This bug was fixed in the package redeclipse - 1.2-2ubuntu0.1
---------------
redeclipse (1.2-2ubuntu0.1) precise-security; urgency=low
* SECURITY UPDATE:
Game maps can in cube2-engine games be transmitted either from server
to client or from client to client, which includes a config file
(mapname.cfg) which is in "cubescript" format, this makes it possible
for an attacker to send a malign script via a new map (which must be
chosen by admin on a server, or created in cooperative editing mode). A
script like this could trivially read/write to any files which the user
running the client has access to (it is executed when the client loads
the map). (LP: #1034148)
- Add debian/patches/security-text-command-fix.patch
This patch stops "textedit" commands being able to be run in map-run
scripts, thus disabling the ability to read/write to user files.
-- Martin Erik Werner <[email protected]> Thu, 02 Aug 2012 15:01:30
+0200
** Changed in: redeclipse (Ubuntu)
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1034148
Title:
redeclipse: security issues with transmitted map cfgs
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/redeclipse/+bug/1034148/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
