A CVE has been assigned for a security issue fixed upstream in teeworlds: http://openwall.com/lists/oss-security/2016/11/17/8 The issue was fixed in 0.6.4, which is already in Cauldron.
available on mga 5 updates_testing SRPMS: teeworlds-0.6.4-1.mga5
CC: (none) => mageia
Assignee: rverschelde => qa-bugs
Rémi, could you write the advisory for this one?
CC: (none) => rverschelde
MGA5-32 on AcerD620 Xfce. No installation issues. Following bug 14672 Comment 4, I could connect to an outside server, configure and start own server and connect client to it.
Whiteboard: (none) => MGA5-32-OK
CC: (none) => herman.viaene
Testing MGA5 x64 real hardware, stand-alone machine.
BEFORE update:
teeworlds-server-0.6.3-1.mga5
teeworlds-data-0.6.3-1.mga5
teeworlds-0.6.3-1.mga5
Just running Teeworlds from the Games menu worked; it asks for a player name. It presents a list of servers, I picked a Vanilla one which displayed a game which moved. Enough!
For the server, I made a mess. I created ~/server_default.cfg rather than ~/.teeworlds/server_default.cfg as per https://bugs.mageia.org/show_bug.cgi?id=14672#c4 with "sv_name localhost". BTAIM I added via MCC Security->Personal Firewall->Advanced port 8303/udp & port 8303/tcp, *not* (supposedly) applicable to the Internet connection; and launched the server:
$ teeworlds-srv -f ~/.teeworlds/server_default.cfg
which outputs a lot (here including "failed to open '/home/lewis/.teeworlds/server_default.cfg'") ending with "server registered". To connect from the client I tried 127.0.0.1 in both Host and Server fields, and it showed the same game as previously, but I do not know from where.
AFTER update:
teeworlds-server-0.6.4-1.mga5
teeworlds-0.6.4-1.mga5
teeworlds-data-0.6.4-1.mga5
The client worked OK as before, externally. Starting the server:
$ teeworlds-srv -f ~/.teeworlds/server_default.cfg
(still without the config file in the right place), it worked with a vengeance because 2 external players connected. From the client my own connections & disconnections citing 127.0.0.1 in both Host & Server fields appeared in the server O/P. I killed it quickly, and undid the firewall permissions.
Putting the config file in its correct place ~/.teeworlds/server_default.cfg and re-starting the server reported correctly "server name is 'localhost'". To connect from the client, I put 'localhost' in the Quick Search field, which showed for the Host address field below '127.0.0.1:8303', and asked for the password before continuing OK. Because the Firewall was still blocked, there were ERROR complaints about that. But my own local connect/leave registered.
So you can test the server locally *without* opening port 8303 if you ignore the ERRORs about that, citing the server name defined in the config file in the client's server search field. And if you do open the port, *beware* of incoming connections. Update OK and validated. The Advisory is awaited.
Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs
Advisory:
=========

Updated teeworlds packages fix security vulnerability

A security vulnerability was found in the Teeworlds client logic that could enable remote code execution on the client by malicious servers (CVE-2016-9400). This maintenance release fixes it.

References:
- https://www.teeworlds.com/?page=news&id=12086
- http://openwall.com/lists/oss-security/2016/11/16/8

SRPM in core/updates_testing:
=============================
- teeworlds-0.6.4-1.mga5
@Rémi Thanks for the Advisory. It is now uploaded.
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0407.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => https://lwn.net/Vulnerabilities/707700/