Package: sgt-puzzles
Version: 20220801.89391ba-1
Severity: serious
Tags: security
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>

Ben Harris found multiple issues in sgt-puzzles where a malformed game
description or save file can lead to integer overflow or buffer overflow.
These were fixed upstream today, and I'll upload the changes to unstable
shortly.

The Debian package doesn't register any media type handler for save files,
so I think this can only be exploited by social-engineering a user into
loading such a file or description.

Ben.

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'oldstable-updates'), (500, 'unstable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.0.0-6-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages sgt-puzzles depends on:
ii  libc6                 2.36-6
ii  libcairo2             1.16.0-7
ii  libgdk-pixbuf-2.0-0   2.42.10+dfsg-1
ii  libglib2.0-0          2.74.3-1
ii  libgtk-3-0            3.24.35-3
ii  libpango-1.0-0        1.50.12+ds-1
ii  libpangocairo-1.0-0   1.50.12+ds-1

Versions of packages sgt-puzzles recommends:
ii  chromium [www-browser]  108.0.5359.124-1
ii  firefox [www-browser]   108.0-2
ii  lynx [www-browser]      2.9.0dev.10-1+b1
ii  xdg-utils               1.1.3-4.1

sgt-puzzles suggests no packages.

-- debconf-show failed
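The report does not describe the individual bugs, but the class it names (a game description or save file whose dimensions or element counts are trusted before they are checked, so a size computation wraps or a copy outruns its buffer) has a standard shape and a standard defence. The following is an added illustration, not sgt-puzzles code and not the upstream fix: it parses a hypothetical "WxH:" grid format invented for this example, assumes an arbitrary MAX_DIM of 1024, and shows the checks a description parser needs so that the buffer it allocates and the amount it copies are always derived from the same validated value.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical format (constructed for this example, not a real puzzle
 * format): "WxH:" followed by exactly W*H cell characters, each '.' or '#'. */

#define MAX_DIM 1024   /* assumed upper bound on either dimension */

typedef struct {
    int w, h;
    char *cells;       /* w*h bytes plus NUL, heap allocated */
} grid_t;

enum {
    GRID_OK = 0,
    GRID_ERR_SYNTAX = -1,   /* dimension missing, non-numeric, or out of range */
    GRID_ERR_OVERFLOW = -2, /* w*h would not fit in size_t */
    GRID_ERR_LENGTH = -3,   /* cell data shorter or longer than w*h */
    GRID_ERR_CELL = -4,     /* cell character outside the allowed set */
    GRID_ERR_NOMEM = -5
};

/* Parse one decimal dimension at *p. strtol's ERANGE result catches values
 * that do not fit in a long; the explicit range check then rejects zero,
 * negatives and anything above MAX_DIM, so w*h can never wrap later. */
static bool parse_dim(const char **p, int *out)
{
    char *end;
    errno = 0;
    long v = strtol(*p, &end, 10);
    if (end == *p || errno == ERANGE || v < 1 || v > MAX_DIM)
        return false;
    *p = end;
    *out = (int)v;
    return true;
}

int parse_grid(const char *desc, grid_t *g)
{
    const char *p = desc;
    int w, h;

    if (!parse_dim(&p, &w) || *p++ != 'x')
        return GRID_ERR_SYNTAX;
    if (!parse_dim(&p, &h) || *p++ != ':')
        return GRID_ERR_SYNTAX;

    /* Overflow-safe cell count. Unreachable with MAX_DIM = 1024, but kept
     * so that raising MAX_DIM later cannot silently reintroduce the wrap. */
    if ((size_t)w > SIZE_MAX / (size_t)h)
        return GRID_ERR_OVERFLOW;
    size_t ncells = (size_t)w * (size_t)h;

    /* Validate the payload length and content BEFORE allocating or copying:
     * a short payload would otherwise leave the buffer partly uninitialised,
     * a long one would be silently truncated or overrun a fixed buffer. */
    if (strlen(p) != ncells)
        return GRID_ERR_LENGTH;
    for (size_t i = 0; i < ncells; i++)
        if (p[i] != '.' && p[i] != '#')
            return GRID_ERR_CELL;

    char *cells = malloc(ncells + 1);
    if (!cells)
        return GRID_ERR_NOMEM;
    memcpy(cells, p, ncells + 1);   /* ncells bytes plus the terminating NUL */

    g->w = w;
    g->h = h;
    g->cells = cells;
    return GRID_OK;
}

void grid_free(grid_t *g)
{
    free(g->cells);
    g->cells = NULL;
}

/* Convenience wrapper: parse, release the grid, report the result code. */
int parse_rc(const char *desc)
{
    grid_t g;
    int rc = parse_grid(desc, &g);
    if (rc == GRID_OK)
        grid_free(&g);
    return rc;
}

int main(void)
{
    /* Constructed sample descriptions: one valid, three malformed. */
    const char *inputs[] = { "3x2:..#.#.", "3x2:..#",
                             "99999999999999999999x2:..", "0x2:" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-28s -> %d\n", inputs[i], parse_rc(inputs[i]));
    return 0;
}
```

The ordering is the point: dimensions are range-checked as they are parsed, the product is checked before it is used as a size, and the payload is measured against that size before a single byte is allocated or copied. A parser that allocates from the header and then copies "whatever follows" has three separate places to go wrong; this one has none, because every later step consumes a value an earlier step already bounded.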