44351 2004-03-11 05:50 0000 games-fps/unreal engine vulnerability 2007-11-05 21:35:24 0000 1 1 1 Unclassified Gentoo Linux Security unspecified All All CLOSED CANTFIX B2 [upstream+ masked] condordes P1 enhancement --- 1 carlo@gentoo.org security@gentoo.org aragorn@elessar.trix.net brebs@sent.com chewi@aura-online.co.uk condordes@gentoo.org denilsonsa@gmail.com games@gentoo.org GNUtoo@no-log.org omes@omes.org spamgoeshere@bardak.de carlo@gentoo.org 2004-03-11 05:50:04 0000 http://www.securityfocus.com/archive/1/356904/2004-03-08/2004-03-14/0 Description: The problem is a format string bug in the Classes management. Each time a client connects to a server it sends the names of the objects it uses (called classes). If an attacker uses a class name containing format parameters (as %n, %s and so on) he will be able to crash or also to execute malicious code on the remote server. Affected ebuilds: UT2003, America's Army, ... (maybe more, i'm not a game freak) vapier@gentoo.org 2004-03-11 09:25:41 0000 i'm not 100% sure but i believe UT-451 and UT:GOTY-451 are not affected the post-436 versions of UT are maintained by this group: http://utpg.org/ their news page talks about 'Fix for Player Login Crash Bug' (dated Jul-16-03) the 451 have these fixes carlo@gentoo.org 2004-03-11 09:51:22 0000 No idea SpanKY - from the linked bugtraq msg: >About UT and UT2003: >EpicGames refused to release a quick-fix for UnrealTournament and >UnrealTournament 2003 so the fix was inserted in the planned patch >as they do for graphic bugs and other small problems... the patch has >not been released yet and is impossible to know when it will be ready. wolf31o2@gentoo.org 2004-03-11 10:43:27 0000 I am looking into this and will hopefully have a solution some time soon. However, given Epic's take on such things, I doubt we will see any form of fix until they release their next round of patches. cshields@gmail.com 2004-03-30 20:38:13 0000 Is there any word on Epic IRT this?? Thanks! -C wolf31o2@gentoo.org 2004-03-31 04:09:15 0000 Epic? Security fix? Surely you jest! Epic doesn't release "hot fixes" of any kind, so we have to wait until the next full patch before this will get fixed. solar@gentoo.org 2004-03-31 07:00:19 0000 Wow. This is kinda a serious problem with QA. Exploitable packages should not be in the portage tree. If no fix exists then It should be masked. But I/we know that masking games might not fly. But reading .. "About UT and UT2003: EpicGames refused to release a quick-fix for UnrealTournament and UnrealTournament 2003 so the fix was inserted in the planned patch as they do for graphic bugs and other small problems... the patch has not been released yet and is impossible to know when it will be ready." klieber@gentoo.org 2004-03-31 07:30:28 0000 Because this bug allows arbitrary remote code execution, I consider it a fairly serious issue. Consequently, the security team intends to hard mask any affected packages on or after 0600 on Wednesday. comments/concerns should be posted to the thread on gentoo-core and/or here. --kurt klieber@gentoo.org 2004-03-31 07:32:19 0000 errr....make that 0600 on Thursday... klieber@gentoo.org 2004-03-31 23:51:30 0000 The following packages are expected to be masked because of this: games-fps/unreal games-fps/unreal-tournament games-fps/unreal-tournament-goty games-fps/unreal-tournament-infiltration games-fps/unreal-tournament-strikeforce games-fps/unreal-tournament-bonuspacks games-fps/ut2003-bonuspack-epic games-fps/ut2003 games-fps/ut2003-demo games-server/ut2003-ded games-fps/americas-army Some of these packages may not be directly affected, but depend on other packages that are, so masking them as well limits the tree breakage. If we determine that some/all of these games are, in fact, not vulnerable to the reported bug, we can unmask them individually as necessary. klieber@gentoo.org 2004-03-31 23:54:38 0000 after looking at the site Mike posted above, we may be able to avoid masking: games-fps/unreal-tournament games-fps/unreal-tournament-goty games-fps/unreal-tournament-infiltration games-fps/unreal-tournament-strikeforce games-fps/unreal-tournament-bonuspacks Not sure about games-fps/unreal, however. vapier@gentoo.org 2004-04-01 00:01:26 0000 there are a few parts to unreal ... (1) it can only use the UT libraries from 436 atm ... 