[Pkg-games-ubuntu] [Bug 970819] Re: multiple security vulnerabilities

Simon McVittie 970819 at bugs.launchpad.net
Fri May 18 12:41:28 UTC 2012


> Since the package referred to in this bug is in universe or
> multiverse, it is community maintained. If you are able, I suggest
> posting a debdiff for this issue.

I am not an Ubuntu user (I reported this bug after fixing these
vulnerabilities in Debian, to be helpful to our downstream
distribution), so I'm afraid I'm not going to take on Ubuntu package
maintenance.

I asked for a new maintainer for Tremulous in Debian, and nobody
volunteered, so I have now arranged for Tremulous to be removed from
Debian testing/unstable. As a result, it will not be in Debian 7.0,
unless someone re-uploads it within the next 2-4 weeks and takes
responsibility for it.

If nobody from the Ubuntu community intends to take responsibility for
securing the Tremulous packages, I would recommend removing these
packages from Ubuntu as well.

-- 
You received this bug notification because you are a member of
Debian/Ubuntu Games Team, which is subscribed to tremulous in Ubuntu.
https://bugs.launchpad.net/bugs/970819

Title:
  multiple security vulnerabilities

Status in “tremulous” package in Ubuntu:
  Confirmed

Bug description:
  Please consider syncing tremulous/1.1.0-8 from Debian unstable into
  all supported Ubuntu versions. It fixes:

  - CVE-2006-2082: arbitrary file download from server by a malicious client
    (Closes: #660831)

  - CVE-2006-2236 ("the remapShader exploit"): missing bounds-checking on
    COM_StripExtension, exploitable in clients of a malicious server
    (Closes: #660827)

  - CVE-2006-2875 ("q3cbof"): buffer overflow in CL_ParseDownload by a
    malicious server (Closes: #660830)

  - CVE-2006-3324: arbitrary file overwriting in clients of a malicious
    server (Closes: #660832)

  - CVE-2006-3325: arbitrary cvar overwriting (could lead to arbitrary
    code execution) in clients of a malicious server (Closes: #660834)

  - CVE-2011-3012, CVE-2011-2764: DLL overwriting (leading to arbitrary
    code execution) in clients of a malicious server if auto-downloading
    is enabled (Closes: #660836)

  - a potential buffer overflow in error handling (not known to be
    exploitable, but it can't hurt)

  - non-literal format strings (again, none are known to be exploitable)

  - CVE-2010-5077, use of Tremulous servers by third parties to perform
    reflected DoS attacks

  It also disables auto-downloading to mitigate any future security
  vulnerabilities.

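An added illustration of the bug class named in the bug description above for CVE-2006-2236 (missing bounds-checking on COM_StripExtension, reachable from a malicious server). This is not code from Tremulous, ioquake3 or the Debian package: it is a hypothetical unbounded strip-extension routine placed beside a bounded one, so the difference a server-controlled file name makes is visible. The function names, the MAX_QPATH value of 64, and the sample inputs are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed destination size for this illustration (id Tech 3 engines
 * size file-name buffers with a constant of this kind; 64 is assumed). */
#define MAX_QPATH 64

/* Unsafe pattern (illustrative, not Tremulous' own code): the caller's
 * buffer is assumed large enough, so a name longer than the destination
 * overruns it. It is only ever called with a short, constructed input
 * here; it exists to contrast with the bounded version below. */
static void strip_extension_unbounded(const char *in, char *out)
{
    size_t keep = strlen(in);
    const char *dot = strrchr(in, '.');
    const char *slash = strrchr(in, '/');
    if (dot && (!slash || dot > slash))
        keep = (size_t)(dot - in);
    memcpy(out, in, keep);
    out[keep] = '\0';
}

/* Hardened form: the destination size travels with the pointer. At most
 * destsize - 1 bytes plus a NUL are written, whatever the input length.
 * Returns 1 if the stripped name fit, 0 if it had to be truncated. */
static int strip_extension_bounded(const char *in, char *out, size_t destsize)
{
    size_t keep = strlen(in);
    const char *dot = strrchr(in, '.');
    const char *slash = strrchr(in, '/');
    int fit;

    if (destsize == 0)
        return 0;
    /* Only strip a '.' that belongs to the final path component, so
     * "dir.d/file" keeps its name intact. */
    if (dot && (!slash || dot > slash))
        keep = (size_t)(dot - in);
    fit = keep < destsize;
    if (!fit)
        keep = destsize - 1;
    memcpy(out, in, keep);
    out[keep] = '\0';
    return fit;
}

/* Well-formed constructed input: both versions agree. Returns 1 on success. */
static int demo_fits(void)
{
    char a[MAX_QPATH], b[MAX_QPATH];
    int fit;
    strip_extension_unbounded("textures/wall.tga", a);
    fit = strip_extension_bounded("textures/wall.tga", b, sizeof b);
    return fit == 1 && strcmp(a, "textures/wall") == 0 && strcmp(a, b) == 0;
}

/* Constructed hostile input: a name far longer than MAX_QPATH and without
 * an extension, the shape a malicious server could send. The unbounded
 * version would write past 'out' here; the bounded one reports truncation
 * and stays inside the buffer. Returns 1 on success. */
static int demo_truncates(void)
{
    char big[200];
    char out[MAX_QPATH];
    int fit;
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    fit = strip_extension_bounded(big, out, sizeof out);
    return fit == 0 && strlen(out) == MAX_QPATH - 1;
}

int main(void)
{
    printf("well-formed name handled: %s\n", demo_fits() ? "ok" : "FAIL");
    printf("oversized name truncated: %s\n", demo_truncates() ? "ok" : "FAIL");
    return 0;
}
```

The point of the bounded signature is that the check happens where the size is actually known (the caller's buffer), which is the property a server-supplied name cannot influence; whether a caller then treats truncation as an error or silently accepts the shortened name is a separate decision, and for names that later reach the file system an error is the safer choice.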