Bug#870725: CVE-2017-11721: read buffer overflow in MSG_ReadBits

Simon McVittie smcv at debian.org
Sat Aug 5 10:47:23 UTC 2017


Control: retitle -1 CVE-2017-11721: read buffer overflow in MSG_ReadBits
Control: tags -1 + upstream fixed-upstream patch
Control: forwarded -1 https://github.com/ioquake/ioq3/commit/d2b1d124d4055c2fcbe5126863487c52fd58cca1

On Fri, 04 Aug 2017 at 16:30:46 +0200, Moritz Muehlenhoff wrote:
> Please see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11721

I have fixed this in unstable with a newer upstream snapshot. I suspect
that the bug is also present in all older suites, but I have not had
time to research that. Any suite where the upstream commit cherry-picks
successfully is probably vulnerable.

I am travelling (to Debconf) and finishing writing a talk, so I will
be unable to address this in older suites for now. If someone from the
security or games team wants to prepare and upload a backport of the
commit referenced by MITRE, please go ahead. From the commit message
and a quick read through the code, my understanding is that only the
MSG_ReadBits side is security-sensitive, with the MSG_WriteBits side
being merely for correctness (the buffer overflow check is too
pessimistic and will sometimes report an overflow when there are in
fact a few bytes left); but I could be wrong, and taking the entire
commit is probably the safer option.

The debian/stretch and debian/jessie branches in
https://anonscm.debian.org/git/pkg-games/ioquake3.git should be up to
date, and that git repository also contains the upstream commit
d2b1d124d4055c2fcbe5126863487c52fd58cca1.

Otherwise, I'll come back to this after I've given my talk at Debconf,
assuming I can recruit someone running stable to smoke-test the new
version.

Thanks,
    S
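The read-side bounds check the mail describes, as an added illustration (this is not ioquake3's msg.c and not the upstream commit): a constructed bit-stream message whose reader refuses, at bit granularity, to index past the valid bytes, and whose writer uses an equally exact check so a field that still fits is never reported as an overflow. The struct, field layout and function names are assumptions loosely modelled on the ioquake3-style msg_t fields (data, maxsize, cursize, bit).

```c
#include <stdint.h>

/* Constructed bit-stream message, loosely modelled on an ioquake3-style
 * msg_t (data, maxsize, cursize, bit); example code for this mail, not ioquake3's. */
typedef struct {
    uint8_t *data;
    int maxsize;    /* capacity of data[] in bytes */
    int cursize;    /* bytes of valid (received) data */
    int bit;        /* read/write cursor, in bits */
    int overflowed; /* set once an access would leave the valid bytes */
} bitmsg_t;

/* Read `bits` (1..32) LSB-first with an exact, bit-granular bounds check.
 * A short read flags the message and returns 0; data[] is never indexed
 * past cursize, which is the read-side defence the mail describes. */
uint32_t msg_read_bits(bitmsg_t *msg, int bits)
{
    uint32_t value = 0;
    if (bits < 1 || bits > 32 || msg->overflowed ||
        msg->bit + bits > msg->cursize * 8) {
        msg->overflowed = 1;
        return 0;
    }
    for (int i = 0; i < bits; i++) {
        int pos = msg->bit + i;
        value |= (uint32_t)((msg->data[pos >> 3] >> (pos & 7)) & 1) << i;
    }
    msg->bit += bits;
    return value;
}

/* Write `bits` (1..32) LSB-first. The check is exact in bits, so a field
 * that still fits in the remaining space is never reported as an overflow. */
int msg_write_bits(bitmsg_t *msg, uint32_t value, int bits)
{
    if (bits < 1 || bits > 32 || msg->overflowed ||
        msg->bit + bits > msg->maxsize * 8) {
        msg->overflowed = 1;
        return 0;
    }
    for (int i = 0; i < bits; i++) {
        int pos = msg->bit + i;
        if ((pos & 7) == 0) msg->data[pos >> 3] = 0; /* first bit of a byte: start clean */
        msg->data[pos >> 3] |= (uint8_t)(((value >> i) & 1) << (pos & 7));
    }
    msg->bit += bits;
    msg->cursize = (msg->bit + 7) / 8; /* bytes now holding valid data */
    return 1;
}
```

Reading exactly to the last valid bit succeeds; one bit more sets `overflowed` and returns 0 instead of touching memory past the buffer.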