Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/metadata/glsa/glsa-200603-10.xml
diff options
context:
space:
mode:
Diffstat (limited to 'metadata/glsa/glsa-200603-10.xml')
-rw-r--r--metadata/glsa/glsa-200603-10.xml70
1 files changed, 70 insertions, 0 deletions
diff --git a/metadata/glsa/glsa-200603-10.xml b/metadata/glsa/glsa-200603-10.xml
new file mode 100644
index 000000000000..3c71d00a0c26
--- /dev/null
+++ b/metadata/glsa/glsa-200603-10.xml
@@ -0,0 +1,70 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="200603-10">
+ <title>Cube: Multiple vulnerabilities</title>
+ <synopsis>
+ Cube is vulnerable to a buffer overflow, invalid memory access and remote
+ client crashes, possibly leading to a Denial of Service or remote code
+ execution.
+ </synopsis>
+ <product type="ebuild">cube</product>
+ <announced>2006-03-13</announced>
+ <revised>2006-03-13: 01</revised>
+ <bug>125289</bug>
+ <access>remote</access>
+ <affected>
+ <package name="games-fps/cube" auto="yes" arch="*">
+ <vulnerable range="le">20050829</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>
+ Cube is an open source first person shooter game engine supporting
+ multiplayer via LAN or internet.
+ </p>
+ </background>
+ <description>
+ <p>
+ Luigi Auriemma reported that Cube is vulnerable to a buffer
+ overflow in the sgetstr() function (CVE-2006-1100) and that the
+ sgetstr() and getint() functions fail to verify the length of the
+ supplied argument, possibly leading to the access of invalid memory
+ regions (CVE-2006-1101). Furthermore, he discovered that a client
+ crashes when asked to load specially crafted mapnames (CVE-2006-1102).
+ </p>
+ </description>
+ <impact type="high">
+ <p>
+ A remote attacker could exploit the buffer overflow to execute
+ arbitrary code with the rights of the user running cube. An attacker
+ could also exploit the other vulnerabilities to crash a Cube client or
+ server, resulting in a Denial of Service.
+ </p>
+ </impact>
+ <workaround>
+ <p>
+ Play solo games or restrict your multiplayer games to trusted
+ parties.
+ </p>
+ </workaround>
+ <resolution>
+ <p>
+ Upstream stated that there will be no fixed version of Cube, thus
+ the Gentoo Security Team decided to hardmask Cube for security reasons.
+ All Cube users are encouraged to uninstall Cube:
+ </p>
+ <code>
+ # emerge --ask --unmerge games-fps/cube</code>
+ </resolution>
+ <references>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1100">CVE-2006-1100</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1101">CVE-2006-1101</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1102">CVE-2006-1102</uri>
+ </references>
+ <metadata tag="submitter" timestamp="2006-03-11T12:37:07Z">
+ DerCorny
+ </metadata>
+ <metadata tag="bugReady" timestamp="2006-03-11T16:16:08Z">
+ koon
+ </metadata>
+</glsa>