Debian Bug report logs - #617960
widelands: potential security issue in internet games

Package: widelands; Maintainer for widelands is Debian Games Team <pkg-games-devel@lists.alioth.debian.org>; Source for widelands is src:widelands.

Reported by: Ansgar Burchardt <ansgar@2008.43-1.org>

Date: Sat, 12 Mar 2011 21:27:02 UTC

Severity: grave

Tags: security, upstream

Found in version widelands/1:15-2

Fixed in versions widelands/1:15-3, widelands/1:15-3squeeze1

Done: Enrico Tassi <gareuselesinge@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Martin Quinson <mquinson@debian.org>:
Bug#617960; Package widelands. (Sat, 12 Mar 2011 21:27:05 GMT)

Message #3 received at submit@bugs.debian.org:

From: Ansgar Burchardt <ansgar@2008.43-1.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: widelands: potential security issue in internet games
Date: Sat, 12 Mar 2011 22:23:42 +0100
Package: widelands
Version: 1:15-2
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

there is a fix[1] for a potential security issue in internet games
available upstream.  It looks like this might allow overwriting
arbitrary files as the user, but I have not done any verification.

Regards,
Ansgar

[1] <http://bazaar.launchpad.net/~widelands-dev/widelands/build-15/revision/5021>




Reply sent to Enrico Tassi <gareuselesinge@debian.org>:
You have taken responsibility. (Wed, 23 Mar 2011 23:09:07 GMT)

Notification sent to Ansgar Burchardt <ansgar@2008.43-1.org>:
Bug acknowledged by developer. (Wed, 23 Mar 2011 23:09:07 GMT)

Message #8 received at 617960-close@bugs.debian.org:

From: Enrico Tassi <gareuselesinge@debian.org>
To: 617960-close@bugs.debian.org
Subject: Bug#617960: fixed in widelands 1:15-3
Date: Wed, 23 Mar 2011 23:06:25 +0000
Source: widelands
Source-Version: 1:15-3

We believe that the bug you reported is fixed in the latest version of
widelands, which is due to be installed in the Debian FTP archive:

widelands-data_15-3_all.deb
  to main/w/widelands/widelands-data_15-3_all.deb
widelands-dbg_15-3_amd64.deb
  to main/w/widelands/widelands-dbg_15-3_amd64.deb
widelands_15-3.debian.tar.gz
  to main/w/widelands/widelands_15-3.debian.tar.gz
widelands_15-3.dsc
  to main/w/widelands/widelands_15-3.dsc
widelands_15-3_amd64.deb
  to main/w/widelands/widelands_15-3_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 617960@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Enrico Tassi <gareuselesinge@debian.org> (supplier of updated widelands package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Wed, 23 Mar 2011 09:47:28 +0100
Source: widelands
Binary: widelands widelands-data widelands-dbg
Architecture: source amd64 all
Version: 1:15-3
Distribution: unstable
Urgency: high
Maintainer: Martin Quinson <mquinson@debian.org>
Changed-By: Enrico Tassi <gareuselesinge@debian.org>
Description: 
 widelands  - fantasy real-time strategy game
 widelands-data - fantasy real-time strategy game (data files)
 widelands-dbg - fantasy real-time strategy game (debug cruft)
Closes: 617960
Changes: 
 widelands (1:15-3) unstable; urgency=high
 .
   * Closes a potential security issue in internet games.
     Added: patches/secfix-617960 (Closes: #617960)





Information forwarded to debian-bugs-dist@lists.debian.org, Martin Quinson <mquinson@debian.org>:
Bug#617960; Package widelands. (Sat, 26 Mar 2011 23:45:06 GMT)

Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Martin Quinson <mquinson@debian.org>. (Sat, 26 Mar 2011 23:45:06 GMT)

Message #13 received at 617960@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: 617960@bugs.debian.org
Cc: gareuselesinge@debian.org
Subject: Re: Bug#617960 closed by Enrico Tassi <gareuselesinge@debian.org> (Bug#617960: fixed in widelands 1:15-3)
Date: Sat, 26 Mar 2011 23:42:12 +0000
Dear maintainer,

Recently you fixed one or more security problems as identified in the subject.
These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

lenny (5.0.9)
squeeze (6.0.2)

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

Alternatively, if the suite is not affected by this problem please tell
me and I will update our tracker.

