Gentoo Archives: gentoo-announce

From: Pierre-Yves Rofes <py@g.o>
To: gentoo-announce@l.g.o
Cc: full-disclosure@××××××××××××××.uk, bugtraq@×××××××××××××.com, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200711-20 ] Pioneers: Denial of Service
Date: Wed, 14 Nov 2007 22:30:29
Message-Id: 473B7280.3070203@gentoo.org
1 -----BEGIN PGP SIGNED MESSAGE-----
2 Hash: SHA1
3
4 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
5 Gentoo Linux Security Advisory GLSA 200711-20
6 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
7 http://security.gentoo.org/
8 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
9
10 Severity: Normal
11 Title: Pioneers: Denial of Service
12 Date: November 14, 2007
13 Bugs: #198807
14 ID: 200711-20
15
16 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
17
18 Synopsis
19 ========
20
21 A vulnerability has been discovered in Pioneers, possibly resulting in
22 a Denial of Service.
23
24 Background
25 ==========
26
27 Pioneers (formerly gnocatan) is a clone of the popular board game "The
28 Settlers of Catan".
29
30 Affected packages
31 =================
32
33 -------------------------------------------------------------------
34 Package / Vulnerable / Unaffected
35 -------------------------------------------------------------------
36 1 games-board/pioneers < 0.11.3 >= 0.11.3
37
38 Description
39 ===========
40
41 Bas Wijnen discovered that the Pioneers server may free sessions
42 objects while they are still in use, resulting in access to invalid
43 memory zones.
44
45 Impact
46 ======
47
48 A remote attacker could send specially crafted data to the vulnerable
49 server, resulting in a Denial of Service.
50
51 Workaround
52 ==========
53
54 There is no known workaround at this time.
55
56 Resolution
57 ==========
58
59 All Pioneers users should upgrade to the latest version:
60
61 # emerge --sync
62 # emerge --ask --oneshot --verbose ">=games-board/pioneers-0.11.3"
63
64 References
65 ==========
66
67 [ 1 ] CVE-2007-5933
68 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5933
69
70 Availability
71 ============
72
73 This GLSA and any updates to it are available for viewing at
74 the Gentoo Security Website:
75
76 http://security.gentoo.org/glsa/glsa-200711-20.xml
77
78 Concerns?
79 =========
80
81 Security is a primary focus of Gentoo Linux and ensuring the
82 confidentiality and security of our users machines is of utmost
83 importance to us. Any security concerns should be addressed to
84 security@g.o or alternatively, you may file a bug at
85 http://bugs.gentoo.org.
86
87 License
88 =======
89
90 Copyright 2007 Gentoo Foundation, Inc; referenced text
91 belongs to its owner(s).
92
93 The contents of this document are licensed under the
94 Creative Commons - Attribution / Share Alike license.
95
96 http://creativecommons.org/licenses/by-sa/2.5
97 -----BEGIN PGP SIGNATURE-----
98 Version: GnuPG v1.4.7 (GNU/Linux)
99 Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
100
101 iD8DBQFHO3KAuhJ+ozIKI5gRAuqNAJ4qsKRL2X+QAwHrfYVd2a+XG8iuzQCgnWNu
102 usSD3uazJ2TJkCor/qlCu3k=
103 =7Cf4
104 -----END PGP SIGNATURE-----
105 --
106 gentoo-announce@g.o mailing list