Security release 0.2.8.3.3 for Debian

For all the help you need with Armagetron!
Apo
Posts: 8
Joined: Fri Aug 29, 2014 12:07 pm

Security release 0.2.8.3.3 for Debian

Post by Apo »

Hello,

I just saw your new release but I couldn't find any CVE identifiers for it. So the question is: how bad is it? From looking at the release notes it sounds the security bugs are remotely exploitable but I cannot assess how harmful they really are. I am the Debian maintainer for ArmagetronAD and I would like to fix those issues also in Debian's stable release. But for that I would need a targeted fix, just a patch for the security bugs, because the new release contains too much unrelated noise which makes it difficult for our release team to review the changes.

I would be glad if you could point me to the relevant commits. I might then be able to write the patch myself.
Z-Man
God & Project Admin
Posts: 11585
Joined: Sun Jan 23, 2005 6:01 pm
Location: Cologne

Re: Security release 0.2.8.3.3 for Debian

Post by Z-Man »

Oh, certainly. Sorry, I meant to contact you guys. The place to look for the individual patches is the history of the 0.2.8.3 branch:
https://sourceforge.net/p/armagetronad/ ... magetronad
Revision 9914 is where 0.2.8.3.2 was built from.

The fixes for the remote exploits (no code execution, just DoS) are in revision 10706:
https://sourceforge.net/p/armagetronad/code/10706/

Two earlier fixes, for a theoretical and a rare crash respectively, were also included:
https://sourceforge.net/p/armagetronad/code/10505/ (the theoretical one; no, I don't know why the bad code ever worked)
https://sourceforge.net/p/armagetronad/code/10393/ (the rare one)
Both are non-exploitable, they either happen or don't depending on the mood of the compiler or sound mixer scheduling.

The rest of the changes in the branch since 0.2.8.3.2 are not general crash or security related.

I'll try to produce cleaned up patches against the 0.2.8.3.2 source tarball later today.
Z-Man
God & Project Admin
Posts: 11585
Joined: Sun Jan 23, 2005 6:01 pm
Location: Cologne

Re: Security release 0.2.8.3.3 for Debian

Post by Z-Man »

Here are the patches. Pick just one, they are not cascading; I recommend _crash_and_security.

For _security and _crash_and_security, you're responsible for updating to an appropriate version number yourself. These patches are as clean as possible.

The _raw patch is the minimum possible patch to bring an extracted 0.2.8.3.2 tarball up to the state of full 0.2.8.3.3; the changes to configure.ac are included and a run of ./bootstrap.sh is required to update all the autogenerated files.
Attachments
armagetronad-0.2.8.3.3_security.patch.bz2
Just the DoS fixes. No updates to the build system or other bugfixes. (Build version also untouched)
(1.54 KiB) Downloaded 108 times
armagetronad-0.2.8.3.3_crash_and_security.patch.bz2
Just the crash and security fixes; no updates to the build system or other bugfixes. (Build version also untouched)
(2.08 KiB) Downloaded 107 times
armagetronad-0.2.8.3.3_raw.patch.bz2
Raw patch from 0.2.8.3.2 to 0.2.8.3.3 without changes to files autoconf/automake handles.
(4.09 KiB) Downloaded 92 times
Apo
Posts: 8
Joined: Fri Aug 29, 2014 12:07 pm

Re: Security release 0.2.8.3.3 for Debian

Post by Apo »

Thank you very much. I will try your recommendation and at the moment I am tracking this issue at

https://bugs.debian.org/780178