
Security vulnerabilities in the teeworlds software package

openSUSE Security Update: Security update for teeworlds
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1999-1
Rating: moderate
References: #1112910 #1131729
Cross-References: CVE-2018-18541 CVE-2019-10877 CVE-2019-10878 CVE-2019-10879
Affected Products:
openSUSE Backports SLE-15-SP1
______________________________________________________________________________

An update that fixes four vulnerabilities is now available.

Description:

This update for teeworlds fixes the following issues:

– CVE-2019-10879: An integer overflow in CDataFileReader::Open() could
have led to a buffer overflow and possibly remote code execution,
because size-related multiplications were mishandled. (boo#1131729)
– CVE-2019-10878: A failed bounds check in CDataFileReader::GetData() and
CDataFileReader::ReplaceData() and related functions could have led to
an arbitrary free and an out-of-bounds pointer write, possibly resulting in
remote code execution.
– CVE-2019-10877: An integer overflow in CMap::Load() could have led to a
buffer overflow, because the multiplication of width and height was
mishandled.
– CVE-2018-18541: Connection packets could have been forged. There was no
challenge-response involved in the connection setup. A remote
attacker could have sent connection packets from a spoofed IP address
and occupied all server slots, or even used them for a reflection attack
using map download packets. (boo#1112910)
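The three memory-safety issues above share two root causes: size fields read from an untrusted map file are multiplied and summed in 32-bit arithmetic without an overflow check, and an index read from the file is used without checking it against the number of entries actually loaded. The following C program is an added illustration of those bug classes and their fixes; it is not Teeworlds code. The header layout, record sizes, function names and the 256 MiB cap are this example's own assumptions, chosen to mirror the shape of a map loader rather than CDataFileReader's actual fields.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Upper bound on anything one map file may ask us to allocate.
 * The value is this example's choice, not a Teeworlds constant. */
#define MAX_FILE_BYTES (256u * 1024u * 1024u)

/* Hypothetical, simplified header: the count/size fields a loader reads
 * straight from an untrusted file. Names and record sizes are invented. */
struct hdr {
    int32_t num_item_types;
    int32_t num_items;
    int32_t num_raw_data;
    int32_t item_size;
    int32_t data_size;
};

#define TYPE_RECORD_BYTES  12u   /* assumed size of one item-type record */
#define OFFSET_ENTRY_BYTES  4u   /* assumed size of one offset-table entry */

/* Vulnerable pattern (CVE-2019-10879 class): counts are multiplied and
 * summed in 32-bit unsigned arithmetic with no overflow check. A hostile
 * header wraps the total to a small value, the buffer is allocated at that
 * size, and the later copy of item_size + data_size bytes overruns it. */
uint32_t alloc_size_unchecked(const struct hdr *h)
{
    uint32_t size = 0;
    size += (uint32_t)h->num_item_types * TYPE_RECORD_BYTES;
    size += ((uint32_t)h->num_raw_data + (uint32_t)h->num_items) * OFFSET_ENTRY_BYTES;
    size += (uint32_t)h->item_size;
    size += (uint32_t)h->data_size;
    return size;
}

/* Hardened form: reject negative counts, do the arithmetic in 64 bits where
 * these operands cannot overflow (each is below 2^31, so every product is
 * below 2^36), then cap the result. Returns 1 and the size on success,
 * 0 for a header that must be refused. */
int alloc_size_checked(const struct hdr *h, size_t *out)
{
    if (h->num_item_types < 0 || h->num_items < 0 || h->num_raw_data < 0 ||
        h->item_size < 0 || h->data_size < 0)
        return 0;
    uint64_t size = (uint64_t)h->num_item_types * TYPE_RECORD_BYTES
                  + ((uint64_t)h->num_raw_data + (uint64_t)h->num_items) * OFFSET_ENTRY_BYTES
                  + (uint64_t)h->item_size
                  + (uint64_t)h->data_size;
    if (size > MAX_FILE_BYTES)
        return 0;
    *out = (size_t)size;
    return 1;
}

/* Same bug class for a tile layer (CVE-2019-10877 class): width * height *
 * bytes-per-tile computed in 32 bits. The checked version refuses overflow. */
uint32_t layer_bytes_unchecked(int32_t width, int32_t height, uint32_t tile_bytes)
{
    return (uint32_t)width * (uint32_t)height * tile_bytes;
}

int layer_bytes_checked(int32_t width, int32_t height, uint32_t tile_bytes, size_t *out)
{
    if (width <= 0 || height <= 0)
        return 0;
    uint64_t n = (uint64_t)width * (uint64_t)height * tile_bytes;
    if (n > MAX_FILE_BYTES)
        return 0;
    *out = (size_t)n;
    return 1;
}

/* Index lookup (CVE-2019-10878 class): an index taken from the file must be
 * checked against the number of entries actually loaded. Without the check,
 * a negative or oversized index reads a pointer from outside the table, and
 * the caller's free() or write then goes through that bogus pointer. */
struct datafile {
    int32_t num_raw_data;
    void **data;           /* num_raw_data entries */
};

void *get_data_checked(const struct datafile *df, int32_t index)
{
    if (index < 0 || index >= df->num_raw_data)
        return NULL;
    return df->data[index];
}

int main(void)
{
    /* Constructed hostile header: (num_raw_data + num_items) * 4 == 2^32,
     * which wraps to 0 in 32-bit arithmetic, leaving only 32 bytes. */
    struct hdr evil = { 0, 0x3FFFFFFF, 1, 16, 16 };
    size_t n = 0;
    printf("unchecked size: %u\n", alloc_size_unchecked(&evil));
    printf("checked accepts: %d\n", alloc_size_checked(&evil, &n));
    printf("layer unchecked: %u\n", layer_bytes_unchecked(65536, 65536, 4));
    printf("layer checked accepts: %d\n", layer_bytes_checked(65536, 65536, 4, &n));
    return 0;
}
```

The constructed header makes the unchecked computation return 32 bytes for a file that really describes more than 4 GiB of tables, while the checked version refuses it; the 65536 x 65536 layer wraps to 0 bytes in 32 bits for the same reason. Doing the arithmetic in a wider type and comparing against an explicit cap is simpler to audit than guarding each multiplication individually, and the cap also defends against legitimate-looking but absurd sizes.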

– Update to version 0.7.3.1
* Colorful gametype and level icons in the browser instead of grayscale.
* Add an option to use raw mouse inputs, revert to (0.6) relative mode
by default.
* Demo list marker indicator.
* Restore ingame Player and Tee menus, add a warning that a reconnect is
needed.
* Emotes can now be cancelled by releasing the mouse in the middle of
the circle.
* Improve add friend text.
* Add a confirmation for removing a filter
* Add a “click a player to follow” hint
* Also hint players which key they should press to set themselves ready.
* fixed using correct array measurements when placing egg doodads
* fixed demo recorder downloaded maps using the sha256 hash
* show correct game release version in the start menu and console
* Fix platform-specific client libraries for Linux
* advanced scoreboard with game statistics
* joystick support (experimental!)
* copy paste (one-way)
* bot cosmetics (a visual difference between players and NPCs)
* chat commands (type / in chat)
* players can change skin without leaving the server (again)
* live automapper and complete rules for 0.7 tilesets
* audio toggling HUD
* an Easter surprise…
* new gametypes: “last man standing” (LMS) and “last team standing”
(LTS). survive on your own or as a team with limited weaponry
* 64 players support. official gametypes are still restricted to 16
players maximum but allow more spectators
* new skin system. build your own skins based on a variety of provided
parts
* enhanced security. all communications require a handshake and use a
token to counter spoofing and reflection attacks
* new maps: ctf8, dm3, lms1. Click to discover them!
* animated background menu map: jungle, heavens (day/night themes,
customisable in the map editor)
* new design for the menus: added start menus, reworked server browser,
settings
* customisable gametype icons (browser). make your own!
* chat overhaul, whispers (private messages)
* composed binds (ctrl+, shift+, alt+)
* scoreboard remodelled, now shows kills/deaths
* demo markers
* master server list cache (in case the masters are unreachable)
* input separated from rendering (optimisation)
* upgrade to SDL2. support for multiple monitors, non-english keyboards,
and more
* broadcasts overhaul, optional colours support
* ready system, for competitive settings
* server difficulty setting (casual, competitive, normal), shown in the
browser
* spectator mode improvements: follow flags, click on players
* bot flags for modified servers: indicate NPCs, can be filtered out in
the server browser
* sharper graphics all around (no more tileset_borderfix and dilate)
* refreshed the HUD, ninja cooldown, new mouse cursor
* mapres update (higher resolution, fixes…)
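The CVE-2018-18541 bullet and the "enhanced security" changelog item describe the same change from opposite sides: before, a single unauthenticated connection packet was enough to occupy a slot and to trigger replies (such as map download data) toward whatever source address the packet claimed; after, every connection requires a handshake in which the server issues a token that only a peer who really receives traffic at that address can echo back. The C program below is an added simulation of that exchange, written for this page and not taken from the Teeworlds network code. Message names, table sizes, the 32-bit token and the /dev/urandom source are this example's assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SLOTS   4    /* player slots an attacker wants to exhaust */
#define MAX_PENDING 16   /* bounded table of half-open handshakes */

struct addr { uint32_t ip; uint16_t port; };

struct pending { struct addr peer; uint32_t token; int used; };

struct server {
    struct addr   slots[MAX_SLOTS];
    int           slot_used[MAX_SLOTS];
    struct pending pend[MAX_PENDING];
    int           next_pend;  /* round-robin eviction cursor */
};

static int addr_eq(struct addr a, struct addr b)
{
    return a.ip == b.ip && a.port == b.port;
}

/* Token source: the OS CSPRNG. A predictable token would let a spoofer
 * guess the challenge without ever seeing it, so a PRNG is not acceptable. */
uint32_t urandom_token(void)
{
    uint32_t t = 0;
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f || fread(&t, sizeof t, 1, f) != 1) {
        if (f) fclose(f);
        fputs("no random source\n", stderr);
        abort();
    }
    fclose(f);
    return t;
}

void server_init(struct server *s) { memset(s, 0, sizeof *s); }

int slots_in_use(const struct server *s)
{
    int n = 0;
    for (int i = 0; i < MAX_SLOTS; i++) n += s->slot_used[i];
    return n;
}

static int take_slot(struct server *s, struct addr src)
{
    for (int i = 0; i < MAX_SLOTS; i++)
        if (!s->slot_used[i]) { s->slot_used[i] = 1; s->slots[i] = src; return i; }
    return -1;
}

/* Legacy behaviour (CVE-2018-18541 class): the first packet from any source
 * is trusted and a slot is assigned at once. Since UDP source addresses are
 * attacker-controlled, a few forged packets fill every slot, and any large
 * reply (map data) goes to the forged address as a reflection payload. */
int legacy_connect(struct server *s, struct addr src)
{
    return take_slot(s, src);
}

/* Handshake step 1: CONNECT from src. The server records (src, token) in the
 * bounded pending table and replies CHALLENGE(token) to src. No slot is
 * allocated, and the reply is a fixed, small message, so there is nothing to
 * exhaust and nothing to amplify. Returns 0 and the token to send. */
int handshake_connect(struct server *s, struct addr src, uint32_t *challenge_out)
{
    struct pending *p = NULL;
    for (int i = 0; i < MAX_PENDING; i++)
        if (s->pend[i].used && addr_eq(s->pend[i].peer, src)) { p = &s->pend[i]; break; }
    if (!p) {  /* evict round-robin: an attacker can churn entries, not hold slots */
        p = &s->pend[s->next_pend];
        s->next_pend = (s->next_pend + 1) % MAX_PENDING;
    }
    p->used = 1;
    p->peer = src;
    p->token = urandom_token();
    *challenge_out = p->token;
    return 0;
}

/* Handshake step 2: ACCEPT(token) from src. Only a token issued to exactly
 * this source address is honoured; a peer that forged src never received
 * CHALLENGE and cannot produce it. Returns the slot index or -1. */
int handshake_accept(struct server *s, struct addr src, uint32_t token)
{
    for (int i = 0; i < MAX_PENDING; i++) {
        struct pending *p = &s->pend[i];
        if (p->used && addr_eq(p->peer, src) && p->token == token) {
            p->used = 0;
            return take_slot(s, src);
        }
    }
    return -1;
}

int main(void)
{
    struct server s;
    struct addr spoof = { 0x0A000000u, 1234 };  /* constructed forged sources */
    uint32_t tok;

    server_init(&s);
    for (int i = 0; i < 10; i++) { spoof.ip++; legacy_connect(&s, spoof); }
    printf("legacy: slots in use after 10 spoofed packets = %d\n", slots_in_use(&s));

    server_init(&s);
    for (int i = 0; i < 10; i++) { spoof.ip++; handshake_connect(&s, spoof, &tok); }
    printf("handshake: slots in use after 10 spoofed CONNECTs = %d\n", slots_in_use(&s));
    return 0;
}
```

In the simulation the caller sees the token, so it can also play the honest client by echoing it; a real spoofer only sees the CONNECT it sent, and the CHALLENGE goes to the address it forged. Two properties matter when reviewing such a design: the pending table is bounded and the challenge reply is no larger than the request, so neither state nor bandwidth is amplified by unverified sources; and the token is bound to the full source address and consumed on use, so it cannot be replayed from another peer.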

This update was imported from the openSUSE:Leap:15.1:Update update project.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

– openSUSE Backports SLE-15-SP1:

zypper in -t patch openSUSE-2019-1999=1

Package List:

– openSUSE Backports SLE-15-SP1 (aarch64 ppc64le x86_64):

teeworlds-0.7.3.1-bp151.2.3.3

References:

https://www.suse.com/security/cve/CVE-2018-18541.html
https://www.suse.com/security/cve/CVE-2019-10877.html
https://www.suse.com/security/cve/CVE-2019-10878.html
https://www.suse.com/security/cve/CVE-2019-10879.html
https://bugzilla.suse.com/1112910
https://bugzilla.suse.com/1131729


To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org