451 crashes it (2) it's a single player game and although it is possible to host a server with it, i dont know of anyone who would do so for the internet ... it's only compatible with the same setup (linux unreal binary built on top of UT 436 libraries) ... in other words, Windows Unreal and UT (on any OS) is not compatible klieber@gentoo.org 2004-04-01 00:04:04 0000 From the utpg.org home page news item: -------------------------------------------------------- Fix for Player Login Crash Bug UT General :: Jul-16-03 From UnrealAdmin.org, here is a fix for the player login crash bug. This will be incorporated into the next patch as well: All admins are advised to open their Core.int files and modify the following entry: LoadClassMismatch=%s is not a child class of %s.%s Change it to read: LoadClassMismatch=%s is not a child class of %s. This will prevent malicious clients from crashing your server by specifying an invalid player class when logging in. This fix should only be applied to Unreal Tournament servers, and you should restart your server after modifying the Core.int file in order to apply the changes. -------------------------------------------------------- That does not appear to be a fix for the issue reported in this bug: "If an attacker uses a class name containing format parameters (as %n, %s and so on) he will be able to crash or also to execute malicious code on the remote server." As such, recommending we hard mask all packages for now until we have enough time to test/validate vulnerability. klieber@gentoo.org 2004-04-01 00:40:48 0000 Discussed with Mike on IRC. Masking packages for now until we have more time to test. Pointed Mike to the POC at http://aluigi.altervista.org/poc/unrfs-poc.zip. He will test on Thurs. wolf31o2@gentoo.org 2004-04-01 19:59:29 0000 ut2003, ut2003-bonuspack-epic, ut2003-ded, ut2003-demo, and americas-army have been fixed. koon@gentoo.org 2004-04-07 08:27:15 0000 Maybe we should issue a "Temporary" GLSA with the partial fix and reasons why the other packages are masked ? vapier@gentoo.org 2004-04-07 19:20:50 0000 just tested ut-451 and it is not fixed utpg.org has released 451b to 'Fixed a couple of bugs that caused the client and server to crash when invalid classes are loaded' however, they've only released for windows ... i e-mailed them asking about the linux version vapier@gentoo.org 2004-04-09 23:18:12 0000 utpg got back to me and they said they're working on 451b for linux and it should 'be out shortly' ... we could wait for them before issuing a GLSA as i think it's the only game that'll be addressed in the near future ... koon@gentoo.org 2004-04-23 08:00:53 0000 Still no sign of 451B for Linux on utpg.org. I think we should release a GLSA, unless someone has inside contacts with utpg defining what they mean by "shortly". -K koon@gentoo.org 2004-05-07 03:35:39 0000 Reemailed UTPG team to ask for Linux patch availability dates koon@gentoo.org 2004-06-05 03:35:32 0000 Status update (masked ebuilds) wolf31o2@gentoo.org 2004-06-26 09:45:36 0000 There is a 451b of UTPG now... perhaps we should revisit this now? wolf31o2@gentoo.org 2004-06-26 09:51:15 0000 Nevermind... I see now that it is the Windows version... perhaps I should read better before posting... koon@gentoo.org 2004-09-13 01:30:24 0000 CondorDes: It's now assigned to you -- please check now and then if UTPG finally released that 451B patch for Linux : http://utpg.org/ klieber@gentoo.org 2004-10-22 09:16:19 0000 no updates on this bug in forever -- site hasn't been updated since before that. packages are hard-masked. assuming this is a bug upstream doesn't plan to fix. closing as cantfix. we can re-open if/when upstream fixes. GNUtoo@no-log.org 2006-02-11 03:22:42 0000 too bad is there any way to fix this security bug OUTSIDE unreal??? without sandboxing unreal??? such as tcp-ip filtering??? wolf31o2@gentoo.org 2006-02-11 12:27:35 0000 No. The only solution is to not run a server. games-fps/unreal games-fps/unreal-tournament games-fps/unreal-tournament-goty These are still vulnerable (and masked) because of this and we don't ever expect there to be a proper fix for them. GNUtoo@no-log.org 2006-02-12 12:53:14 0000 (In reply to comment #26) > No. > > The only solution is to not run a server. > > games-fps/unreal > games-fps/unreal-tournament > games-fps/unreal-tournament-goty > > These are still vulnerable (and masked) because of this and we don't ever > expect there to be a proper fix for them. > so this is only for a SERVER? if i run unreal and i conect to a server i have no risk at all?(with this bug) that is great...i haven't understood this that way so if i don't serve a game and sandbox the server app(i've a working uml) i'll be able to play this game... thank a lot