Critical Bug in cURL

Welcome, Guest. Please login or register.

News: Future of OA

Registration is temporarily closed.

This is the official OpenArena site for the game content. We have nothing to do with other versions (mobile, etc).

OpenArena Message Boards > OpenArena Contributions > Development > Critical Bug in cURL

Pages: [1]

« previous next »

Author

Topic: Critical Bug in cURL (Read 8707 times)

Peter Silie

Member

Cakes 2008
Posts: 610

Critical Bug in cURL

« on: February 08, 2013, 07:31:53 AM »

Important?
http://curl.haxx.se/docs/adv_20130206.html


	Logged

Gig

In the year 3000

Cakes 45
Posts: 4394

Re: Critical Bug in cURL

« Reply #1 on: February 08, 2013, 07:46:27 AM »

I don't know, but I don't see why OpenArena should use POP3, IMAP and SMTP protocols.

But I don't even know if OpenArena uses that libcurl at all... Sago or Fromhell should know a such thing. I don't know... maybe also if POP3, IMAP and SMTP are not effectively used by a program (that uses other parts of libcurl), they may be exploited anyway? I have no idea.


	Logged

I never want to be aggressive, offensive or ironic with my posts. If you find something offending in my posts, read them again searching for a different mood there. If you still see something bad with them, please ask me infos. I can be wrong at times, but I never want to upset anyone.

andrewj

Member

Cakes 24
Posts: 584

Re: Critical Bug in cURL

« Reply #2 on: February 09, 2013, 03:29:56 AM »

ioquake3 uses libcurl.

POP3, IMAP and SMTP are all email-related protocols -- I'm pretty sure ioquake3 does not use them and hence it (and OpenArena) are not affected by this vulnerability.


« Last Edit: February 09, 2013, 03:32:24 AM by andrewj »	Logged

Peter Silie

Member

Cakes 2008
Posts: 610

Re: Critical Bug in cURL

« Reply #3 on: February 10, 2013, 04:02:02 AM »

As far as i had understand this bug, it is a problem of the request.
So if the client request a pop3 action, you get the problem.

But maybe i am just wrong...


	Logged

sago007

Posts a lot

Cakes 62
Posts: 1664

Open Arena Developer

Re: Critical Bug in cURL

« Reply #4 on: February 10, 2013, 02:53:17 PM »

The vulnerability is not present in curl versions before 7.26.0.
I believe the windows version of ioqauke3-engine uses 7.15.5. Although that is very hard to see for certain.

The Linux version of the engine uses the curl version from the OS. It will likely be patched already.

If someones sees a server with sv_dlURL set to "smtp:SOMETHING", it may be an attempt to exploit an affected client.


	Logged

There are nothing offending in my posts.

Pages: [1]

« previous next »

Jump to: