Bug 5496 - Security issue CVE-2010-5077 may affect games based on Quake3 engine
Summary: Security issue CVE-2010-5077 may affect games based on Quake3 engine
Status: RESOLVED OLD
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Juan Luis Baptiste
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/488838/
Whiteboard: MGA1TOO
Keywords:
Depends on: 6565 6997
Blocks:
Reported: 2012-04-19 22:49 CEST by David Walser
Modified: 2013-11-22 15:51 CET

Description David Walser 2012-04-19 22:49:41 CEST
The Debian and RedHat security advisories linked in the URL for this bug show openarena and tremulous as games that are affected by this.  This RedHat bug also lists ioquake and urbanterror:
https://bugzilla.redhat.com/show_bug.cgi?id=806898

It's not immediately clear if this issue has been fixed already in any of those games, or in what versions if it was.

Mageia 1 may also be vulnerable, as openarena and ioquake were included there.
David Walser 2012-04-19 22:49:54 CEST

CC: (none) => juan.baptiste

David Walser 2012-04-19 22:53:54 CEST

CC: (none) => lists.jjorge

David Walser 2012-04-19 22:54:24 CEST

Blocks: (none) => 5046

Comment 1 Juan Luis Baptiste 2012-04-19 23:28:23 CEST
Comment #2 of that bug report says that the Fedora version isn't affected, we
have the same version in cauldron so we aren't affected for mga 2. I'll have to
review ioquake3 for mga 1.
Guillaume Rousse 2012-04-22 20:09:12 CEST

Blocks: 5046 => (none)

David Walser 2012-04-22 20:12:57 CEST

Blocks: (none) => 5046

Comment 2 Juan Luis Baptiste 2012-04-24 18:58:56 CEST
This is what the author of TurtleArena says:

--
The issue is only present in the first release, named TMNT Arena
(2009-12-11). Turtle Arena 0.2 (2010-05-31) and later have the fix.

Turtle Arena 0.6 was released April 13 2012. It would be nice to
update the version in Mageia 2 if possible. I hadn't planned to
support 0.5.3 long term as it was a beta release leading to 0.6.
--

So this one is safe too. About updating to 0.6, WTDT ?
Comment 3 David Walser 2012-04-24 19:11:40 CEST
(In reply to comment #2)
> So this one is safe too. About updating to 0.6, WTDT ?

That sounds like a good idea.  You would just need to do it very soon and do a good job of explaining the reasons for it when you request the freeze push.
Comment 4 Juan Luis Baptiste 2012-04-24 19:44:15 CEST
Ok, I'll try to do it tonight (I have been a little short of spare time lately :( ).
Comment 5 David Walser 2012-04-26 20:58:26 CEST
I looked at the Debian patches for openarena and the code in our Cauldron package, and it already has the patches.  Looks like Cauldron is unaffected.

Version: Cauldron => 1
Blocks: 5046 => (none)

Comment 6 José Jorge 2012-04-26 22:50:39 CEST
Assigned to qa-bugs as I submitted a tremulous to Mageia 1 testing.

It fixes:
- CVE-2011-2764
- CVE-2011-3012
- CVE-2010-5077

Status: NEW => ASSIGNED
Assignee: bugsquad => qa-bugs

Comment 7 David Walser 2012-04-26 23:35:15 CEST
Thanks José.  We also need updates for openarena and ioquake3 before this is ready to be pushed.  Are there any other games in Mageia 1 based on the Quake 3 engine?  I noticed ones called teeworlds and alienarena with similar names that say they are FPSs as well.
David Walser 2012-04-27 15:47:41 CEST

Blocks: (none) => 5046

Comment 8 David Walser 2012-04-27 15:50:07 CEST
CVE-2011-3012, CVE-2011-2764 also need to be looked into.

I looked at one of the patches for CVE-2011-2764 and it is missing in openarena in Mageia 2.

Here are some references:
https://bugzilla.redhat.com/show_bug.cgi?id=725951
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=660836
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=635734
Comment 9 David Walser 2012-04-27 15:55:10 CEST
According to a comment in the RedHat bug, alienarena uses a fork of the Quake3 engine, and may be affected by any of these CVEs.
Comment 10 claire robinson 2012-04-27 15:59:16 CEST
Assigning José as this is not yet ready for QA.

Please reassign when you've had a chance to look. Thanks.

CC: (none) => qa-bugs
Hardware: i586 => All
Assignee: qa-bugs => lists.jjorge

Anne Nicolas 2012-05-05 09:43:30 CEST

Blocks: 5046 => (none)

Comment 11 José Jorge 2012-06-25 15:26:38 CEST
Something was done the wrong way here: patched tremulous has been available for two months, and was not tested because this bug was assigned back to me.

I don't feel waiting for every game to be patched is sane, as I don't even package them...

Please validate the tremulous update at least, then reassign to other packagers for other games...

Assignee: lists.jjorge => qa-bugs

Comment 12 David Walser 2012-06-25 15:35:05 CEST
Maybe Juan can help out with the other packages.

I'll file a new bug just for tremulous so it can go to QA.

