Bug#406400: nexuiz: Open security fixes in Etch

Steve Langasek vorlon at debian.org
Sun Jan 14 23:54:54 CET 2007


severity 406400 important
thanks

On Thu, Jan 11, 2007 at 08:29:17PM +0100, Cyril Brulebois wrote:
> Sure. Here is a little cut & paste from #alientrap/irc.irule.net:

> <KiBi> As a member of the Debian Games Team, I'd like to get some
>        precisions about CVE-2006-6610
> <div0> ok
> <KiBi> It is stated about "remote console command injection", but I'd
>        like to know whether that means game command injection or
>        arbitrary shell commands
> <div0> anyone could inject Quake console commands...
> <div0> not shell commands
> <div0> the impact is overwriting config files in ~/.nexuiz and DoS
>        against the server
> <div0> it should not be possible to destroy anything else
> <KiBi> OK, many thanks.
> <div0> and of course manipulation of the server, like changing its host
>        name or MOTD for propaganda or stuff like that
> <KiBi> Sure. Just wanted to know about ``outside impact''.
> <div0> so if someone was affected by such an attack, I'd recommend "rm
>        -rf ~/.nexuiz" and restoring the config directory

This doesn't sound like a release-critical security hole then, since it's
not true arbitrary command execution.

Cheers,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon at debian.org                                   http://www.debian.org/