<?xml version="1.0" encoding="utf-8"?>
<glsa id="200901-06">
<title>Tremulous: User-assisted execution of arbitrary code</title>
A buffer overflow vulnerability has been discovered in Tremulous.
<product type="ebuild">tremulous tremulous-bin</product>
<announced>January 11, 2009</announced>
<revised>January 11, 2009: 01</revised>
<package name="games-fps/tremulous" auto="yes" arch="*">
<unaffected range="ge">1.1.0-r2</unaffected>
<vulnerable range="lt">1.1.0-r2</vulnerable>
</package>
<package name="games-fps/tremulous-bin" auto="yes" arch="*">
<vulnerable range="lt">1.1.0</vulnerable>
</package>
Tremulous is a team-based First Person Shooter game.
It has been reported that Tremulous includes a vulnerable version of
the ioQuake3 engine (GLSA 200605-12, CVE-2006-2236).
<impact type="normal">
A remote attacker could entice a user to connect to a malicious games
server, possibly resulting in the execution of arbitrary code with the
privileges of the user running the application.
</impact>
There is no known workaround at this time.
Tremulous users should upgrade to the latest version:
<code>
# emerge --sync
# emerge --ask --oneshot --verbose &quot;&gt;=games-fps/tremulous-1.1.0-r2&quot;</code>
Note: The binary version of Tremulous has been removed from the Portage
<uri link="">CVE-2006-2236</uri>
<uri link="/security/en/glsa/glsa-200605-12.xml">GLSA 200605-12</uri>
<metadata tag="requester" timestamp="Mon, 13 Oct 2008 16:40:23 +0000"></metadata>
<metadata tag="submitter" timestamp="Sat, 10 Jan 2009 22:54:22 +0000"></metadata>
<metadata tag="bugReady" timestamp="Sat, 10 Jan 2009 22:54:33 +0000"></metadata>
</glsa>