Assignee: qa-bugs => juan.baptiste

David Walser 2012-06-25 15:47:12 CEST

Version: 1 => 2
Whiteboard: (none) => MGA1TOO

David Walser 2012-06-25 15:51:59 CEST

Depends on: (none) => 6565

Comment 13 David Walser 2012-06-25 16:10:52 CEST
Packages that still need to be evaluated and/or fixed:
- ioquake3 (CVE-2010-5077 is fixed in Mageia 2, need to look at the others)
- openarena (CVE-2010-5077 is fixed in Mageia 2, need to look at the others)
- urbanterror
- teeworlds
- alienarena
Comment 14 Juan Luis Baptiste 2012-07-03 08:07:39 CEST
Urban Terror isn't affected in Mageia 2 as it uses ioquake3 as engine. alienarena needs to be checked and teeworlds isn't based on Quake 3 engine.
Comment 15 Lee Forest 2012-07-15 15:53:44 CEST
A new version of AlienArena has been released. It's available here: http://red.planetarena.org/aquire.html Maybe it will fix any problems, if any, with that particular game.

CC: (none) => lee8oi

Comment 16 David Walser 2012-08-03 22:00:18 CEST
There's also CVE-2011-1412:
http://lwn.net/Vulnerabilities/454440/
Comment 17 Juan Luis Baptiste 2012-08-05 06:34:44 CEST
We are safe for those two CVEs (2011-1412 and 2011-2764); according to Fedora advisories, they're fixed in ioquake3 revision 2102:

--------------------------
Update Information:

- Update to 1.36 svn snapshot r2102
- This fixes 2 security issues where a malicious server could execute arbitrary code on connecting
clients (rhbz#725951):
- CVE-2011-1412: Execute arbitrary shell commands on connecting clients
- CVE-2011-2764: Arbitrary code execution when native-code DLLs are enabled
--------------------------

Which is the same one we currently have, both in mga 2 and cauldron.
Comment 18 David Walser 2012-08-05 07:01:36 CEST
What about Mageia 1?  Also, could it still affect any of the other packages?
Comment 19 Juan Luis Baptiste 2012-08-06 08:00:24 CEST
Just ioquake3, the other games were not part of mga 1.
Comment 20 Juan Luis Baptiste 2012-08-06 23:26:36 CEST
I looked at cauldron's package and those vulnerabilities aren't fixed as patches that we could easily take and add to the mga 1 branch, they come with the update to the 2102 release. So I think that the cauldron version should be pushed to mga 1 as an update.
Comment 21 David Walser 2012-08-06 23:28:48 CEST
(In reply to comment #20)
> I looked at cauldron's package and those vulnerabilities aren't fixed as
> patches that we could easily take and add to the mga 1 branch, they come with
> the update to the 2102 release. So I think that the cauldron version should be
> pushed to mga 1 as an update.

That sounds like the best course of action to me.
Comment 22 Juan Luis Baptiste 2012-08-08 16:07:42 CEST
I'm currently working on the update for Mga 1, it'll be available for testing
in a bit.
Comment 23 Juan Luis Baptiste 2012-08-10 03:51:18 CEST
Ok, update ready for testing on core/updates_testing. Please test it.
Comment 24 David Walser 2012-08-10 03:56:34 CEST
(In reply to comment #23)
> Ok, update ready for testing on core/updates_testing. Please test it.

We'll need to file a new bug just for that, as this is now a tracker and there are still other packages that need to be addressed.  Which CVEs have we now addressed with the ioquake3 update?

ioquake3-1.36-6.svn2102.2.mga1
Comment 25 Juan Luis Baptiste 2012-08-10 04:02:19 CEST
The ones on comment #17
Comment 26 David Walser 2012-08-10 04:24:10 CEST
(In reply to comment #25)
> The ones on comment #17

What about CVE-2010-5077 and CVE-2011-3012?
Comment 27 Juan Luis Baptiste 2012-08-10 04:29:48 CEST
Those too.
David Walser 2012-08-10 04:34:07 CEST

Depends on: (none) => 6997

Comment 28 David Walser 2012-08-10 04:39:39 CEST
Current status:

- ioquake3, should be OK in Mageia 2, update candidate available for Mageia 1
- openarena, CVE-2010-5077 is fixed in Mageia 2, need to look at the others
- urbanterror, not present in Mageia 1, uses system ioquake3 in Mageia 2
- teeworlds, doesn't use ioquake3 engine, not affected
- alienarena, still needs to be looked at
David Walser 2012-09-08 06:56:02 CEST

CC: (none) => mageia

David Walser 2012-10-10 00:45:56 CEST

CC: (none) => oe

Comment 29 David Walser 2013-11-22 15:51:31 CET
Hopefully none of these issues still exist in Mageia 3 or Cauldron.

Closing this now due to Mageia 2 EOL.

http://blog.mageia.org/en/2013/11/21/farewell-mageia-2/

QA Contact: (none) => security

Comment 30 David Walser 2013-11-22 15:51:58 CET
Actually closing...

Status: ASSIGNED => RESOLVED
Resolution: (none) => OLD

