125647 2006-03-09 14:25 0000 games-action/bzflag - server can be crashed remotely 2006-03-26 09:26:46 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://aluigi.altervista.org/adv/bzflagboom-adv.txt B3 [noglsa] jaervosz P2 minor --- 1 carlo@gentoo.org security@gentoo.org bensberg@justemail.net games@gentoo.org carlo@gentoo.org 2006-03-09 14:25:21 0000 The callsigns used by the clients are not checked or re-delimited by the server so is possible for a client to pass a callsign with no NULL bytes at its end causing problems (crash) to the server during the handling of this string. On both Linux and Windows for x86 (using the precompiled packages) I have reached the server crash without problems but is possible that in some configurations the crash could happen after many tries or also never, depending by how the memory is handled on that platform. The bug can be exploited also versus password protected servers without knowing the right keyword. http://aluigi.altervista.org/adv/bzflagboom-adv.txt koon@gentoo.org 2006-03-11 03:25:07 0000 One more on games team plate. Too bad Luigi decided to do more auditing on games servers while our games team is silent :) mr_bones_@gentoo.org 2006-03-11 20:35:27 0000 it's masked. davidgrant@gmail.com 2006-03-12 20:08:07 0000 Can bzflag be split into server and client ebuilds? It sounds like this doesn't affect the client. koon@gentoo.org 2006-03-13 10:30:28 0000 No masking GLSA as this is not a critical security issue. Setting this to enhancement to remember to remove bzflag at some point in the future. Asking to separate between server and client should be done a separate non-security bug, assigend to teh games team. tupone@gentoo.org 2006-03-13 10:38:34 0000 remove? For about a 4 lines patch to apply ? :( I love bzflag bensberg@justemail.net 2006-03-14 11:26:20 0000 At comment #5: which 4-line patch, Tupone? Please attach? tupone@gentoo.org 2006-03-14 11:38:45 0000 Created an attachment (id=82128) bzflag-callsignfix.patch Patch to fix callsign, and others, ... overflow wolf31o2@gentoo.org 2006-03-14 13:47:12 0000 Tupone: feel free to fix the package and unmask it instead, as an actual fix is *always* the preferred solution. tupone@gentoo.org 2006-03-19 13:36:39 0000 Fixed in CVS. Please stabilize bzflag-2.0.4.20050930 tupone@gentoo.org 2006-03-19 13:37:30 0000 I meant to stabilize bzflag-2.0.4.20050930-r1 Sorry tupone@gentoo.org 2006-03-20 12:12:51 0000 security flaw fixed. package unmasked wolf31o2@gentoo.org 2006-03-22 06:42:54 0000 I've marked this stable on x86. metalgod@gentoo.org 2006-03-22 17:19:24 0000 stable on amd64. tupone@gentoo.org 2006-03-22 22:51:50 0000 It was marked stable on ppc I think bug could be closed jaervosz@gentoo.org 2006-03-22 23:25:41 0000 This one is ready for GLSA decision. I tend to vote NO. koon@gentoo.org 2006-03-26 09:26:46 0000 I tend to vote NO too for DoS on game server. Closing, feel free to reopen if you disagree. 82128 2006-03-14 11:38 0000 bzflag-callsignfix.patch bzflag-callsignfix.patch text/plain LS0tIHNyYy9nYW1lL1BsYXllckluZm8uY3h4Lm9yaWdpbmFsCTIwMDYtMDMtMTQgMjA6MzM6NTMu MDAwMDAwMDAwICswMTAwCisrKyBzcmMvZ2FtZS9QbGF5ZXJJbmZvLmN4eAkyMDA2LTAzLTE0IDIw OjM2OjQzLjAwMDAwMDAwMCArMDEwMApAQCAtMTA4LDYgKzEwOCwxMiBAQAogICBidWYgPSBuYm9V bnBhY2tTdHJpbmcoYnVmLCBlbWFpbCwgRW1haWxMZW4pOwogICBidWYgPSBuYm9VbnBhY2tTdHJp bmcoYnVmLCB0b2tlbiwgVG9rZW5MZW4pOwogICBidWYgPSBuYm9VbnBhY2tTdHJpbmcoYnVmLCBj bGllbnRWZXJzaW9uLCBWZXJzaW9uTGVuKTsKKworICAvLyB0ZXJtaW5hdGUgdGhlIHN0cmluZ3MK KyAgY2FsbFNpZ25bQ2FsbFNpZ25MZW4gLSAxXSA9ICdcMCc7CisgIGVtYWlsW0VtYWlsTGVuIC0g MV0gPSAnXDAnOworICB0b2tlbltUb2tlbkxlbiAtIDFdID0gJ1wwJzsKKyAgY2xpZW50VmVyc2lv bltWZXJzaW9uTGVuIC0gMV0gPSAnXDAnOwogICBjbGVhbkVNYWlsKCk7CiAKICAgREVCVUcyKCJQ bGF5ZXIgJXMgWyVkXSBzZW50IHZlcnNpb24gc3RyaW5nOiAlc1xuIiwK