Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 198807 - games-board/pioneers < 0.11.3 Denial of Service (CVE-2007-{5933,6010})
Summary: games-board/pioneers < 0.11.3 Denial of Service (CVE-2007-{5933,6010})
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa errata]
Depends on:
Reported: 2007-11-11 14:07 UTC by Pierre-Yves Rofes (RETIRED)
Modified: 2007-11-29 21:59 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-11 14:07:19 UTC
Bas Wijnen has reported a vulnerability in Pioneers, which can be
exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to a session object being deleted
while still in use. This can be exploited to crash the Pioneers
server by sending specially crafted data.

The vulnerability is reported in versions prior to 0.11.3.

Update to version 0.11.3.
Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-11 14:08:41 UTC
games, version 0.11.3 is in the tree but ~arch, is it ready for stabilization? please advise.
Comment 2 Mr. Bones. (RETIRED) gentoo-dev 2007-11-11 14:43:21 UTC
stablized and removed all but 0.11.3
Comment 3 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-11 14:59:08 UTC
ok, so we can directly proceed to glsa vote.
I tend to vote YES.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2007-11-11 15:00:26 UTC
(In reply to comment #2)
> stablized and removed all but 0.11.3

Should we call in x86, because 0.11.3 is only ~x86 right now?
Comment 5 Mr. Bones. (RETIRED) gentoo-dev 2007-11-11 15:13:06 UTC
missed it.  fixed it now.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2007-11-11 15:19:22 UTC

Voting YES since it seems unauthenticated users can crash the server.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2007-11-11 15:28:58 UTC
request filed.
Comment 8 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-14 22:12:13 UTC
GLSA 200711-20
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2007-11-18 12:14:01 UTC
It seems we only fixed one of the two DoS vulnerabilities discovered.


As I wrote before, there was a DoS vulnerability in Pioneers.  While
testing if it also occurred in stable, I found a second problem, which
is now also fixed.  The fix is uploaded to unstable, and should enter
testing in 2 days.  The attached patch fixes both problems in stable.
To use it:

cd /tmp
dget -x
cd pioneers-0.10.2
patch -p2 < /path/to/patch
dch -i

The problem is documented on
This patch is a combination of the following two patches:
Comment 10 Mr. Bones. (RETIRED) gentoo-dev 2007-11-20 03:09:49 UTC
I added the rest of the patch that wasn't in 0.11.3 and rev bumped it to force it out.
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2007-11-24 13:00:01 UTC
Thanks, we should publish an errata GLSA.
Comment 12 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-29 21:59:44 UTC
xml updated and errata mail for GLSA-200711-20 sent, closing.