OldUnreal / UnrealTournamentPatches


Is CVE-2004-0608 fixed with recent 469 patches? #1110

Closed twolife closed 1 year ago

twolife commented 1 year ago

Hi, for a very, very long time, CVE-2004-0608 has never been considered fixed for UT99 because the latest patch (451b) was vulnerable. In the ReleaseNotes of 469* we can read that you "Fixed several arbitrary code execution vulnerabilities." Does that include that old security issue from 2004? Whether it is indeed fixed or not, could you please add a note about that CVE in the ReleaseNotes, so that no doubt exists anymore about it? Thank you very much for your work on UT!

SeriousBuggie commented 1 year ago

I am sure all kinds of such issues are fixed in v469a. Also, the CVE info is pretty precise as of now:

> Unreal Tournament 451b and earlier

There is no mention of 469. I understand it came out before 469 appeared, but it fits the current situation.

an-eternity commented 1 year ago

Wonder if that entire secure query part has been written by GameSpy and then of course not verified by Epic... GameSpy had a lot of exploits in their software, including those GameSpy-related parts integrated in game clients...

an-eternity commented 1 year ago

The problem is with the Validate native function in IpDrv. Has it actually been fixed in the native part of v469c? At least, I don't see that v469c has any of the UnrealScript-based workarounds Luigi Auriemma suggested, though it is quite easy for server admins to add some in their custom ServerQuery mods at any time.

stijn-volckaert commented 1 year ago

UTPG fixed this in the 467 patch, so yes, this should be fixed