I will happily assist you at any stage if the patch is straightforward and
you need help or lack time. Please keep me in CC at all times so I can
track the progress of this request.

For details of this process and the rationale, please see the original
announcement [1] and my blog post [2].

0: debian-release@lists.debian.org
1: <201101232332.11736.thijs@debian.org>
2: http://deb.li/prsc

Thanks,

with his security hat on:
-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

Information forwarded to debian-bugs-dist@lists.debian.org, Martin Quinson <mquinson@debian.org>:
Bug#617960; Package widelands. (Fri, 01 Apr 2011 21:48:02 GMT)

Acknowledgement sent to <debian@desserud.org>:
Extra info received and forwarded to list. Copy sent to Martin Quinson <mquinson@debian.org>. (Fri, 01 Apr 2011 21:48:02 GMT)

Message #18 received at 617960@bugs.debian.org:

From: <debian@desserud.org>
To: 617960@bugs.debian.org
Subject: Patch update
Date: Fri, 01 Apr 2011 22:33:45 +0200
I have to admit I haven't looked closely at the new package in Debian, so this might not (hopefully) be relevant. However, please note that the initial patch contained a bug which made it impossible to play multiplayer games. This was fixed in the following commits, and it should probably be applied in addition to the original patch:

Commit for build15 : http://bazaar.launchpad.net/~widelands-dev/widelands/build-15/revision/5022/
The same commit in trunk (with a bit better description) : http://bazaar.launchpad.net/~widelands-dev/widelands/trunk/revision/5887

Best regards,
Hans Joachim Desserud




Reply sent to Enrico Tassi <gareuselesinge@debian.org>:
You have taken responsibility. (Wed, 20 Apr 2011 02:04:01 GMT)

Notification sent to Ansgar Burchardt <ansgar@2008.43-1.org>:
Bug acknowledged by developer. (Wed, 20 Apr 2011 02:04:01 GMT)

Message #23 received at 617960-close@bugs.debian.org:

From: Enrico Tassi <gareuselesinge@debian.org>
To: 617960-close@bugs.debian.org
Subject: Bug#617960: fixed in widelands 1:15-3squeeze1
Date: Wed, 20 Apr 2011 01:56:22 +0000
Source: widelands
Source-Version: 1:15-3squeeze1

We believe that the bug you reported is fixed in the latest version of
widelands, which is due to be installed in the Debian FTP archive:

widelands-data_15-3squeeze1_all.deb
  to main/w/widelands/widelands-data_15-3squeeze1_all.deb
widelands-dbg_15-3squeeze1_amd64.deb
  to main/w/widelands/widelands-dbg_15-3squeeze1_amd64.deb
widelands_15-3squeeze1.debian.tar.gz
  to main/w/widelands/widelands_15-3squeeze1.debian.tar.gz
widelands_15-3squeeze1.dsc
  to main/w/widelands/widelands_15-3squeeze1.dsc
widelands_15-3squeeze1_amd64.deb
  to main/w/widelands/widelands_15-3squeeze1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 617960@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Enrico Tassi <gareuselesinge@debian.org> (supplier of updated widelands package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Tue, 19 Apr 2011 14:35:07 +0200
Source: widelands
Binary: widelands widelands-data widelands-dbg
Architecture: source amd64 all
Version: 1:15-3squeeze1
Distribution: stable
Urgency: high
Maintainer: Martin Quinson <mquinson@debian.org>
Changed-By: Enrico Tassi <gareuselesinge@debian.org>
Description: 
 widelands  - fantasy real-time strategy game
 widelands-data - fantasy real-time strategy game (data files)
 widelands-dbg - fantasy real-time strategy game (debug cruft)
Closes: 617960
Changes: 
 widelands (1:15-3squeeze1) stable; urgency=high
 .
   * Closes a potential security issue in internet games.
     Added: patches/secfix-617960 (Closes: #617960)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 26 Jun 2011 07:36:17 GMT)

Bug unarchived. Request was from Jonathan Wiltshire <jmw@debian.org> to control@bugs.debian.org. (Mon, 04 Jul 2011 22:15:06 GMT)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 02 Aug 2011 07:35:53 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 13:58:03 2014; Machine Name: buxtehude.debian.org
