| Summary: | teeworlds new security issue CVE-2018-18541 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | herman.viaene, lewyssmith, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-32-OK | ||
| Source RPM: | teeworlds-0.6.4-3.mga7.src.rpm | CVE: | |
| Status comment: | Fixed upstream in 0.6.5 | ||
Description
David Walser
2018-11-08 17:39:30 CET
David Walser
2018-11-08 17:39:38 CET
Whiteboard: (none) => MGA6TOO

Fedora has issued an advisory for this on October 31:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QDDT3SVGR3NGVGFDQGXISYRJZLF7FYOS/

The issue is fixed upstream in 0.6.5.

Status comment: (none) => Fixed upstream in 0.6.5

Rémi Verschelde
2018-11-08 20:35:17 CET
Status: NEW => ASSIGNED

Fixed in Cauldron with teeworld-0.6.5-1.mga7.

Pushed the same version for Mageia 6:

Advisory:
=========

Updated teeworlds packages fix security vulnerability

It was discovered that incorrect connection setup in the server for Teeworlds, an online multi-player platform 2D shooter, could result in denial of service via forged connection packets (rendering all game server slots occupied) (CVE-2018-18541).

This update fixes it.

References:
- https://www.debian.org/security/2018/dsa-4329
- https://www.teeworlds.com/?page=news&id=12544
- https://github.com/teeworlds/teeworlds/commits/0.6.5-release

RPMs in core/updates_testing:
=============================
teeworlds-0.6.5-1.mga6
teeworlds-data-0.6.5-1.mga6
teeworlds-server-0.6.5-1.mga6

SRPM in core/updates_testing:
=============================
teeworlds-0.6.5-1.mga6

Assignee: rverschelde => qa-bugs

MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
Tried to play locally, so started server as normal user.
Remark: the command teeworld-srv is not available to root.
You have to let port 8303/udp thru the firewall.
$ teeworlds-srv
[5bec1483][engine]: running on unix-linux-ia32
[5bec1483][engine]: arch is little endian
[5bec1483][storage]: couldn't open storage.cfg
[5bec1483][storage]: using standard paths
and more .... but also
failed to create socket with domain 10 and type 2 (97 'Address family not supported by protocol')
but it goes on
server name is 'unnamed server'
[5bec1483][datafile]: loading data index=17 size=325 uncompressed=12000
[5bec1483][server]: version 0.6 e42d81cd67b8c7bc
[5bec1483][engine/mastersrv]: refreshing master server addresses
[5bec1483][register]: refreshing ip addresses
[5bec1483][engine/mastersrv]: saving addresses
[5bec1483][register]: fetching server counts
[5bec1486][register]: chose 'master4.teeworlds.com' as master, sending heartbeats
at that point I started the client - see below
[5bec14aa][server]: player is ready. ClientID=0 addr=192.168.2.6:63117
[5bec14ab][server]: 'nameless tee' -> 'nameless tee'
[5bec14ab][server]: player has entered the game. ClientID=0 addr=192.168.2.6:63117
[5bec14ab][chat]: *** 'nameless tee' entered and joined the game
[5bec14ab][game]: team_join player='0:nameless tee' team=0
Choosing the master does not give anything because my router does not let thru port 8303
Playing the client:
$ teeworlds
[5bec149c][engine]: running on unix-linux-ia32
[5bec149c][engine]: arch is little endian
[5bec149c][storage]: couldn't open storage.cfg
[5bec149c][storage]: using standard paths
[5bec149c][storage]: added path '$USERDIR' ('/home/tester6/.teeworlds')
[5bec149c][storage]: added path '$DATADIR' ('/usr/share/teeworlds/data')
[5bec149c][storage]: added path '$CURRENTDIR' ('/home/tester6')
[5bec149c][binds]: bound f1 (282) = toggle_local_console
[5bec149c][binds]: bound f2 (283) = toggle_remote_console
and more.... but again
failed to create socket with domain 10 and type 2 (97 'Address family not supported by protocol')
[5bec149d][net]: failed to create socket with domain 10 and type 2 (97 'Address family not supported by protocol')
The first config is choosing a username, and then you get a list of available servers on the internet. Click on the LAN tab and select your local server.
At last a playing screen opens where a little I-don't-know-what follows the mouse movements with its guns and fires when you click.
That's more than I am really interested in, so <Escape> and quit
Fair enough for me.
but at least the playing screen opens and you have a little I-don't-know-what that follow the mouse mov

CC: (none) => herman.viaene

Thanks Herman for doing battle!
Advisory from comment 2; validating.

Keywords: (none) => advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0450.html

Resolution: (none) => FIXED