Bug 162092 - games-fps/alephone Server DoS (CVE-2006-6663 CVE-2006-6664)
Summary: games-fps/alephone Server DoS (CVE-2006-6663 CVE-2006-6664)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://aluigi.altervista.org/PRIVOXY-...
Whiteboard: B3(B1?) [noglsa]
Keywords:
Depends on: 159132
Blocks:
Reported: 2007-01-14 19:39 UTC by Executioner
Modified: 2007-02-23 17:41 UTC

See Also:
Package list:
Runtime testing required: ---


Description Executioner 2007-01-14 19:39:50 UTC
Vulnerable Systems:
 * Marathon Aleph One versions released before 16 Dec 2006

Empty connection crash:
It's possible to crash the server simply by making an empty connection to it followed by a valid one (or vice versa; the cause of this bug is not clear and has not been investigated yet).

Possible format string in the logging function:
logMessageV, the function used for logging anything in the game, is vulnerable to a format string bug. Logging is enabled ONLY for messages with a priority level lower than logNoteLevel (40), such as logFatalLevel, logErrorLevel, logWarningLevel and logAnomalyLevel. Luigi has tried to find an easy way to exploit this bug remotely, but without luck, so Luigi doesn't know whether one exists or what the other ways (both remote and local) of doing it are.

Reproducible: Didn't try

http://aluigi.altervista.org/adv/alephonz-adv.txt
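The logging gate and the format-string pattern described in the report, as an added C illustration that is neither Aleph One's code nor Luigi's: a hypothetical reconstruction in which only the level names and logNoteLevel = 40 come from the report, while the other level values, the function names and the output buffer are assumed.

```c
/* Added illustration (not Aleph One's code): hypothetical reconstruction of
 * the logging gate described in the report.  logNoteLevel = 40 and the level
 * names are from the report; the other numeric values are assumed. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

enum { logFatalLevel = 0, logErrorLevel = 10, logWarningLevel = 20,
       logAnomalyLevel = 30, logNoteLevel = 40 };

/* The sink only emits messages whose level is strictly below logNoteLevel. */
int log_level_enabled(int level) { return level < logNoteLevel; }

/* Vulnerable pattern: whatever string reaches 'msg' becomes the format
 * string, so conversions inside untrusted text are interpreted by vsnprintf.
 * On benign input it behaves exactly like the hardened form, which is why
 * the defect is easy to miss in testing. */
int log_message_vulnerable(char *out, size_t n, int level, const char *msg, ...)
{
    va_list ap;
    int len;
    if (!log_level_enabled(level))
        return 0;                       /* quiet levels never reach the sink */
    va_start(ap, msg);
    len = vsnprintf(out, n, msg, ap);   /* msg is caller-influenced here */
    va_end(ap);
    return len;
}

/* Hardened form: the format is always a trusted literal and untrusted text is
 * passed as a "%s" argument.  The format attribute makes GCC/Clang warn when
 * a caller passes a non-literal format, which serves as the regression check. */
#if defined(__GNUC__)
__attribute__((format(printf, 4, 5)))
#endif
int log_message_hardened(char *out, size_t n, int level, const char *fmt, ...)
{
    va_list ap;
    int len;
    if (!log_level_enabled(level))
        return 0;
    va_start(ap, fmt);
    len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}
```

Compiling with -Wformat-security flags any call site that still hands a variable as the format, which is the audit a maintainer would run over the remaining callers.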
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-01-15 23:43:22 UTC
You can start handling your bugs yourself, you know :)
- setting the Severity
- setting the Status Whiteboard according to our policy [1]
- important: CCing the maintainer (/usr/portage/xx/xx/metadata.xml)

[1] http://www.gentoo.org/security/en/vulnerability-policy.xml
Comment 2 Executioner 2007-01-16 05:14:52 UTC
Okay, will do.  I wasn't quite sure how far I was supposed to take it as a scout.
Comment 3 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-01-17 22:39:15 UTC
(In reply to comment #2)
> Okay, will do.  I wasn't quite sure how far I was supposed to take it as a
> scout.
> 

No problem, you can handle the bugs you own. You're doing a great job at the moment, don't hesitate.
Comment 4 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-13 23:22:51 UTC
Hi arches, alephone-20061228 is in the tree, thanks to nyhm.
Could you test it and mark stable if appropriate, please? Thanks.
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2007-02-14 07:09:08 UTC
x86 stable
Comment 6 Simon Stelling (RETIRED) gentoo-dev 2007-02-14 12:42:25 UTC
I can't test this, on startup I simply get this:

---
CHROOT / # /usr/games/bin/alephone
Aleph One SDL linux-gnu x86_64 Feb 14 2007
http://source.bungie.org/

Original code by Bungie Software <http://www.bungie.com/>
Additional work by Loren Petrich, Chris Pruett, Rhys Hill et al.
TCP/IP networking by Woody Zenfell
Expat XML library by James Clark
SDL port by Christian Bauer <Christian.Bauer@uni-mainz.de>

This is free software with ABSOLUTELY NO WARRANTY.
You are welcome to redistribute it under certain conditions.
For details, see the file COPYING.

Built with network play enabled.
FATAL: Please be sure the files 'Map', 'Shapes', 'Images' and 'Sounds' are correctly installed and try again. (error -1)
---

However, the latest stable has exactly the same issue. Can someone else from the amd64 team give it a try please?
Comment 7 Chris Gianelloni (RETIRED) gentoo-dev 2007-02-14 15:37:41 UTC
You don't run it by alephone, but alephone.sh, instead.  AlephOne is only the engine, it requires data to play.  We have one data ebuild in the tree already, alephone-infinity, so you can merge that, then run "alephone.sh infinity" to play^H^H^H^Htest. ;]
Comment 8 Simon Stelling (RETIRED) gentoo-dev 2007-02-14 16:12:22 UTC
Thanks for the explanation Chris. Seems worky, marked stable.
Comment 9 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-14 20:31:13 UTC
Thanks Simon and Chris, I vote mmm... I would vote a half-no.
Comment 10 Matthias Geerdsen (RETIRED) gentoo-dev 2007-02-22 20:42:11 UTC
Also tending to vote no.
Comment 11 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-23 17:41:59 UTC
Closing without GLSA; feel free to reopen if you disagree.