Update Info


Security update for teeworlds

Type: security
Severity: moderate
Issued: 2019-08-24
This update for teeworlds fixes the following issues:

- CVE-2019-10879: An integer overflow in CDataFileReader::Open() could have led to a buffer overflow and possibly remote code execution, because size-related multiplications were mishandled. (boo#1131729)
- CVE-2019-10878: A failed bounds check in CDataFileReader::GetData() and CDataFileReader::ReplaceData() and related functions could have led to an arbitrary free and out-of-bounds pointer write, possibly resulting in remote code execution.
- CVE-2019-10877: An integer overflow in CMap::Load() could have led to a buffer overflow, because the multiplication of width and height was mishandled.
- CVE-2018-18541: Connection packets could have been forged. There was no challenge-response involved in the connection build-up. A remote attacker could have sent connection packets from a spoofed IP address and occupied all server slots, or even used them for a reflection attack using map download packets. (boo#1112910)
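
The size-multiplication bug class named in CVE-2019-10879 and CVE-2019-10877, shown as an added example that is not Teeworlds code: a 32-bit product of attacker-supplied dimensions wraps to a small value, while the checked form rejects the layer. The names tile_t, tiles_bytes_unchecked, tiles_bytes_checked and layer_ok and the 4-byte tile layout are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical 4-byte tile record (assumption, not the project's layout). */
typedef struct { uint8_t index, flags, skip, reserved; } tile_t;

/* Unsafe pattern: the product is computed in 32 bits and silently wraps,
 * so a huge declared layer can yield a tiny (or zero) byte count. */
static uint32_t tiles_bytes_unchecked(int32_t width, int32_t height)
{
    return (uint32_t)width * (uint32_t)height * (uint32_t)sizeof(tile_t);
}

/* Checked form: returns 0 and stores the byte count in *out, or -1 when
 * the dimensions are non-positive or the size does not fit in size_t. */
static int tiles_bytes_checked(int32_t width, int32_t height, size_t *out)
{
    if (width <= 0 || height <= 0)
        return -1;
    /* Two positive 31-bit values multiplied in 64 bits cannot overflow. */
    uint64_t count = (uint64_t)width * (uint64_t)height;
    if (count > SIZE_MAX / sizeof(tile_t))
        return -1;
    *out = (size_t)count * sizeof(tile_t);
    return 0;
}

/* Accept a layer only if the bytes it claims to need are actually present
 * in the data block that was read from the file (data_len). */
static int layer_ok(int32_t width, int32_t height, size_t data_len)
{
    size_t need;
    if (tiles_bytes_checked(width, height, &need) != 0)
        return 0;
    return need <= data_len;
}

int main(void)
{
    /* Constructed input: 65536 x 16384 tiles of 4 bytes is exactly 2^32. */
    printf("unchecked size: %u\n", (unsigned)tiles_bytes_unchecked(65536, 16384));
    printf("checked accepts oversized layer: %d\n", layer_ok(65536, 16384, 1024));
    printf("checked accepts 16x16 layer:     %d\n", layer_ok(16, 16, 1024));
    return 0;
}
```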

- Update to version
  * Colorful gametype and level icons in the browser instead of
  * Add an option to use raw mouse inputs, revert to (0.6) relative
    mode by default.
  * Demo list marker indicator.
  * Restore ingame Player and Tee menus, add a warning that a
    reconnect is needed.
  * Emotes can now be cancelled by releasing the mouse in the
    middle of the circle.
  * Improve add friend text.
  * Add a confirmation for removing a filter
  * Add a "click a player to follow" hint
  * Also hint players which key they should press to set themselves
  * fixed using correct array measurements when placing egg doodads
  * fixed demo recorder downloaded maps using the sha256 hash
  * show correct game release version in the start menu and console
  * Fix platform-specific client libraries for Linux
  * advanced scoreboard with game statistics
  * joystick support (experimental!)
  * copy paste (one-way)
  * bot cosmetics (a visual difference between players and NPCs)
  * chat commands (type / in chat)
  * players can change skin without leaving the server (again)
  * live automapper and complete rules for 0.7 tilesets
  * audio toggling HUD
  * an Easter surprise...
  * new gametypes: "last man standing" (LMS) and "last team standing"
    (LTS). survive by your own or as a team with limited weaponry
  * 64 players support. official gametypes are still restricted to 16
    players maximum but allow more spectators
  * new skin system. build your own skins based on a variety of
    provided parts
  * enhanced security. all communications require a handshake and use
    a token to counter spoofing and reflection attacks
  * new maps: ctf8, dm3, lms1. Click to discover them!
  * animated background menu map: jungle, heavens (day/night themes,
    customisable in the map editor)
  * new design for the menus: added start menus, reworked server
    browser, settings
  * customisable gametype icons (browser). make your own!
  * chat overhaul, whispers (private messages)
  * composed binds (ctrl+, shift+, alt+)
  * scoreboard remodelled, now shows kills/deaths
  * demo markers
  * master server list cache (in case the masters are unreachable)
  * input separated from rendering (optimisation)
  * upgrade to SDL2. support for multiple monitors, non-english
    keyboards, and more
  * broadcasts overhaul, optional colours support
  * ready system, for competitive settings
  * server difficulty setting (casual, competitive, normal), shown in
    the browser
  * spectator mode improvements: follow flags, click on players
  * bot flags for modified servers: indicate NPCs, can be filtered out
    in the server browser
  * sharper graphics all around (no more tileset_borderfix and dilate)
  * refreshed the HUD, ninja cooldown, new mouse cursor
  * mapres update (higher resolution, fixes...)

This update was imported from the openSUSE:Leap:15.1:Update update project.



  • teeworlds-