[gentoo-announce] [ GLSA 201705-13 ] Teeworlds: Remote execution of arbitrary code on client - gentoo-announce

From:	Thomas Deutschmann <whissi@g.o>
To:	gentoo-announce@l.g.o
Subject:	[gentoo-announce] [ GLSA 201705-13 ] Teeworlds: Remote execution of arbitrary code on client
Date:	Fri, 26 May 2017 06:38:10
Message-Id:	`a2121e9d-d7f6-9f8f-3bc3-ac8219f72540@gentoo.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 201705-13

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                           https://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

 Severity: Normal

8

    Title: Teeworlds: Remote execution of arbitrary code on client

9

     Date: May 26, 2017

10

     Bugs: #600178

11

       ID: 201705-13

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

Teeworlds client vulnerability in snap handling could result in

19

execution of arbitrary code.

20

21

Background

22

==========

23

24

Teeworlds is an online multi-player platform 2D shooter.

25

26

Affected packages

27

=================

28

29

    -------------------------------------------------------------------

30

     Package              /     Vulnerable     /            Unaffected

31

    -------------------------------------------------------------------

32

  1  games-action/teeworlds       < 0.6.4                    >= 0.6.4

33

34

Description

35

===========

36

37

Teeworlds client contains a vulnerability allowing a malicious server

38

to execute arbitrary code, or write to arbitrary physical memory via

39

the CClient::ProcessServerPacket method.

40

41

Impact

42

======

43

44

A remote malicious server can write to arbitrary physical memory

45

locations and possibly execute arbitrary if a vulnerable client joins

46

the server.

47

48

Workaround

49

==========

50

51

There is no known workaround at this time.

52

53

Resolution

54

==========

55

56

All Teeworlds users should upgrade to the latest version:

57

58

  # emerge --sync

59

  # emerge --ask --oneshot --verbose ">=games-action/teeworlds-0.6.4:0"

60

61

References

62

==========

63

64

[ 1 ] CVE-2016-9400

65

      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9400

66

67

Availability

68

============

69

70

This GLSA and any updates to it are available for viewing at

71

the Gentoo Security Website:

72

73

 https://security.gentoo.org/glsa/201705-13

74

75

Concerns?

76

=========

77

78

Security is a primary focus of Gentoo Linux and ensuring the

79

confidentiality and security of our users' machines is of utmost

80

importance to us. Any security concerns should be addressed to

81

security@g.o or alternatively, you may file a bug at

82

https://bugs.gentoo.org.

83

84

License

85

=======

86

87

Copyright 2017 Gentoo Foundation, Inc; referenced text

88

belongs to its owner(s).

89

90

The contents of this document are licensed under the

91

Creative Commons - Attribution / Share Alike license.

92

93

http://creativecommons.org/licenses/by-sa/2.5

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 201705-13
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	https://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Normal
8	Title: Teeworlds: Remote execution of arbitrary code on client
9	Date: May 26, 2017
10	Bugs: #600178
11	ID: 201705-13
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	Teeworlds client vulnerability in snap handling could result in
19	execution of arbitrary code.
20
21	Background
22	==========
23
24	Teeworlds is an online multi-player platform 2D shooter.
25
26	Affected packages
27	=================
28
29	-------------------------------------------------------------------
30	Package / Vulnerable / Unaffected
31	-------------------------------------------------------------------
32	1 games-action/teeworlds < 0.6.4 >= 0.6.4
33
34	Description
35	===========
36
37	Teeworlds client contains a vulnerability allowing a malicious server
38	to execute arbitrary code, or write to arbitrary physical memory via
39	the CClient::ProcessServerPacket method.
40
41	Impact
42	======
43
44	A remote malicious server can write to arbitrary physical memory
45	locations and possibly execute arbitrary if a vulnerable client joins
46	the server.
47
48	Workaround
49	==========
50
51	There is no known workaround at this time.
52
53	Resolution
54	==========
55
56	All Teeworlds users should upgrade to the latest version:
57
58	# emerge --sync
59	# emerge --ask --oneshot --verbose ">=games-action/teeworlds-0.6.4:0"
60
61	References
62	==========
63
64	[ 1 ] CVE-2016-9400
65	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9400
66
67	Availability
68	============
69
70	This GLSA and any updates to it are available for viewing at
71	the Gentoo Security Website:
72
73	https://security.gentoo.org/glsa/201705-13
74
75	Concerns?
76	=========
77
78	Security is a primary focus of Gentoo Linux and ensuring the
79	confidentiality and security of our users' machines is of utmost
80	importance to us. Any security concerns should be addressed to
81	security@g.o or alternatively, you may file a bug at
82	https://bugs.gentoo.org.
83
84	License
85	=======
86
87	Copyright 2017 Gentoo Foundation, Inc; referenced text
88	belongs to its owner(s).
89
90	The contents of this document are licensed under the
91	Creative Commons - Attribution / Share Alike license.
92
93	http://creativecommons.org/licenses/by-sa/2.5