Bug 652380 (CVE-2017-6903) - <games-fps/urbanterror-4.3.3_p20180218: Multiple vulnerabilities
Summary: <games-fps/urbanterror-4.3.3_p20180218: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-6903
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B3 [noglsa cve]
Reported: 2018-04-03 22:29 UTC by Wojciech Myrda
Modified: 2018-04-15 16:50 UTC

Description Wojciech Myrda 2018-04-03 22:29:35 UTC
http://www.urbanterror.info/news/ lists several security issues fixed in this release

Security fixes
• Fixed CVE-2017-6903 #73
• Fixed a potential buffer overflow exploit with the funstuff cvars
• Fixed a potential exploit with the cl_guid variable
• Fixed a potential exploit: do not allow loading .menu files from the /download/ subfolder and enforce menu files to have the .menu extension
• Fixed a potential exploit where the result of the /stats command called by a spectator while following a player would be sent to the followed player instead of the spectator
• Fixed a potential exploit with ROM and INIT cvar types being forced to USERINFO

A number of additional bugs have also been fixed in this version.

I do not have this game installed, so I am unable to say whether the version present in portage, 4.3.2_p20180216, has those fixes or not.
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2018-04-03 23:19:47 UTC
Upstream has fixes in the 4.3.3 source.
Comment 2 Nils Freydank 2018-04-15 14:55:00 UTC
Hi, first: Sorry it took me that long to answer. However:

When I took over the proxied maintenance of this package I switched to a
relatively new project[1] forking the original ioq3 engine[2] with backports
for urbanterror, because the official sources[3] had some compiling bugs with
special CFLAGS and open (or at least unclear) security bugs at that time.

(As a side note, some of the patches that went into the official urbanterror engine actually came from the guy who maintains this fork, mickael9).

To address the issues I'll refer to the new engine as "upstream"[1], to the ioq3[2] as "original", and to the FrozenSand/Urbanterror engine[3] as "official" in order:

1/CVE-2017-6903
   a) "Don't load .pk3s as .dlls, and don't load user config files from .pk3s."
       original 376267d534476a875d8b9228149c4ee18b74a4fd /
       upstream 376267d534476a875d8b9228149c4ee18b74a4fd
   b) "Merge some file writing extension checks from OpenJK."
       original b173ac05993f634a42be3d3535e1b158de0c3372 /
       upstream b173ac05993f634a42be3d3535e1b158de0c3372
   c) "Don't open .pk3 files as OpenAL drivers."
       original f61fe5f6a0419ef4a88d46a128052f2e8352e85d /
       upstream f61fe5f6a0419ef4a88d46a128052f2e8352e85d

2/funstuff:
   upstream 3225866b7dad402358b9e1713789032e065302ac

3/cl_guid:
   upstream 72889d01a77cd386f84ecff08ad3ac3104d2ae1a

4/.menu:
   upstream 41425855eba78b31dde895116c4db2e8ce77a2b8 / gentoo ebuild 4.3.2_p20180211

5/stats exploit:
   upstream 423332008195b2705300d52b714c0f3a059b0c33

6/ROM and INIT cvar types:
   official 011e352341b7ef12eb1b84ca8af9e99a358d4c35
   I think this one is already mitigated in our upstream with the
   following snippet from code/qcommon/cvar.c:

       // Don't change flags on read only vars
       if (v->flags & (CVAR_ROM | CVAR_INIT)) {
           return;
       }

Currently we are on 4.3.3_p20180218, i.e. upstream d93f05de38a6cae60fbf0f073aace64b3adc7aaf.
(Only the date of the patchlevel matters here as I keep the version prefix in sync with the game data from FrozenSand, so the engine code between 4.3.{2,3} actually doesn't differ.)

To me it looks as if we already have all issues addressed/fixed.



[1] upstream: https://github.com/mickael9/ioq3
[2] original: https://github.com/ioquake/ioq3/
[3] official: https://github.com/FrozenSand/ioq3-for-UrbanTerror-4
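
As an added illustration (not code from the Urban Terror engine, the mickael9 fork or this bug report), the .menu rule quoted in the description, no loading from the download subfolder and a mandatory .menu extension, can be expressed as a path check like the one below. The function name, the case-insensitive matching and the extra rejection of ".." components are assumptions of this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive comparison of n bytes (assumption: paths are matched
 * without regard to case, so "Download" and ".MENU" are treated alike). */
static int ieq(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Hypothetical helper: returns 1 if `path` may be loaded as a menu file. */
int menu_path_allowed(const char *path) {
    static const char ext[] = ".menu";
    static const char dir[] = "download";
    size_t len, elen = sizeof ext - 1, dlen = sizeof dir - 1;

    if (path == NULL)
        return 0;
    len = strlen(path);

    /* Rule 1: the name must end in ".menu" and have a non-empty base name. */
    if (len <= elen || !ieq(path + len - elen, ext, elen))
        return 0;
    char before = path[len - elen - 1];
    if (before == '/' || before == '\\')
        return 0;

    /* Rule 2: no directory component may be "download"; ".." is refused
     * as well so the check cannot be sidestepped by walking back up. */
    const char *p = path;
    while (*p) {
        size_t n = strcspn(p, "/\\");   /* length of this component */
        if (p[n] != '\0') {              /* a directory, not the file name */
            if (n == dlen && ieq(p, dir, dlen))
                return 0;
            if (n == 2 && p[0] == '.' && p[1] == '.')
                return 0;
        }
        p += n;
        if (*p)
            p++;                         /* skip the separator */
    }
    return 1;
}
```

Only directory components are compared against "download", so a file that is merely named download.menu in another folder is still accepted.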
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2018-04-15 16:50:36 UTC
GLSA Vote: No

Tree is clean.