Bug#406400: nexuiz: Open security fixes in Etch

Moritz Muehlenhoff jmm at inutil.org
Thu Jan 11 19:14:32 CET 2007


On Thu, Jan 11, 2007 at 05:35:25AM +0100, Cyril Brulebois wrote:
> Moritz Muehlenhoff <jmm at debian.org> (10/01/2007):
> > I'm currently busy and haven't had the time to investigate it myself
> > yet, but it should be tracked for Etch:
> >  - fixed fake players DoS (CVE-2006-6609)
> >  - fixed clientcommands remote console command injection (CVE-2006-6610)
> > 
> > If the second vulnerability refers to shell command execution and not
> > to some kind of in-game console à la Quake, this warrants an RC security
> > bug.
> 
> By googling on the CVE IDs, I found a site[1] stating that it is about
> shell command execution:
> 
> ``A remote attacker could exploit this vulnerability to execute
>   arbitrary commands on the system.''
> 
>  1. http://xforce.iss.net/xforce/xfdb/30875

Security databases typically don't investigate very much; they only
provide a quick write-up. Can you please contact upstream?
 
> Since 2.2.1-1 has been in sid for 26 days, I was wondering whether
> pushing this version into etch would be an acceptable fix.

I agree that would be a viable approach. It also features better multi-player
compatibility.

Cheers,
        Moritz




More information about the Pkg-games-devel mailing list