[Pkg-games-ubuntu] [Bug 970819]
Tyler Hicks
tyhicks at canonical.com
Mon Apr 2 08:38:16 UTC 2012
Thanks for taking the time to report this bug and helping to make Ubuntu
better. Since the package referred to in this bug is in universe or
multiverse, it is community maintained. If you are able, I suggest
posting a debdiff for this issue. When a debdiff is available, members
of the security team will review it and publish the package. See the
following link for more information:
https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures
--
You received this bug notification because you are a member of
Debian/Ubuntu Games Team, which is subscribed to tremulous in Ubuntu.
https://bugs.launchpad.net/bugs/970819
Title:
  multiple security vulnerabilities

Status in “tremulous” package in Ubuntu:
  New

Bug description:
  Please consider syncing tremulous/1.1.0-8 from Debian unstable into
  all supported Ubuntu versions. It fixes:

  - CVE-2006-2082: arbitrary file download from server by a malicious client
    (Closes: #660831)
  - CVE-2006-2236 ("the remapShader exploit"): missing bounds-checking on
    COM_StripExtension, exploitable in clients of a malicious server
    (Closes: #660827)
  - CVE-2006-2875 ("q3cbof"): buffer overflow in CL_ParseDownload by a
    malicious server (Closes: #660830)
  - CVE-2006-3324: arbitrary file overwriting in clients of a malicious
    server (Closes: #660832)
  - CVE-2006-3325: arbitrary cvar overwriting (could lead to arbitrary
    code execution) in clients of a malicious server (Closes: #660834)
  - CVE-2011-3012, CVE-2011-2764: DLL overwriting (leading to arbitrary
    code execution) in clients of a malicious server if auto-downloading
    is enabled (Closes: #660836)
  - a potential buffer overflow in error handling (not known to be
    exploitable, but it can't hurt)
  - non-literal format strings (again, none are known to be
    exploitable)
  - CVE-2010-5077, use of Tremulous servers by third parties to perform
    reflected DoS attacks

  It also disables auto-downloading to mitigate any future security
  vulnerabilities.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tremulous/+bug/970819/+subscriptions