Bug#406400: nexuiz: Open security fixes in Etch

Cyril Brulebois cyril.brulebois at enst-bretagne.fr
Thu Jan 11 20:29:17 CET 2007


Moritz Muehlenhoff <jmm at inutil.org> (11/01/2007):
> Security databases typically don't investigate very much; they only
> provide a quick write-up. Can you please contact upstream?

Sure. Here is a little cut & paste from #alientrap/irc.irule.net:

<KiBi> As a member of the Debian Games Team, I'd like to get some
       precisions about CVE-2006-6610
<div0> ok
<KiBi> It is stated about "remote console command injection", but I'd
       like to know whether that means game command injection or
       arbitrary shell commands
<div0> anyone could inject Quake console commands...
<div0> not shell commands
<div0> the impact is overwriting config files in ~/.nexuiz and DoS
       against the server
<div0> it should not be possible to destroy anything else
<KiBi> OK, many thanks.
<div0> and of course manipulation of the server, like changing its host
       name or MOTD for propaganda or stuff like that
<KiBi> Sure. Just wanted to know about ``outside impact''.
<div0> so if someone was affected by such an attack, I'd recommend "rm
       -rf ~/.nexuiz" and restoring the config directory

> > Since 2.2.1-1 has been in sid for 26 days, I was wondering whether
> > pushing this version into etch would be an acceptable fix.
> 
> I agree that would be a viable approach. It also features better
> multi-player compatibility.

Shall I ask on debian-release for a hint, with a [security] tag in the
topic or something like that, or something totally different? You can
also contact me on OFTC, nickname: KiBi.

Cheers,

-- 
Cyril Brulebois