Bug#1122289: robocode: CVE-2025-14306 CVE-2025-14307 CVE-2025-14308
Salvatore Bonaccorso
carnil at debian.org
Tue Dec 9 21:48:54 GMT 2025
Source: robocode
Version: 1.9.3.9-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Control: found -1 1.9.3.9-3
Hi,
The following vulnerabilities were published for robocode.
CVE-2025-14306[0]:
| A directory traversal vulnerability exists in the CacheCleaner
| component of Robocode version 1.9.3.6. The recursivelyDelete method
| fails to properly sanitize file paths, allowing attackers to
| traverse directories and delete arbitrary files on the system. This
| vulnerability can be exploited by submitting specially crafted
| inputs that manipulate the file path, leading to potential
| unauthorized file deletions. https://robo-code.blogspot.com/
CVE-2025-14307[1]:
| An insecure temporary file creation vulnerability exists in the
| AutoExtract component of Robocode version 1.9.3.6. The
| createTempFile method fails to securely create temporary files,
| allowing attackers to exploit race conditions and potentially
| execute arbitrary code or overwrite critical files. This
| vulnerability can be exploited by manipulating the temporary file
| creation process, leading to potential unauthorized actions.
CVE-2025-14308[2]:
| An integer overflow vulnerability exists in the write method of the
| Buffer class in Robocode version 1.9.3.6. The method fails to
| properly validate the length of data being written, allowing
| attackers to cause an overflow, potentially leading to buffer
| overflows and arbitrary code execution. This vulnerability can be
| exploited by submitting specially crafted inputs that manipulate the
| data length, leading to potential unauthorized code execution.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-14306
https://www.cve.org/CVERecord?id=CVE-2025-14306
https://github.com/robo-code/robocode/pull/67
[1] https://security-tracker.debian.org/tracker/CVE-2025-14307
https://www.cve.org/CVERecord?id=CVE-2025-14307
https://github.com/robo-code/robocode/pull/68
[2] https://security-tracker.debian.org/tracker/CVE-2025-14308
https://www.cve.org/CVERecord?id=CVE-2025-14308
https://github.com/robo-code/robocode/pull/70
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
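The three CVE texts above name three classic file-handling pitfalls (a recursive delete that does not confine itself to its cache directory, a temporary file created without atomic creation and private permissions, and a write-length check that can wrap around). The following is an added illustration of what a hardened version of each check looks like in generic Java; it is not Robocode's code and not the contents of the linked pull requests, and the class and method names (HardenedFileOps, recursivelyDeleteWithin, createPrivateTempFile, checkedCopy) are hypothetical.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Comparator;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;

// Hypothetical helper class; not part of Robocode.
public final class HardenedFileOps {

    // (1) Recursive delete confined to a cache root. Both paths are resolved to
    //     their real paths (symlinks followed) before the containment check, so
    //     "../" segments and symlinks pointing outside the root are rejected.
    static void recursivelyDeleteWithin(Path cacheRoot, Path target) throws IOException {
        Path realRoot = cacheRoot.toRealPath();
        Path realTarget = target.toRealPath();   // NoSuchFileException if absent
        if (!realTarget.startsWith(realRoot) || realTarget.equals(realRoot)) {
            throw new SecurityException("refusing to delete outside cache root: " + target);
        }
        // Files.walk does not follow symlinks, so a link to a directory is
        // removed as a link rather than traversed into.
        try (Stream<Path> walk = Files.walk(realTarget)) {
            List<Path> deepestFirst = walk.sorted(Comparator.reverseOrder())
                                          .collect(Collectors.toList());
            for (Path p : deepestFirst) {
                Files.delete(p);
            }
        }
    }

    // (2) Temporary file created atomically (CREATE_NEW under the hood) with a
    //     random name and owner-only permissions, in a directory the caller
    //     controls rather than a shared world-writable one.
    static Path createPrivateTempFile(Path dir, String prefix, String suffix) throws IOException {
        Files.createDirectories(dir);
        if (Files.getFileStore(dir).supportsFileAttributeView("posix")) {
            Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rw-------");
            FileAttribute<Set<PosixFilePermission>> attr =
                PosixFilePermissions.asFileAttribute(ownerOnly);
            return Files.createTempFile(dir, prefix, suffix, attr);
        }
        return Files.createTempFile(dir, prefix, suffix);   // non-POSIX: inherits parent ACL
    }

    // (3) Overflow-safe length validation before a copy into a fixed buffer.
    //     A naive "pos + len > capacity" test wraps negative for huge len and
    //     passes; Math.addExact makes the wrap an error instead.
    static int checkedCopy(byte[] dst, int dstPos, byte[] src, int srcPos, int len) {
        if (len < 0 || dstPos < 0 || srcPos < 0) {
            throw new IllegalArgumentException("negative offset or length");
        }
        int dstEnd;
        int srcEnd;
        try {
            dstEnd = Math.addExact(dstPos, len);
            srcEnd = Math.addExact(srcPos, len);
        } catch (ArithmeticException e) {
            throw new IllegalArgumentException("length overflows int", e);
        }
        if (dstEnd > dst.length || srcEnd > src.length) {
            throw new IllegalArgumentException("write exceeds buffer bounds");
        }
        System.arraycopy(src, srcPos, dst, dstPos, len);
        return dstEnd;   // new write position
    }

    public static void main(String[] args) throws IOException {
        // Constructed demo layout under a fresh temp directory.
        Path root = Files.createTempDirectory("cache-demo");
        Path sub = Files.createDirectories(root.resolve("sub/deeper"));
        Files.writeString(sub.resolve("entry.bin"), "x");

        recursivelyDeleteWithin(root, root.resolve("sub"));
        System.out.println("sub removed: " + Files.notExists(root.resolve("sub")));

        try {   // traversal attempt: resolves to the parent of the cache root
            recursivelyDeleteWithin(root, root.resolve(".."));
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }

        Path tmp = createPrivateTempFile(root, "extract-", ".tmp");
        System.out.println("private temp file: " + tmp);

        try {   // length that would wrap a naive pos + len check
            checkedCopy(new byte[16], 8, new byte[4], 0, Integer.MAX_VALUE);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        recursivelyDeleteWithin(root.getParent(), root);   // clean up the demo dir
    }
}
```

Two caveats a reviewer of any fix for these classes of bug will want checked: the containment test must run on real (canonicalised) paths, since a `startsWith` on the un-resolved path is defeated by symlinks inside the cache; and in Java a wrapped length check does not corrupt memory the way it would in C, but it lets a bogus size through to whatever allocation or `arraycopy` follows, so the rejection belongs before the size is ever used.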