openSUSE-SU-2019:1999-1

Import Source
https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2019:1999-1.json
JSON Data
https://api.osv.dev/v1/vulns/openSUSE-SU-2019:1999-1
Published
2019-08-24T10:20:03Z
Modified
2019-08-24T10:20:03Z
Summary
Security update for teeworlds
Details

This update for teeworlds fixes the following issues:

  • CVE-2019-10879: An integer overflow in CDataFileReader::Open() could have led to a buffer overflow and possibly remote code execution, because size-related multiplications were mishandled. (boo#1131729)
  • CVE-2019-10878: A failed bounds check in CDataFileReader::GetData() and CDataFileReader::ReplaceData() and related functions could have led to an arbitrary free and out-of-bounds pointer write, possibly resulting in remote code execution.
  • CVE-2019-10877: An integer overflow in CMap::Load() could have led to a buffer overflow, because the multiplication of width and height was mishandled.
  • CVE-2018-18541: Connection packets could have been forged, because no challenge-response was involved in connection setup. A remote attacker could have sent connection packets from a spoofed IP address and occupied all server slots, or even used them for a reflection attack using map download packets. (boo#1112910)

  • Update to version 0.7.3.1

    • Colorful gametype and level icons in the browser instead of grayscale.
    • Add an option to use raw mouse inputs, revert to (0.6) relative mode by default.
    • Demo list marker indicator.
    • Restore ingame Player and Tee menus, add a warning that a reconnect is needed.
    • Emotes can now be cancelled by releasing the mouse in the middle of the circle.
    • Improve add friend text.
    • Add a confirmation for removing a filter
    • Add a 'click a player to follow' hint
    • Also hint players which key they should press to set themselves ready.
    • fixed using correct array measurements when placing egg doodads
    • fixed demo recorder downloaded maps using the sha256 hash
    • show correct game release version in the start menu and console
    • Fix platform-specific client libraries for Linux
    • advanced scoreboard with game statistics
    • joystick support (experimental!)
    • copy paste (one-way)
    • bot cosmetics (a visual difference between players and NPCs)
    • chat commands (type / in chat)
    • players can change skin without leaving the server (again)
    • live automapper and complete rules for 0.7 tilesets
    • audio toggling HUD
    • an Easter surprise...
    • new gametypes: 'last man standing' (LMS) and 'last team standing' (LTS). survive on your own or as a team with limited weaponry
    • 64 players support. official gametypes are still restricted to 16 players maximum but allow more spectators
    • new skin system. build your own skins based on a variety of provided parts
    • enhanced security. all communications require a handshake and use a token to counter spoofing and reflection attacks
    • new maps: ctf8, dm3, lms1. Click to discover them!
    • animated background menu map: jungle, heavens (day/night themes, customisable in the map editor)
    • new design for the menus: added start menus, reworked server browser, settings
    • customisable gametype icons (browser). make your own!
    • chat overhaul, whispers (private messages)
    • composed binds (ctrl+, shift+, alt+)
    • scoreboard remodelled, now shows kills/deaths
    • demo markers
    • master server list cache (in case the masters are unreachable)
    • input separated from rendering (optimisation)
    • upgrade to SDL2. support for multiple monitors, non-english keyboards, and more
    • broadcasts overhaul, optional colours support
    • ready system, for competitive settings
    • server difficulty setting (casual, competitive, normal), shown in the browser
    • spectator mode improvements: follow flags, click on players
    • bot flags for modified servers: indicate NPCs, can be filtered out in the server browser
    • sharper graphics all around (no more tileset_borderfix and dilate)
    • refreshed the HUD, ninja cooldown, new mouse cursor
    • mapres update (higher resolution, fixes...)

This update was imported from the openSUSE:Leap:15.1:Update update project.

Affected packages

SUSE:Package Hub 15 SP1 / teeworlds

Package

Name
teeworlds
Purl
pkg:rpm/suse/teeworlds&distro=SUSE%20Package%20Hub%2015%20SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
0.7.3.1-bp151.2.3.3

Ecosystem specific

{
    "binaries": [
        {
            "teeworlds": "0.7.3.1-bp151.2.3.3"
        }
    ]
}