teeworlds upstream has released version 0.6.4.
https://www.teeworlds.com/?page=news&id=12086 says
> the security vulnerability is worse, attacker controlled memory-writes and
> possibly arbitrary code execution on the client, abusable by any server the
> client joins

The upstream fix: https://github.com/teeworlds/teeworlds/commit/ff254722a2683867fcb3e67569ffd36226c4bc62
Created attachment 469550
Version bump
Fixes the old ebuilds as well, but I'd remove them completely given this is an RCE. We've yet to see it in use by anyone though, so that's nice. I could also pull-request this if that's desirable.
Thank you for your contribution. Yes, please create a pull request if possible. Once a fixed version/ebuild is in repository and stable we will clean up previous versions.
From your patch:
> +PM=$(echo ${PV} | cut -c 1-3)

Please try to match Gentoo style. I.e. if you need to change PV use MY_PV and try to use versionator eclass (https://devmanual.gentoo.org/eclass-reference/versionator.eclass/) instead of cut.
Made the requested changes and a pull request. https://github.com/gentoo/gentoo/pull/4400
0.6.4 is now in the tree. amd64 and x86 teams, please stabilise. I've tried it out myself on amd64 and it works fine. If you want to try it, it's a relatively small download for a game.
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
Old removed. Security team, please continue.
This issue was resolved and addressed in GLSA 201705-13 at https://security.gentoo.org/glsa/201705-13 by GLSA coordinator Thomas Deutschmann (whissi).