Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 194609 (CVE-2007-4442) - games-fps/americas-army (using Unreal Engine) Denial Of Service (CVE-2007-{4442,4443,5249,5250})
Summary: games-fps/americas-army (using Unreal Engine) Denial Of Service (CVE-2007-{44...
Alias: CVE-2007-4442
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High enhancement (vote)
Assignee: Gentoo Security
Whiteboard: B3 [masked]
Depends on:
Reported: 2007-10-03 13:58 UTC by Tobias Heinlein (RETIRED)
Modified: 2008-07-14 18:57 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Tobias Heinlein (RETIRED) gentoo-dev 2007-10-03 13:58:44 UTC
Luigi Auriemma has reported some vulnerabilities in America's Army, which can be exploited by malicious people to cause a DoS (Denial of Service).

Successful exploitation requires that the "PunkBuster" feature is enabled on the affected server.

The vulnerabilities are reported in version 2.8.2 and prior. Other versions may also be affected.

Host games on a trusted network only.
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2007-10-03 14:00:40 UTC
(Not my day, sorry for the bugspam)
Comment 2 Chris Gianelloni (RETIRED) gentoo-dev 2007-10-05 17:02:09 UTC
Even though we only have a much older version of America's Army in the tree, it uses Punkbuster, which auto-updates itself into the user's home.  We'll need to mask this for removal, since there's not a newer Linux version available and no plans on making one.  I've masked it, so we likely just need a masking GLSA.
Comment 3 Pacho Ramos gentoo-dev 2007-10-06 18:32:23 UTC
I think that dropping it from portage tree is not needed, it can be left hardmasked and a warn can be added to the ebuild like is currently done with doomsday or unreal-tournament

Thanks a lot
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2007-10-07 09:38:51 UTC
This is CVE-2007-5250.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2007-10-07 09:46:36 UTC
.. and CVE-2007-5249.
Comment 6 Chris Gianelloni (RETIRED) gentoo-dev 2007-10-07 18:27:53 UTC
The only reason that unreal-tournament has stuck around is the client isn't vulnerable.  If unreal-tournament has a split server/client, then the client wouldn't even be masked.  This isn't the case here, so the same rules do not apply.
Comment 7 Pacho Ramos gentoo-dev 2007-10-07 19:01:22 UTC
OK, I didn't know that, I have already copy the ebuild to my local overlay :-)

Thanks for the information
Comment 8 Joshua Pettett 2007-10-08 21:19:49 UTC
The AA client is vulnerable to a DoS attack?  In what way?  What if it's connected to a trusted server?
Comment 9 Gordon Malm (RETIRED) gentoo-dev 2007-10-16 06:16:35 UTC
Sad to see this package removed over a DoS that doesn't even involve privilege escalation.
Comment 10 Joshua Pettett 2007-10-16 15:18:23 UTC
(In reply to comment #6)
> The only reason that unreal-tournament has stuck around is the client isn't
> vulnerable.  

As far as I can tell from reading both CVE summaries, it's the same situation here.  Why should different action be taken?
Comment 11 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-10-22 20:06:04 UTC
Should we issue a temporary maskglsa here? Is Punkbuster enabled by default? (B3 or C3)
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-10-22 20:22:39 UTC
I tend to vote NO either way.
Comment 13 Chris Gianelloni (RETIRED) gentoo-dev 2007-11-04 18:44:42 UTC
Punkbuster is enabled by default.
Comment 14 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-03-07 10:12:11 UTC
I vote NO maskglsa, setting status to enhancement and waiting for an update...
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2008-07-14 18:57:25 UTC
Has been removed on 05 Jun 2008.