[Pkg-games-ubuntu] [Bug 970819]

Tyler Hicks tyhicks at canonical.com
Mon Apr 2 08:38:16 UTC 2012 

Thanks for taking the time to report this bug and helping to make Ubuntu
better. Since the package referred to in this bug is in universe or
multiverse, it is community maintained. If you are able, I suggest
posting a debdiff for this issue. When a debdiff is available, members
of the security team will review it and publish the package. See the
following link for more information:
https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

-- 
You received this bug notification because you are a member of
Debian/Ubuntu Games Team, which is subscribed to tremulous in Ubuntu.
https://bugs.launchpad.net/bugs/970819

Title:
  multiple security vulnerabilities

Status in “tremulous” package in Ubuntu:
  New

Bug description:
  Please consider syncing tremulous/1.1.0-8 from Debian unstable into
  all supported Ubuntu versions. It fixes:

       - CVE-2006-2082: arbitrary file download from server by a malicious client
         (Closes: #660831)

       - CVE-2006-2236 ("the remapShader exploit"): missing bounds-checking on
         COM_StripExtension, exploitable in clients of a malicious server
         (Closes: #660827)

       - CVE-2006-2875 ("q3cbof"): buffer overflow in CL_ParseDownload by a
         malicious server (Closes: #660830)

       - CVE-2006-3324: arbitrary file overwriting in clients of a malicious
         server (Closes: #660832)

       - CVE-2006-3325: arbitrary cvar overwriting (could lead to arbitrary
         code execution) in clients of a malicious server (Closes: #660834)

       - CVE-2011-3012, CVE-2011-2764: DLL overwriting (leading to arbitrary
         code execution) in clients of a malicious server if auto-downloading
         is enabled (Closes: #660836)

       - a potential buffer overflow in error
         handling (not known to be exploitable, but it can't hurt)

       - non-literal format strings (again, none are known to be
  exploitable)

       - CVE-2010-5077, use of Tremulous servers by third parties to perform
         reflected DoS attacks

  It also disables auto-downloading to mitigate any future security
  vulnerabilities.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tremulous/+bug/970819/+subscriptions

More information about the Pkg-games-ubuntu mailing list