Gentoo Archives: gentoo-announce

From: Sune Kloppenborg Jeppesen <jaervosz@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200606-20 ] Typespeed: Remote execution of arbitrary code
Date: Mon, 19 Jun 2006 06:20:59
Message-Id: 200606190755.01330.jaervosz@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200606-20
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Typespeed: Remote execution of arbitrary code
      Date: June 19, 2006
      Bugs: #135071
        ID: 200606-20

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A buffer overflow in the network code of Typespeed can lead to the
execution of arbitrary code.

Background
==========

Typespeed is a game to test and practice 10-finger-typing. Network code
allows two users to compete head-to-head.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                  Unaffected
    -------------------------------------------------------------------
  1  games-misc/typespeed      < 0.5.0                        >= 0.5.0

Description
===========

Niko Tyni discovered a buffer overflow in the addnewword() function of
Typespeed's network code.

Impact
======

By sending specially crafted network packets to a machine running
Typespeed in multiplayer mode, a remote attacker can execute arbitrary
code with the permissions of the user running the game.

Workaround
==========

Do not run Typespeed in multiplayer mode. There is no known workaround
at this time for multiplayer mode.

Resolution
==========

All Typespeed users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=games-misc/typespeed-0.5.0"

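To confirm the upgrade took effect, the following added example (not part of
the advisory or of Gentoo's tooling) classifies installed games-misc/typespeed
versions against the Affected packages table. It assumes the Portage
installed-package database lives at /var/db/pkg; the function names are
hypothetical.

```shell
#!/bin/sh
# Added example, not part of the advisory. Classifies installed
# games-misc/typespeed versions against the advisory's table
# (vulnerable: < 0.5.0, unaffected: >= 0.5.0).

FIXED="0.5.0"   # first unaffected version, taken from the advisory

# version_lt A B: true if dotted numeric version A is older than B.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# typespeed_status VERSION: prints vulnerable, unaffected or unknown.
# A Gentoo revision suffix (-rN) is ignored; any other suffix (_rc1, letters)
# is reported as unknown rather than guessed at.
typespeed_status() {
    v=$(printf '%s\n' "$1" | sed 's/-r[0-9][0-9]*$//')
    if ! printf '%s\n' "$v" | grep -Eq '^[0-9]+(\.[0-9]+)*$'; then
        echo unknown
    elif version_lt "$v" "$FIXED"; then
        echo vulnerable
    else
        echo unaffected
    fi
}

# scan_vdb [DIR]: read installed versions from the Portage package database
# (assumed default /var/db/pkg) and print one "version status" line per install.
scan_vdb() {
    for d in "${1:-/var/db/pkg}"/games-misc/typespeed-[0-9]*; do
        [ -d "$d" ] || continue
        ver=${d##*/typespeed-}
        echo "$ver $(typespeed_status "$ver")"
    done
}

scan_vdb "$@"
```

Pass an alternate database root as the first argument to check a mounted
image instead of the running system.
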
References
==========

  [ 1 ] CVE-2006-1515
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1515

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200606-20.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5