Hello,
I just saw your new release but I couldn't find any CVE identifiers for it. So the question is: how bad is it? From looking at the release notes it sounds like the security bugs are remotely exploitable but I cannot assess how harmful they really are. I am the Debian maintainer for ArmagetronAD and I would like to fix those issues also in Debian's stable release. But for that I would need a targeted fix, just a patch for the security bugs, because the new release contains too much unrelated noise which makes it difficult for our release team to review the changes.
I would be glad if you could point me to the relevant commits. I might then be able to write the patch myself.
Security release 0.2.8.3.3 for Debian
Re: Security release 0.2.8.3.3 for Debian
Oh, certainly. Sorry, I meant to contact you guys. The place to look for the individual patches is the history of the 0.2.8.3 branch:
https://sourceforge.net/p/armagetronad/ ... magetronad
Revision 9914 is where 0.2.8.3.2 was built from.
The fixes for remote exploits (no code execution, just DoS) are in revision 10706:
https://sourceforge.net/p/armagetronad/code/10706/
Two earlier fixes for theoretical resp. rare crashes were also included:
https://sourceforge.net/p/armagetronad/code/10505/ (the theoretical one; no, I don't know why the bad code ever worked)
https://sourceforge.net/p/armagetronad/code/10393/ (the rare one)
Both are non-exploitable, they either happen or don't depending on the mood of the compiler or sound mixer scheduling.
The rest of the changes in the branch since 0.2.8.3.2 are not general crash or security related.
I'll try to produce cleaned up patches against the 0.2.8.3.2 source tarball later today.
Re: Security release 0.2.8.3.3 for Debian
Here are the patches. Pick just one, they are not cascading; I recommend _crash_and_security.
For _security and _crash_and_security, you're responsible for updating to an appropriate version number yourself. These patches are as clean as possible.
The _raw patch is the minimum possible patch to bring an extracted 0.2.8.3.2 tarball up to the state of full 0.2.8.3.3; the changes to configure.ac are included and a run of ./bootstrap.sh is required to update all the autogenerated files.
Attachments:
- armagetronad-0.2.8.3.3_security.patch.bz2 (1.54 KiB, downloaded 108 times): Just the DoS fixes. No updates to the build system or other bugfixes. (Build version also untouched)
- armagetronad-0.2.8.3.3_crash_and_security.patch.bz2 (2.08 KiB, downloaded 107 times): Just the crash and security fixes; no updates to the build system or other bugfixes. (Build version also untouched)
- armagetronad-0.2.8.3.3_raw.patch.bz2 (4.09 KiB, downloaded 92 times): Raw patch from 0.2.8.3.2 to 0.2.8.3.3 without changes to files autoconf/automake handles.
Re: Security release 0.2.8.3.3 for Debian
Thank you very much. I will try your recommendation and at the moment I am tracking this issue at
https://bugs.debian.org/780178