OpenArena Message Boards

OpenArena Contributions => Development => Topic started by: Peter Silie on February 08, 2013, 07:31:53 am



Title: Critical Bug in cURL
Post by: Peter Silie on February 08, 2013, 07:31:53 am
Important?
http://curl.haxx.se/docs/adv_20130206.html


Title: Re: Critical Bug in cURL
Post by: Gig on February 08, 2013, 07:46:27 am
I don't know, but I don't see why OpenArena should use POP3, IMAP and SMTP protocols.

But I don't even know if OpenArena uses that libcurl at all... Sago or Fromhell should know a such thing. I don't know... maybe also if POP3, IMAP and SMTP are not effectively used by a program (that uses other parts of libcurl), they may be exploited anyway? I have no idea.


Title: Re: Critical Bug in cURL
Post by: andrewj on February 09, 2013, 03:29:56 am
ioquake3 uses libcurl.

POP3, IMAP and SMTP are all email-related protocols -- I'm pretty sure ioquake3 does not use them and hence it (and OpenArena) are not affected by this vulnerability.



Title: Re: Critical Bug in cURL
Post by: Peter Silie on February 10, 2013, 04:02:02 am
As far as i had understand this bug, it is a problem of the request.
So if the client request a pop3 action, you get the problem.

But maybe i am just wrong...


Title: Re: Critical Bug in cURL
Post by: sago007 on February 10, 2013, 02:53:17 pm
The vulnerability is not present in curl versions before 7.26.0.
I believe the windows version of ioqauke3-engine uses 7.15.5. Although that is very hard to see for certain.

The Linux version of the engine uses the curl version from the OS. It will likely be patched already.

If someones sees a server with sv_dlURL set to "smtp:SOMETHING", it may be an attempt to exploit an affected client.