On 27/03/12 17:53, Florian Weimer wrote:
>> Would the security team want to do this via the security archive, since
>> it fixes a regression from a security fix, or should I talk to the stable
>> release team?
>
> Yes, please submit the final debdiff prior to the upload.

See attached. Markus Koschany, the reporter of the original bug, has offered to test the prerelease build from <http://alioth.debian.org/~smcv/> on a public OA server. I suggest we wait for some testing - there's no need to hurry for the regression fix, it'll be fine for almost 50 days :-)

Tremulous also has CVE-2010-5077, but it's contrib, so I assume you won't be issuing a DSA for that one? I've fixed it in unstable, and I'll talk to the stable release managers once it's hit testing.

Regards,
    S
diff --git a/debian/changelog b/debian/changelog index 424f15d..a8ee8d6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,7 +1,21 @@ +openarena (0.8.5-5+squeeze3) stable-security; urgency=low + + * Add CVE reference to changelog and patch for previous version, now that + one has been allocated + * Incorporate ioquake3 r1763 into the patch for rate-limiting, to fix + potential use of uninitialized variables if the network address family + is unexpected + * Apply ioquake3 r1898 to fix a regression caused by rate-limiting, + in which the server would stop responding to getstatus after an uptime + of 2**32 milliseconds (approximately 50 days) (Closes: #665945) + + -- Simon McVittie <s...@debian.org> Tue, 27 Mar 2012 21:49:11 +0100 + openarena (0.8.5-5+squeeze2) stable-security; urgency=low * Apply ioquake3 r1762 to rate-limit getstatus and rcon connectionless - packets, to avoid their use for traffic amplification. (Closes: #665656) + packets, to avoid their use for traffic amplification. + CVE-2010-5077 (Closes: #665656) -- Simon McVittie <s...@debian.org> Sun, 25 Mar 2012 19:34:53 +0100 diff --git a/debian/patches/0043-Rate-limit-getstatus-and-rcon-connectionless-request.patch b/debian/patches/0043-Rate-limit-getstatus-and-rcon-connectionless-request.patch index 383358c..628f85c 100644 --- a/debian/patches/0043-Rate-limit-getstatus-and-rcon-connectionless-request.patch +++ b/debian/patches/0043-Rate-limit-getstatus-and-rcon-connectionless-request.patch @@ -1,9 +1,14 @@ 
From: Tim Angus <tma> Date: Sun, 3 Jan 2010 22:12:20 +0000 -Subject: [PATCH] * Rate limit getstatus and rcon connectionless requests +Subject: Rate limit getstatus and rcon connectionless requests -Origin: upstream (ioquake3), commit:1762 +[This patch also includes r1763, fixing potential dereference of an +uninitialized pointer if the network address family is neither IPv4 nor +IPv6. -smcv] + +Origin: upstream (ioquake3), commit:1762, commit:1763 Bug-Debian: http://bugs.debian.org/665656 +CVE: CVE-2010-5077 --- code/server/sv_main.c | 217 ++++++++++++++++++++++++++++++++++++++++++++++--- 1 files changed, 207 insertions(+), 10 deletions(-) @@ -46,8 +51,8 @@ index 6215791..b88cc11 100644 +================ +*/ +static long SVC_HashForAddress( netadr_t address ) { -+ byte *ip; -+ size_t size; ++ byte *ip = NULL; ++ size_t size = 0; + int i; + long hash = 0; + diff --git a/debian/patches/0044-Fix-Sys_Milliseconds-wrapping-causing-the-flood-prot.patch b/debian/patches/0044-Fix-Sys_Milliseconds-wrapping-causing-the-flood-prot.patch new file mode 100644 index 0000000..21ee8d6 --- /dev/null +++ b/debian/patches/0044-Fix-Sys_Milliseconds-wrapping-causing-the-flood-prot.patch 
@@ -0,0 +1,28 @@ +From: Tim Angus <tma> +Date: Fri, 18 Feb 2011 23:46:02 +0000 +Subject: Fix Sys_Milliseconds wrapping causing the flood protection + code to malfunction and block all traffic (reported by bubu^) + +Origin: upstream (ioquake3), commit:1898 +Bug-Debian: http://bugs.debian.org/665945 +--- + code/server/sv_main.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +diff --git a/engine/code/server/sv_main.c b/engine/code/server/sv_main.c +index 3cb9f4f..01411cb 100644 +--- a/engine/code/server/sv_main.c ++++ b/engine/code/server/sv_main.c +@@ -444,7 +444,8 @@ static leakyBucket_t *SVC_BucketForAddress( netadr_t address, int burst, int per + interval = now - bucket->lastTime; + + // Reclaim expired buckets +- if ( bucket->lastTime > 0 && interval > ( burst * period ) ) { ++ if ( bucket->lastTime > 0 && ( interval > ( burst * period ) || ++ interval < 0 ) ) { + if ( bucket->prev != NULL ) { + bucket->prev->next = bucket->next; + } else { +-- +1.7.9.1 + diff --git a/debian/patches/series b/debian/patches/series index 5e83306..9cbc87b 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -36,3 +36,4 @@ 0041-If-a-QVM-starts-with-NTVE-followed-by-a-nonempty-str.patch 0042-G_Damage-check-before-dereferencing-targ-client-whic.patch 0043-Rate-limit-getstatus-and-rcon-connectionless-request.patch +0044-Fix-Sys_Milliseconds-wrapping-causing-the-flood-prot.patch
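Review bot: In the SVC_HashForAddress hunk of 0043, `byte *ip = NULL;` and `size_t size = 0;` remove the uninitialized read for an address family that is neither IPv4 nor IPv6, but the patch should also document the resulting behaviour: if the hashing loop that follows walks `size` bytes, nothing is read for such an address and `hash` keeps its initial `0`, so every unexpected-family source maps to the same bucket and shares one rate limit. A sentence in the `[... -smcv]` note stating that this is the intended fallback (and that it only affects families the server does not otherwise serve) would save the next reader from wondering whether those packets are rate-limited at all.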
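Review bot: In the 0044 hunk, adding `interval < 0` to the reclaim condition is the right way to treat a wrapped `Sys_Milliseconds()` as an expired bucket, but `interval = now - bucket->lastTime` only yields a negative value because the subtraction wraps; if `now` and `lastTime` are signed `int`s that overflow is undefined behaviour in C, so either a comment stating the wrap assumption or computing the difference in unsigned arithmetic before the sign test would make the fix robust against compiler optimization. Separately, the diffstat in this patch lists `code/server/sv_main.c` while the `diff --git` lines name `engine/code/server/sv_main.c`; quilt ignores the diffstat, but the two should agree so the patch header is not misleading.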