Server security vulnerability

Bug #1486946 reported by pcworld
Affects | Status | Importance | Assigned to | Milestone
teeworlds (Debian) | Fix Released | Unknown | |
teeworlds (Ubuntu) | Fix Released | Undecided | Unassigned |

Bug Description

Teeworlds 0.6.3 released a security fix for an exploitable server bug ("Memory reads, Segmentation Fault"): https://www.teeworlds.com/?page=news&id=11200
Debian has already backported the fix to 0.6.2: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770514
This fix (affecting teeworlds-server) is already included in vivid and wily, but should be backported to older but still supported Ubuntu releases.

Teeworlds 0.6.3 also fixed a bug in the client, which seems not to have been included in the current Debian release: "Fix client crash when opening a map with an invalid version"

pcworld (pcworld)
information type: Private Security → Public Security
Changed in teeworlds (Debian):
status: Unknown → Fix Released
Steve Beattie (sbeattie) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in teeworlds (Ubuntu):
status: New → Incomplete
pcworld (pcworld) wrote :

trusty and utopic are currently on 0.6.2+dfsg-1, whereas vivid and wily are on 0.6.2+dfsg-2. The only change from 0.6.2+dfsg-1 to 0.6.2+dfsg-2 is the security fix. So you just need to merge the respective debdiff into trusty and utopic.
For precise it is not that easy, since it is on 0.6.1+dfsg-1.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package teeworlds - 0.6.2+dfsg-2~build0.14.04.1

---------------
teeworlds (0.6.2+dfsg-2~build0.14.04.1) trusty-security; urgency=medium

  * fake sync from Debian (LP: #1486946)

teeworlds (0.6.2+dfsg-2) unstable; urgency=high

  * Fix a server crash that is remotely exploitable. (Closes: #770514)
    - Add fixed_a_server_crash.patch, cherry picked from 0.6.3.

 -- Steve Beattie <email address hidden> Thu, 20 Aug 2015 14:55:28 -0700

Changed in teeworlds (Ubuntu):
status: Incomplete → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
