Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 600178 (CVE-2016-9400) - <games-action/teeworlds-0.6.4: Remote code execution on teeworlds client
Summary: <games-action/teeworlds-0.6.4: Remote code execution on teeworlds client
Alias: CVE-2016-9400
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B1 [glsa cve]
Depends on:
Reported: 2016-11-18 15:09 UTC by Thomas Deutschmann
Modified: 2017-05-26 06:27 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---
stable-bot: sanity-check+

Version bump (0001-games-action-teeworlds-Version-bump.patch,8.10 KB, patch)
2017-04-09 17:55 UTC, Emir Marincic
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-18 15:09:53 UTC
teeworlds upstream has released version 0.6.4. says

> the security vulnerability is worse, attacker controlled memory-writes and
> possibly arbitrary code execution on the client, abusable by any server the
> client joins

The upstream fix:
Comment 1 Emir Marincic 2017-04-09 17:55:36 UTC
Created attachment 469550 [details, diff]
Version bump

Fixes the old ebuilds as well but i'd remove them completely given this is a RCE. We've yet to see it in use by anyone though so that's nice.

I could also pull-request this if that's desirable.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-04-09 18:02:32 UTC
Thank you for your contribution.

Yes, please create a pull request if possible.

Once a fixed version/ebuild is in repository and stable we will clean up previous versions.

From your patch:
> +PM=$(echo ${PV} | cut -c 1-3)

Please try to match Gentoo style. I.e. if you need to change PV use MY_PV and try to use versionator eclass ( instead of cut.
Comment 3 Emir Marincic 2017-04-09 20:14:37 UTC
Made the requested changes and a pull request.
Comment 4 James Le Cuirot gentoo-dev 2017-05-04 21:29:28 UTC
0.6.4 is now in the tree. amd64 and x86 teams, please stabilise. I've tried it out myself on amd64 and it works fine. If you want to try it, it's a relatively small download for a game.
Comment 5 Agostino Sarubbo gentoo-dev 2017-05-05 14:11:09 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-05-06 17:20:52 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 7 James Le Cuirot gentoo-dev 2017-05-06 19:54:49 UTC
Old removed. Security team, please continue.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2017-05-26 06:27:21 UTC
This issue was resolved and addressed in
 GLSA 201705-13 at
by GLSA coordinator Thomas Deutschmann (whissi).