Sauerbraten patch January 2018

 

Because of a somewhat urgent security issue, eihrul issued a patch to the latest Sauerbraten: Collect Edition.

Be advised to update your Sauerbraten biaries both for server and client, as soon as possible.

The major client- and server-mods have been notified and are in the process of updating the source.

Here a list of patched binaries, that I know of:
(I will update the list when something changes)

  • Vanilla Sauerbraten
  • WC-ng (safe since 2000 B.C.)
  • remod
  • zeromod

EDIT #1:

Because I got a lot of inquiries about the nature of this issue, I decided to add a short explanation of what this patch is about. Note, I haven’t analyzed shit, nor am I connected to the discovery in any way, so all I can do is Chinese whispers.

It just so happened that, forcing a map with a special formatted name, an attacker would be able to traverse file directories on the client side. This can cause the client to freeze. Furthermore it is suspected, that this attack could lead to remote code execution. If you don’t know what this means, you don’t know how to wikipedia.

What this means for you as a player is best done using eihrul’s words from the comments below.

IF YOU STILL THINK ABOUT WHETHER YOU SHOULD PATCH YOUR SAUER OR NOT, ALL HOPE IS LOST.

 

Here some useful links, including a patch for those who don’t want to download the full package:

 

Vanilla Sauerbraten Downloads:
http://sourceforge.net/projects/sauerbraten/files/sauerbraten/2013_01_04/sauerbraten_2013_04_04_collect_edition_linux.tar.bz2/download
http://sourceforge.net/projects/sauerbraten/files/sauerbraten/2013_01_04/patch_01_04_to_04_04.zip/download
http://sourceforge.net/projects/sauerbraten/files/sauerbraten/2013_01_04/sauerbraten_2013_04_04_collect_edition_windows.exe/download

Sauerworld Resources page (for downloading mods):
http://www.sauerworld.org/resources/

Commits for modders:
https://sourceforge.net/p/sauerbraten/code/5380/
https://sourceforge.net/p/sauerbraten/code/5379/

 

10 Comments

  1. eihrul

    Some extra detail:

    If you play only on servers with a locked map rotation, you are safe on that server.
    But if you play on a server where a player can vote for any map name he wants, then you are vulnerable.
    If the server itself has been patched to filter mapvotes, then you’re safe on that server.
    But overall, best to use a patched client so that you will not be affected regardless of what server you play on.

    Reply
  2. h8

    so i just copy-paste the thing in sauer main installation folder?
    will it mess up my comed?
    do i need to back up something first before doing this?

    Reply
  3. cs4

    sheeplesssss xDDDD so Rigatoni was affected as well ? ahaha

    now I am more confident wasnt freezing for some in-explainable reason …
    (i had more than 4 occasions of having the freeze-screen-locked-condition .. two weeks back but didn’t think much of it then…

    it also allows random client renaming — if i am not mistaken.
    and glitches so that ppl are disconnected/ timed-out

    )

    lol thanks for the ** patch[es] **

    i knew my client was acting strange.

    This time it wasn’t the NSA (ahaha)

    Reply

Leave a Reply

Your email address will not be published.