Debian Bug report logs - #442075
CVE-2007-4754 format string vulnerability, CVE-2007-4755 DoS
Reported by: Nico Golde <nion@debian.org>
Date: Wed, 12 Sep 2007 23:27:01 UTC
Severity: serious
Tags: security
Found in version alien-arena/6.05-1
Fixed in version alien-arena/6.05-4.1
Done: Nico Golde <nion@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>: Bug#442075; Package alien-arena.
Acknowledgement sent to Nico Golde <nion@debian.org>: New Bug report received and forwarded. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: alien-arena
Version: 6.05-1
Severity: serious
Tags: security
Hi,

two CVEs had been issued against alien-arena:

CVE-2007-4754[0]:
Format string vulnerability in the safe_bprintf function in
acesrc/acebot_cmds.c in Alien Arena 2007 6.10 and earlier
allows remote attackers to cause a denial of service (daemon
crash) via format string specifiers in a nickname.

CVE-2007-4755[1]:
Alien Arena 2007 6.10 and earlier allows remote attackers to
cause a denial of service (client disconnect) by sending a
client_connect command in a forged packet from the server to
a client. NOTE: client IP addresses are available via
product-specific queries.

If you fix this issue please include the CVE id in your
changelog.

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4754
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4755

Kind regards
Nico
--
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
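
The bug class named in CVE-2007-4754 above, as an added example that is not part of this bug log and is neither Alien Arena's code nor the attached patch. `msg_printf`, `announce_flawed`, `announce_fixed` and `nick_preserved` are hypothetical names, and the nickname is a constructed sample.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style helper (not Alien Arena's safe_bprintf).
 * The format attribute lets GCC/Clang type-check every call site. */
__attribute__((format(printf, 3, 4)))
static int msg_printf(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Flawed pattern: the client-chosen nickname is used as the format string.
 * The compiler warning is silenced only so this "before" case builds. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
static int announce_flawed(char *out, size_t outsz, const char *nick)
{
    return msg_printf(out, outsz, nick);
}
#pragma GCC diagnostic pop

/* Corrected pattern: constant format, nickname passed as data. */
static int announce_fixed(char *out, size_t outsz, const char *nick)
{
    return msg_printf(out, outsz, "%s", nick);
}

/* Returns 1 if the helper reproduced the nickname byte for byte. */
static int nick_preserved(int (*announce)(char *, size_t, const char *),
                          const char *nick)
{
    char out[64];
    announce(out, sizeof out, nick);
    return strcmp(out, nick) == 0;
}

int main(void)
{
    /* Constructed nickname. "%%" consumes no argument, so the flawed path
     * stays well-defined while still showing that the name is parsed. */
    const char *nick = "100%%_player";
    printf("flawed preserved: %d\n", nick_preserved(announce_flawed, nick));
    printf("fixed  preserved: %d\n", nick_preserved(announce_fixed, nick));
    return 0;
}
```

With the pragma lines removed, building with `-Wformat -Wformat-security` reports the call in `announce_flawed` as a format that is not a string literal with no format arguments.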
Message #10 received at 442075@bugs.debian.org:
Hi,

I intend to NMU this bug.
The attached patch should fix both issues.
It will also be archived on:
http://people.debian.org/~nion/nmu-diff/alien-arena_6.05-4_6.05-4.1.patch

Kind regards
Nico
--
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[alien-arena_6.05-4_6.05-4.1.patch (text/x-diff, attachment)]
Message #15 received at 442075@bugs.debian.org:
Hi,

attached is an updated version of the patch which fixes similar
format string bugs in the same file.

Kind regards
Nico
--
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[alien-arena_6.05-4_6.05-4.1.patch (text/x-diff, attachment)]
Message #20 received at 442075@bugs.debian.org:
Hi,
the patch attached is the final version which I will upload
now.
Kind regards
Nico
--
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[alien-arena_6.05-4_6.05-4.1.patch (text/x-diff, attachment)]
Reply sent to Nico Golde <nion@debian.org>: You have taken responsibility.
Notification sent to Nico Golde <nion@debian.org>: Bug acknowledged by developer.
Message #25 received at 442075-close@bugs.debian.org:
Source: alien-arena
Source-Version: 6.05-4.1
We believe that the bug you reported is fixed in the latest version of
alien-arena, which is due to be installed in the Debian FTP archive:
alien-arena-dbg_6.05-4.1_i386.deb
to pool/contrib/a/alien-arena/alien-arena-dbg_6.05-4.1_i386.deb
alien-arena-server-dbg_6.05-4.1_i386.deb
to pool/contrib/a/alien-arena/alien-arena-server-dbg_6.05-4.1_i386.deb
alien-arena-server_6.05-4.1_i386.deb
to pool/contrib/a/alien-arena/alien-arena-server_6.05-4.1_i386.deb
alien-arena_6.05-4.1.diff.gz
to pool/contrib/a/alien-arena/alien-arena_6.05-4.1.diff.gz
alien-arena_6.05-4.1.dsc
to pool/contrib/a/alien-arena/alien-arena_6.05-4.1.dsc
alien-arena_6.05-4.1_i386.deb
to pool/contrib/a/alien-arena/alien-arena_6.05-4.1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 442075@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated alien-arena package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Sat, 15 Sep 2007 02:39:15 +0200
Source: alien-arena
Binary: alien-arena-dbg alien-arena alien-arena-server alien-arena-server-dbg
Architecture: source i386
Version: 6.05-4.1
Distribution: unstable
Urgency: high
Maintainer: Debian Games Team <pkg-games-devel@lists.alioth.debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description:
alien-arena - Standalone 3D first person online deathmatch shooter
alien-arena-dbg - debugging symbols for alien-arena
alien-arena-server - Dedicated server for Alien Arena
alien-arena-server-dbg - debugging symbols for alien-arena-server
Closes: 442075
Changes:
 alien-arena (6.05-4.1) unstable; urgency=high
 .
   * Non-maintainer upload by testing security team.
   * Included fix-CVE-2007-4754-CVE-2007-4755.dpatch to
     fix format string vulnerability and possible denial of service
     via client_connect (CVE-2007-4754, CVE-2007-4755) (Closes: #442075).
Files:
4a6e95358e68d121a903a7c14632c31f 995 contrib/games extra alien-arena_6.05-4.1.dsc
6db62bc746a86a1b030b48280ce280ef 14475 contrib/games extra alien-arena_6.05-4.1.diff.gz
b4514bb8f4af80b2ce7572badf589d1c 640110 contrib/games extra alien-arena_6.05-4.1_i386.deb
ba506215122cbdda0fca6677a10a84c2 162586 contrib/games extra alien-arena-server_6.05-4.1_i386.deb
a5c8c352c63d5dd41d6a1b967abb61b3 1034026 contrib/games extra alien-arena-dbg_6.05-4.1_i386.deb
b8be2265b5ecba06177ec522a3ffe021 155384 contrib/games extra alien-arena-server-dbg_6.05-4.1_i386.deb
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org (Sun, 28 Oct 2007 07:34:03 GMT).
Last modified: Wed Jun 19 14:04:20 2019