Luigi Auriemma has reported some vulnerabilities in America's Army, which can be exploited by malicious people to cause a DoS (Denial of Service).
Successful exploitation requires that the "PunkBuster" feature is enabled on the affected server.
The vulnerabilities are reported in version 2.8.2 and prior. Other versions may also be affected.
Host games on a trusted network only.
(Not my day, sorry for the bugspam)
Even though we only have a much older version of America's Army in the tree, it uses Punkbuster, which auto-updates itself into the user's home. We'll need to mask this for removal, since there's not a newer Linux version available and no plans on making one. I've masked it, so we likely just need a masking GLSA.
I think that dropping it from portage tree is not needed, it can be left hardmasked and a warn can be added to the ebuild like is currently done with doomsday or unreal-tournament
Thanks a lot
This is CVE-2007-5250.
.. and CVE-2007-5249.
The only reason that unreal-tournament has stuck around is the client isn't vulnerable. If unreal-tournament has a split server/client, then the client wouldn't even be masked. This isn't the case here, so the same rules do not apply.
OK, I didn't know that, I have already copy the ebuild to my local overlay :-)
Thanks for the information
The AA client is vulnerable to a DoS attack? In what way? What if it's connected to a trusted server?
Sad to see this package removed over a DoS that doesn't even involve privilege escalation.
(In reply to comment #6)
> The only reason that unreal-tournament has stuck around is the client isn't
As far as I can tell from reading both CVE summaries, it's the same situation here. Why should different action be taken?
Should we issue a temporary maskglsa here? Is Punkbuster enabled by default? (B3 or C3)
I tend to vote NO either way.
Punkbuster is enabled by default.
I vote NO maskglsa, setting status to enhancement and waiting for an update...
Has been removed on 05 Jun 2008.