| |||||||||||||||||||
Mageia alert MGASA-2012-0148 (tremulous)
MGASA-2012-0148 Date: July 9th, 2012 Affected releases: 1 Description: Updated tremulous package fixes security vulnerabilities: It has been discovered that spoofed "getstatus" UDP requests are being sent by attackers to servers for use with games derived from the Quake 3 engine (such as openarena). These servers respond with a packet flood to the victim whose IP address was impersonated by the attackers, causing a denial of service (CVE-2010-5077). The FS_CheckFilenameIsNotExecutable function in qcommon/files.c in the ioQuake3 engine 1.36 and earlier, as used in World of Padman, Smokin' Guns, OpenArena, Tremulous, and ioUrbanTerror, does not properly determine dangerous file extensions, which allows remote attackers to execute arbitrary code via a crafted third-party addon that creates a Trojan horse DLL file (CVE-2011-2764). The ioQuake3 engine, as used in World of Padman 1.2 and earlier, Tremulous 1.1.0, and ioUrbanTerror 2007-12-20, does not check for dangerous file extensions before writing to the quake3 directory, which allows remote attackers to execute arbitrary code via a crafted third-party addon that creates a Trojan horse DLL file (CVE-2011-3012). Updated Packages: tremulous-1.2.0-0.beta1.1.2.mga1 References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5077 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2764 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3012 http://www.debian.org/security/2012/dsa-2442 http://lists.fedoraproject.org/pipermail/package-announce... https://bugs.mageia.org/show_bug.cgi?id=6565 https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-... (Log in to post comments)
|
|||||||||||||||||||