Moritz Muehlenhoff <[EMAIL PROTECTED]> (11/01/2007):
> Security databases typically don't investigate very much; they only
> provide a quick write-up. Can you please contact upstream?

Sure. Here is a little cut & paste from #alientrap/irc.irule.net:

<KiBi> As a member of the Debian Games Team, I'd like to get some precisions about CVE-2006-6610
<div0> ok
<KiBi> It is stated about "remote console command injection", but I'd like to know whether that means game command injection or arbitrary shell commands
<div0> anyone could inject Quake console commands...
<div0> not shell commands
<div0> the impact is overwriting config files in ~/.nexuiz and DoS against the server
<div0> it should not be possible to destroy anything else
<KiBi> OK, many thanks.
<div0> and of course manipulation of the server, like changing its host name or MOTD for propaganda or stuff like that
<KiBi> Sure. Just wanted to know about ``outside impact''.
<div0> so if someone was affected by such an attack, I'd recommend "rm -rf ~/.nexuiz" and restoring the config directory

> > Since 2.2.1-1 has been in sid for 26 days, I was wondering whether
> > pushing this version into etch would be an acceptable fix.
>
> I agree that would be a viable approach. It also features better
> multi-player compatibility.

Shall I ask on debian-release for a hint, with a [security] tag in the topic or something like that, or something totally different?

You can also contact me on OFTC, nickname: KiBi.

Cheers,

--
Cyril Brulebois