FS#54262 - [urbanterror] arbitrary code execution (CVE-2017-6903)
Attached to Project: Community Packages
Opened by Pablo Lezaeta (Jristz) - Friday, 02 June 2017, 07:08 GMT
Last edited by Sven-Hendrik Haase (Svenstaro) - Friday, 30 June 2017, 16:40 GMT
Details
Summary
=======
The package urbanterror is vulnerable to arbitrary code execution via CVE-2017-6903.

Guidance
========
Backport fix based on patchset for urbanterror [1]

[1] https://github.com/Barbatos/ioq3-for-UrbanTerror-4/pull/73

References
==========
https://security.archlinux.org/AVG-227
https://github.com/Barbatos/ioq3-for-UrbanTerror-4/issues/71
https://github.com/Barbatos/ioq3-for-UrbanTerror-4/pull/73
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857699
https://ioquake3.org/2017/03/13/important-security-update-please-update-ioquake3-immediately/
Closed by Sven-Hendrik Haase (Svenstaro)
Friday, 30 June 2017, 16:40 GMT
Reason for closing: Won't fix
Comment by Sven-Hendrik Haase (Svenstaro) - Saturday, 10 June 2017, 03:35 GMT
We use the prebuilt binaries because urbanterror doesn't build
properly and it was a big hassle to maintain otherwise. Can we get
upstream to make a new release with these fixes?

Comment by Bartłomiej Piotrowski (Barthalion) - Thursday, 29 June 2017, 09:59 GMT
What is the point of having it in repositories if it just
repackages a binary? Its place is in Flatpak, snap or AUR, not our
official repo.

Comment by Sven-Hendrik Haase (Svenstaro) - Thursday, 29 June 2017, 13:43 GMT
Yeah probably you're right. Going to drop urbanterror. It's a
total PITA to build from source.

Comment by Sven-Hendrik Haase (Svenstaro) - Friday, 30 June 2017, 16:37 GMT
Dropped to AUR.