Bug#665945: openarena-server: [squeeze regression] server ceases to respond to getstatus after ~50 days

Simon McVittie smcv at debian.org
Tue Mar 27 10:04:45 UTC 2012


Package: openarena-server
Version: 0.8.5-5+squeeze2
Severity: normal
Tags: patch pending

When backporting upstream r1762 for CVE-2010-5077, I didn't also backport
r1898, which fixes a regression caused by r1762. I believe the regression
is that when the Q3 server clock (a 32-bit number of milliseconds) wraps
around, the rate-limiting code drops all getstatus requests. In effect,
this will mean that the server becomes unable to report its status after an
uptime of about 50 days.

(Obviously, I can't have tested this yet, because 50 days haven't elapsed...
but the patch looks right, has been upstream for a year, and is in unstable.)

I also propose to apply r1763, which initializes some variables that could
otherwise be used uninitialized (an uninitialized pointer dereference) if
the address family is neither IPv4 nor IPv6. I don't think this can actually
happen, but the change is obviously correct and it seems better to be safe.

Before fixing either of these, I'll ask ioquake3 upstream whether there
are any other known regressions caused by that change.

The proposed changes are in the debian-squeeze branch in git. Currently
untested, I'll test before upload.

http://anonscm.debian.org/gitweb/?p=pkg-games/openarena.git;a=shortlog;h=refs/heads/debian-squeeze

Would the security team want to do this via the security archive, since
it fixes a regression from a security fix, or should I talk to the stable
release team?

Regards,
    S
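
The wraparound failure described in the message above, as an added illustration: this is not part of the original message and is not the ioquake3 code or either upstream revision. It is a constructed token-bucket limiter that orders absolute timestamps and so stops refilling once a 32-bit millisecond clock wraps, beside a variant that uses modular subtraction. All names and constants (`bucket_t`, `PERIOD_MS`, `BURST`, `WRAP_START`, the request schedule) are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PERIOD_MS 1000u /* assumed: one token is returned per second */
#define BURST 10        /* assumed: bucket capacity */
#define WRAP_START (UINT32_MAX - 19999u) /* 20 s before a 32-bit ms clock wraps */

typedef struct { uint32_t last_ms; int used; } bucket_t;

/* Return `expired` tokens to the bucket, then try to take one. true = drop. */
static bool take_token(bucket_t *b, uint32_t expired) {
    if (expired > 0) {
        b->used = (expired >= (uint32_t)b->used) ? 0 : b->used - (int)expired;
        b->last_ms += expired * PERIOD_MS;
    }
    if (b->used < BURST) { b->used++; return false; }
    return true;
}

/* Fragile: orders absolute timestamps. After the wrap, now < last_ms,
 * so no token is ever returned and the bucket stays full. */
static bool limit_naive(bucket_t *b, uint32_t now) {
    uint32_t expired = (now > b->last_ms) ? (now - b->last_ms) / PERIOD_MS : 0;
    return take_token(b, expired);
}

/* Wrap-safe: unsigned subtraction is modulo 2^32, so the elapsed time
 * is still correct when `now` has wrapped past `last_ms`. */
static bool limit_wrapsafe(bucket_t *b, uint32_t now) {
    return take_token(b, (uint32_t)(now - b->last_ms) / PERIOD_MS);
}

typedef bool (*limiter_fn)(bucket_t *, uint32_t);

/* Send n requests, one every `step` ms starting at `start`; count drops. */
static int count_drops(limiter_fn limit, uint32_t start, uint32_t step, int n) {
    bucket_t b = { start, 0 };
    uint32_t now = start;
    int drops = 0;
    for (int i = 0; i < n; i++, now += step)
        if (limit(&b, now)) drops++;
    return drops;
}

int main(void) {
    /* One request every 2 s is well under the limit, so any drop is a bug. */
    printf("naive:     %d dropped\n", count_drops(limit_naive, WRAP_START, 2000u, 100));
    printf("wrap-safe: %d dropped\n", count_drops(limit_wrapsafe, WRAP_START, 2000u, 100));
    return 0;
}
```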

More information about the Pkg-games-devel mailing list