CVE-2019-20797

Name: CVE-2019-20797
Description: An issue was discovered in e6y prboom-plus 2.5.1.5. There is a buffer overflow in client and server code responsible for handling received UDP packets, as demonstrated by I_SendPacket or I_SendPacketTo in i_network.c.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium
Debian Bugs: 961031

Vulnerable and fixed packages

The table below lists information on source packages.

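| Source Package | Release | Version | Status |
|---|---|---|---|
| prboom-plus (PTS) | jessie | 2:2.5.1.4~svn4403+dfsg1-1 | vulnerable |
| prboom-plus (PTS) | stretch | 2:2.5.1.5~svn4462+dfsg1-1 | vulnerable |
| prboom-plus (PTS) | buster | 2:2.5.1.5+svn4539+dfsg1-1 | vulnerable |
| prboom-plus (PTS) | bullseye | 2:2.5.1.5+svn4540+dfsg1-2 | vulnerable |
| prboom-plus (PTS) | sid | 2:2.5.1.7um+git82-1 | fixed |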

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| prboom-plus | source | (unstable) | 2:2.5.1.7um+git82-1 | | | 961031 |
| prboom-plus | source | jessie | (unfixed) | end-of-life | | |

Notes

[buster] - prboom-plus <no-dsa> (Minor issue)
[stretch] - prboom-plus <no-dsa> (Minor issue)
[jessie] - prboom-plus <end-of-life> (games are not supported)
https://logicaltrust.net/blog/2019/10/prboom1.html
https://sourceforge.net/p/prboom-plus/bugs/252/
https://sourceforge.net/p/prboom-plus/bugs/253/
