with netpanzer (even im thinking to make a fork). You can find the patch in the 'patch' section of netpanzer in berlios.de
Apperantley this bug has been fixed in the latest release of netpanzer.(http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=318329) Please confirm.
Debian is using a SVN snapshot.
What's the status of this ebuild? Can we use the CVS?
version 0.8.1 should fix this problem
I still don't understand why you are masking a game, because it is possible to abort a running server with bad data (this isn't even a buffer overflow, noone can gain control of the server). A server which can be shut down is still better than no server at all, isn't it?
*** Bug 165519 has been marked as a duplicate of this bug. ***
Created attachment 109293 [details] netpanzer-0.8.1.ebuild New netpanzer version, that fixes this bug
(In reply to comment #10) > Created an attachment (id=109293) [edit] > netpanzer-0.8.1.ebuild > > New netpanzer version, that fixes this bug > Ha Kewl! Is this in portage testing yet? Or do we need to use an overlay?
bumped
Time to vote, i vote NO.
The masterserver provided in the default configuartion file is not working anymore, so the internal server browser will not work without modification. New Masterserver is netpanzer.selfip.net, maybe an information message after insatlling would be a good idea.
(In reply to comment #13) > Time to vote, i vote NO. > Vote for what?
(In reply to comment #15) > (In reply to comment #13) > > Time to vote, i vote NO. > > > > Vote for what? > Wether we issue a GLSA or not. (ok, i know i'm voting alone)
(In reply to comment #16) > (In reply to comment #15) > > (In reply to comment #13) > > > Time to vote, i vote NO. > > > > > > > Vote for what? > > > > Wether we issue a GLSA or not. (ok, i know i'm voting alone) > I guess this is only for developers?
(In reply to comment #17) > (In reply to comment #16) > > Wether we issue a GLSA or not. (ok, i know i'm voting alone) > > > > I guess this is only for developers? > Sure :) but you are free to give your opinion.
i'm actually the only active member of the security team, so let's close this without GLSA. Feel free to reopen if you disagree.
