Bug 14672 - Security vulnerability in teeworlds-server before 0.6.3
Summary: Security vulnerability in teeworlds-server before 0.6.3
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/624082/
Whiteboard: has_procedure MGA4-64-OK MGA4-32-OK a...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-11-27 14:11 CET by Rémi Verschelde
Modified: 2014-12-02 19:37 CET

See Also:
Source RPM: teeworlds-0.6.1-5.mga3
CVE:
Status comment:


Description Rémi Verschelde 2014-11-27 14:11:25 CET
Upstream for teeworlds has announced a security fix for teeworlds-server [1]:

"As a result of a recently reported security vulnerability in the server, this release contains little updates. [...] Fix the above-mentioned security vulnerability (Memory reads, Segmentation Fault) in all 0.6.x servers."

[1] https://www.teeworlds.com/forum/viewtopic.php?id=11200

Comment 1 Rémi Verschelde 2014-11-27 14:20:40 CET
I packaged teeworlds 0.6.3 (the security fix release) for Mageia 4. Since this is a leaf package (game) and provides networking features, I chose to update to the latest release instead of trying to patch the 0.6.1 version of Mageia 4.

Note that the patch seems trivial [1] so if someone is against the version update, I can also revert my changes and patch version 0.6.1.

A CVE request has been filed [2].

Fedora has issued an update but seems not to like writing advisories [3].

Increasing the severity as per Debian's bug report [4].

[1] https://github.com/teeworlds/teeworlds/commit/a766cb44bcffcdb0b88e776d01c5ee1323d44f85
[2] http://seclists.org/oss-sec/2014/q4/790
[3] https://admin.fedoraproject.org/updates/FEDORA-2014-15670/teeworlds-0.6.3-1.fc21
[4] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770514

Assignee: bugsquad => qa-bugs
Severity: normal => major

Comment 2 Rémi Verschelde 2014-11-27 14:28:46 CET
Suggested advisory:
===================

A security flaw was found in the teeworlds server prior to 0.6.3
where an incorrect offset check could enable an attacker to read the
memory or trigger a segmentation fault.

The teeworlds package in Mageia 4 has been updated to version 0.6.3,
thus providing the fix for this security flaw and a number of additional
bug fixes and new features as listed in the referenced changelogs.

References:
-----------
 - https://www.teeworlds.com/forum/viewtopic.php?id=10330
 - https://www.teeworlds.com/forum/viewtopic.php?id=11200
 - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770514

SRPMs in core/updates_testing:
------------------------------
 - teeworlds-0.6.3-1.mga4

RPMs in core/updates_testing:
------------------------------
 - teeworlds-0.6.3-1.mga4
 - teeworlds-server-0.6.3-1.mga4
 - teeworlds-data-0.6.3-1.mga4.noarch
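
The advisory in Comment 2 attributes the flaw to an incorrect offset check that allows memory reads or a segmentation fault. The following C program is an added illustration of that bug class, not teeworlds code and not taken from the upstream patch: it puts a one-sided check next to a hardened chunk-serving routine. All names, the chunk size and the sample buffer are constructed for the example.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

#define CHUNK_SIZE 1024          /* constructed value, not taken from teeworlds */
#define DATA_SIZE  2500          /* constructed sample buffer size */

static unsigned char g_data[DATA_SIZE];   /* stands in for server-side data */

/* Flawed check: only the upper bound is tested, so a negative offset is
 * accepted. Returns 1 if the request would be served. Touches no memory. */
static int weak_check_accepts(int offset, int data_size)
{
    return !(offset > data_size);
}

/* Hardened: validate the client-supplied chunk index before any arithmetic,
 * then clamp the length of the final chunk. Returns bytes copied or -1. */
static int serve_chunk(const unsigned char *data, int data_size, int chunk,
                       unsigned char *out, int out_size)
{
    if (!data || !out || data_size < 0 || out_size < CHUNK_SIZE)
        return -1;
    if (chunk < 0 || chunk > data_size / CHUNK_SIZE)
        return -1;                          /* rejects negative and too-large */
    int offset = chunk * CHUNK_SIZE;        /* cannot overflow: <= data_size */
    int len = data_size - offset;
    if (len > CHUNK_SIZE)
        len = CHUNK_SIZE;
    memcpy(out, data + offset, (size_t)len);
    return len;
}

/* Helper for the demo: serve one chunk of the constructed buffer. */
static int demo_serve(int chunk)
{
    unsigned char out[CHUNK_SIZE];
    return serve_chunk(g_data, DATA_SIZE, chunk, out, (int)sizeof out);
}

int main(void)
{
    printf("weak check, offset %d: accepted=%d\n", -CHUNK_SIZE,
           weak_check_accepts(-CHUNK_SIZE, DATA_SIZE));
    int tests[] = { 0, 2, 3, -1, INT_MAX };
    for (size_t i = 0; i < sizeof tests / sizeof tests[0]; i++)
        printf("chunk %d -> %d\n", tests[i], demo_serve(tests[i]));
    return 0;
}
```
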
Comment 3 Rémi Verschelde 2014-11-27 14:30:53 CET
Note that the security flaw affected the teeworlds-server package (and the corresponding teeworlds-srv binary), so it would be nice to make sure that it is still possible to set up a teeworlds server, and play on it with the client.

Since this update also provides new features and bug fixes, the teeworlds client should also be tested against obvious regressions.
Comment 4 olivier charles 2014-11-28 21:22:13 CET
Testing on Mageia4-64 real HW

With current packages :
---------------------
- teeworlds-0.6.1-5.mga3.x86_64
- teeworlds-data-0.6.1-5.mga3.x86_64
- teeworlds-server-0.6.1-5.mga3.x86_64

Launched teeworlds (client)
Could play online
Stopped teeworlds

In ~/.teeworlds, created a config file named server_default.cfg :

sv_name myserver
password mypassword
sv_rcon_password myadminpassword
sv_port 8303
sv_gametype dm
sv_warmup 10
sv_map dm1
sv_maprotation dm1 dm2 dm6
sv_max_clients 8
sv_scorelimit 20
sv_tournament_mode 0
sv_motd Bienvenu !
sv_powerups 1
sv_timelimit 0
sv_spectator_slots 0

In firewall, authorized port 8303 (udp and tcp)

In terminal :
$ teeworlds-srv -f ~/.teeworlds/server_default.cfg
after several messages :
[5478d5e4][game]: start round type='DM' teamplay='0'

Launched teeworlds client in menu,
could connect to my lan server using password set up in config file.

Could play the game.

Stopped the server (Ctrl-C)


Updated to testing packages :
---------------------------
teeworlds 0.6.3 1.mga4 x86_64  
teeworlds-data 0.6.3 1.mga4 noarch  
teeworlds-server 0.6.3 1.mga4 x86_64

Could play the game on internet

To launch the server, former command didn't work. 
Changed it to :
$ /usr/games/teeworlds-srv -f ~/.teeworlds/server_default.cfg
which launched the server OK
Could connect on lan and play the game

OK

CC: (none) => olchal
Whiteboard: (none) => MAG4-64-OK

olivier charles 2014-11-28 21:23:05 CET

Whiteboard: MAG4-64-OK => MGA4-64-OK

Comment 5 Rémi Verschelde 2014-11-28 21:47:24 CET
Thanks for the detailed procedure Olivier. It's a bit strange though that you had to start teeworlds-srv with the full path, /usr/games should be in your PATH.

Could you check `echo $PATH` and also the contents of /etc/profile?

It should have something along those lines:

if [ "$UID" -ge 500 ] ; then
    if ! echo ${PATH} |grep -q /usr/games ; then
        PATH=$PATH:/usr/games
    fi
fi

Whiteboard: MGA4-64-OK => has_procedure MGA4-64-OK

Comment 6 olivier charles 2014-11-28 21:59:00 CET
Sorry, I just had to reboot and now I can launch it without giving the full path.
Comment 7 olivier charles 2014-11-28 22:09:40 CET
I guess it is because the path to teeworlds-server has changed : on teeworlds-server-0.6.1-5 it was in /usr/bin and now it's in /usr/games.
Comment 8 Rémi Verschelde 2014-11-28 22:52:08 CET
Ok good, I guess closing your terminal and opening a new one would have done the trick too.
Comment 9 olivier charles 2014-11-30 18:42:21 CET
Tested on Mageia4-32 real hardware

following procedure in Comment 4.

From :
teeworlds 0.6.1-5.mga3
teeworlds-data 0.6.1-5.mga3
teeworlds-server 0.6.1-5.mga3

To :
teeworlds-0.6.3-1.mga4
teeworlds-data-0.6.3-1.mga4
teeworlds-server-0.6.3-1.mga4

This time, restarted terminal to relaunch teeworlds-server as advised by Rémi.

All OK

Whiteboard: has_procedure MGA4-64-OK => has_procedure MGA4-64-OK MGA4-32-OK

Comment 10 Rémi Verschelde 2014-11-30 20:18:12 CET
Advisory uploaded.

Whiteboard: has_procedure MGA4-64-OK MGA4-32-OK => has_procedure MGA4-64-OK MGA4-32-OK advisory

Comment 11 claire robinson 2014-12-01 14:20:07 CET
Validating.

Please push to updates.

Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 12 Mageia Robot 2014-12-01 18:57:40 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0502.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2014-12-02 19:37:52 CET

URL: https://www.teeworlds.com/forum/viewtopic.php?id=11200 => http://lwn.net/Vulnerabilities/624082/
