Control: retitle -1 CVE-2017-11721: read buffer overflow in MSG_ReadBits
Control: tags -1 + upstream fixed-upstream patch
Control: forwarded -1 https://github.com/ioquake/ioq3/commit/d2b1d124d4055c2fcbe5126863487c52fd58cca1
On Fri, 04 Aug 2017 at 16:30:46 +0200, Moritz Muehlenhoff wrote:
> Please see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11721

I have fixed this in unstable with a newer upstream snapshot.

I suspect that the bug is also present in all older suites, but I have not had time to research that. Any suite where the upstream commit cherry-picks successfully is probably vulnerable.

I am travelling (to Debconf) and finishing writing a talk, so I will be unable to address this in older suites for now. If someone from the security or games team wants to prepare and upload a backport of the commit referenced by MITRE, please go ahead.

From the commit message and a quick read through the code, my understanding is that only the MSG_ReadBits side is security-sensitive, with the MSG_WriteBits side being merely for correctness (the buffer overflow check is too pessimistic and will sometimes report an overflow when there are in fact a few bytes left); but I could be wrong, and taking the entire commit is probably the safer option.

The debian/stretch and debian/jessie branches in https://anonscm.debian.org/git/pkg-games/ioquake3.git should be up to date, and that git repository also contains the upstream commit d2b1d124d4055c2fcbe5126863487c52fd58cca1.

Otherwise, I'll come back to this after I've given my talk at Debconf, assuming I can recruit someone running stable to smoke-test the new version.

Thanks,
    S
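As an added illustration of the distinction the message draws between a read-side bound that must be exact (a read past the end of the buffer is memory-unsafe) and a write-side bound that is merely "too pessimistic" (it refuses a write that would fit): the following is example code written for this page, not ioquake3's msg.c and not the content of commit d2b1d124. It is a minimal LSB-first bit reader over a constructed two-byte message. bitmsg_fits compares bit positions, so a 13-bit read that exactly exhausts the buffer is allowed; bitmsg_fits_pessimistic rounds both the cursor and the request up to whole bytes and refuses that same read. A read that really would run past the end is refused and flagged in overflowed rather than indexing past the buffer. The type and function names (bitmsg_t, bitmsg_read_bits, ...) and the bit-packing order are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical bit-level message reader (names and layout are assumptions
 * for this example, not ioquake3's msg.c). Bits are packed LSB-first
 * within each byte, which is the only convention this example needs. */
typedef struct {
    const uint8_t *data;
    size_t cursize;    /* length of data in bytes */
    size_t bit;        /* read cursor, in bits from the start of data */
    int overflowed;    /* sticky flag: a read was refused for running past the end */
} bitmsg_t;

/* Constructed sample message: 0xA5 = 1010 0101, 0x3C = 0011 1100. */
static const uint8_t kSampleMsg[] = { 0xA5, 0x3C };

void bitmsg_init(bitmsg_t *m, const uint8_t *data, size_t len)
{
    m->data = data;
    m->cursize = len;
    m->bit = 0;
    m->overflowed = 0;
}

/* Bit-exact bound: the read fits iff it ends on or before the last bit. */
int bitmsg_fits(const bitmsg_t *m, int bits)
{
    return bits >= 1 && bits <= 32 && m->bit + (size_t)bits <= m->cursize * 8;
}

/* Byte-rounded bound of the kind the message above calls "too pessimistic":
 * it rounds both the cursor and the request up to whole bytes, so a read
 * that would exactly fill the remaining bits is refused even though it fits. */
int bitmsg_fits_pessimistic(const bitmsg_t *m, int bits)
{
    size_t cur_bytes = (m->bit + 7) / 8;
    size_t need_bytes = ((size_t)bits + 7) / 8;
    return bits >= 1 && bits <= 32 && cur_bytes + need_bytes <= m->cursize;
}

/* Reads `bits` (1..32) and returns them as an unsigned value. A read that
 * would run past cursize is refused: it sets overflowed, leaves the cursor
 * where it was and returns 0, so data[] is never indexed out of bounds. */
uint32_t bitmsg_read_bits(bitmsg_t *m, int bits)
{
    uint32_t value = 0;
    if (!bitmsg_fits(m, bits)) {
        m->overflowed = 1;
        return 0;
    }
    for (int i = 0; i < bits; i++) {
        uint32_t b = (m->data[m->bit >> 3] >> (m->bit & 7)) & 1u;
        value |= b << i;
        m->bit++;
    }
    return value;
}

/* Walks the sample message: 3 bits, then the remaining 13, then one too many.
 * Returns 1 if every step behaved as expected, 0 otherwise. */
int bitmsg_selftest(void)
{
    bitmsg_t m;
    bitmsg_init(&m, kSampleMsg, sizeof kSampleMsg);

    if (bitmsg_read_bits(&m, 3) != 5 || m.overflowed) return 0;   /* low 3 bits of 0xA5 */
    /* 13 bits remain: the exact check allows the read, the byte-rounded one does not. */
    if (!bitmsg_fits(&m, 13) || bitmsg_fits_pessimistic(&m, 13)) return 0;
    if (bitmsg_read_bits(&m, 13) != 1940 || m.overflowed) return 0;  /* 0x3CA5 >> 3 */
    /* Buffer exhausted: one more bit must be refused, not read from past the end. */
    if (bitmsg_read_bits(&m, 1) != 0 || !m.overflowed || m.bit != 16) return 0;
    return 1;
}

int main(void)
{
    int ok = bitmsg_selftest();
    printf("bit reader self-test: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

The point to take from the self-test is the asymmetry: when a writer's check is pessimistic the cost is a spurious overflow report, but when a reader's check is off by even one bit the loop indexes data[] beyond cursize, which is why the read side is the part to backport carefully.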