Bug 20470

Summary: ioquake3 new security vulnerability (CVE-2017-6903)
Product: Mageia Reporter: Rémi Verschelde <rverschelde>
Component: SecurityAssignee: Rémi Verschelde <rverschelde>
Status: RESOLVED OLD QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: luigiwalser, mageia
Version: 5   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: ioquake3 CVE:
Status comment:
Bug Depends on: 21580    
Bug Blocks:    

Description Rémi Verschelde 2017-03-14 07:48:03 CET 
ioquake3 upstream announced having fixed a big security vulnerability: https://ioquake3.org/2017/03/13/important-security-update-please-update-ioquake3-immediately/

They advise to update to their latest test build... I asked upstream if they should not consider making a release instead if they've come down to disencourage using their stable release... http://discourse.ioquake.org/t/important-security-update-please-update-ioquake3-immediately/832/3?u=akien

Otherwise the fix is quite simple so should be cherry-pickable if we don't want to update to their git master as they seem to advise: https://github.com/ioquake/ioq3/commit/376267d534476a875d8b9228149c4ee18b74a4fd
Rémi Verschelde 2017-03-14 07:50:30 CET

Whiteboard: (none) => MGA5TOO

David Walser 2017-03-18 20:45:34 CET

Component: RPM Packages => Security

Comment 1 David Walser 2017-03-19 16:05:41 CET 
Debian has issued an advisory for this on March 18:
https://www.debian.org/security/2017/dsa-3812

Summary: ioquake3 new security vulnerability => ioquake3 new security vulnerability (CVE-2017-6903)
QA Contact: (none) => security

Comment 2 David Walser 2017-05-14 01:01:19 CEST 
It looks like Rémi fixed this in Cauldron in 1.36-12.20170428.1.mga6.

Mageia 5 still has yet to be addressed.

Version: Cauldron => 5
CC: (none) => luigiwalser
Whiteboard: MGA5TOO => (none)

Comment 3 Rémi Verschelde 2017-05-14 21:02:55 CEST 
Indeed, I forgot about Mageia 5. I'll push the same update there.
Comment 4 David Walser 2017-07-09 02:10:13 CEST 
Ping Rémi.
Comment 5 Rémi Verschelde 2017-07-09 07:50:27 CEST 
Sorry for the delay, when I looked into it it was more complex than I thought. 

Just rebasing the Mageia 5 on Cauldron means breaking compatibility to some extent, and the code being patched is quite different is the super old ioquake3 version of Mageia 5.
Comment 6 Nicolas Lécureuil 2017-08-14 16:23:41 CEST 
can't we update ioquake3 and extents ?

CC: (none) => mageia

David Walser 2017-08-20 20:06:40 CEST

Depends on: (none) => 21580

Comment 7 David Walser 2017-12-27 04:53:16 CET 
Guessing that we don't intend to update this at this point.  Closing.

Resolution: (none) => OLD
Status: NEW => RESOLVED