98922 2005-07-13 14:17 0000 games-strategy/netpanzer: Denial of Service because of an endless loop 2009-04-23 17:10:15 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://aluigi.altervista.org/adv/panzone-adv.txt B3 [noglsa] DerCorny P2 normal --- 1 dercorny@gentoo.org security@gentoo.org games@gentoo.org dercorny@gentoo.org 2005-07-13 14:17:10 0000 Copied from adivsory: The network code doesn't verify the correctness of the 16 bit number containing the size of the entire data block received from the network. If an attacker sends the number 0x0000 (the minimum should be 0x0002) the game enters in an endless loop and nobody can play. PoC: http://aluigi.altervista.org/poc/panzone.zip Fix in SVN: http://developer.berlios.de/svn/?group_id=1250 dercorny@gentoo.org 2005-07-13 14:18:35 0000 Games herd, please provide a patched ebuild. thanks. vapier@gentoo.org 2005-07-13 19:23:51 0000 Created an attachment (id=63354) netpanzer-0.8-min-size-check.patch upstream svn rewrote the network code completely and it's incompatible with the 0.8 release :/ going by the useful technical info in the advisory, ive created a small fix against 0.8 which seems to fix the issue ... that is, i was able to make netpanzer eat up 100% cpu w/out the patch but not w/the patch vapier@gentoo.org 2005-07-13 19:24:30 0000 so 0.8-r1 is now in portage and amd64/x86 stable (which are the only arches which had a stable version < 0.8-r1) jaervosz@gentoo.org 2005-07-13 22:30:16 0000 This one is ready for GLSA decision. I vote NO. dercorny@gentoo.org 2005-07-13 22:42:51 0000 I'm voting no, too. Closing bug, reopen if my vote doesn't count since i'm only on probation. 63354 2005-07-13 19:23 0000 netpanzer-0.8-min-size-check.patch netpanzer-0.8-min-size-check.patch text/plain VGhlIHNpemUgbmVlZHMgdG8gYmUgYXQgbGVhc3QgMiBvciB0aGUgY29kZSBnZXRzIGh1bmcgdXAu CgpodHRwOi8vYnVncy5nZW50b28ub3JnLzk4OTIyCgotLS0gc3JjL05ldFBhbnplci9OZXR3b3Jr L1NlcnZlclNvY2tldC5jcHAKKysrIHNyYy9OZXRQYW56ZXIvTmV0d29yay9TZXJ2ZXJTb2NrZXQu Y3BwCkBAIC0xNjksNyArMTY5LDcgQEAKIAogICAgICAgICAgICAgc2l6ZSA9IGh0b2wxNigqKChp bnQxNl90KikgdGVtcGJ1ZmZlcikpOwogCi0gICAgICAgICAgICBpZiAoIChzaXplIDwgMCkgfHwg KHNpemUgPiBfTUFYX05FVF9QQUNLRVRfU0laRSkgKSB7CisgICAgICAgICAgICBpZiAoIChzaXpl IDwgMikgfHwgKHNpemUgPiBfTUFYX05FVF9QQUNLRVRfU0laRSkgKSB7CiAgICAgICAgICAgICAg ICAgTE9HKCAoIk9uUmVhZFN0cmVhbVNlcnZlciA6IEludmFsaWQgUGFja2V0IFNpemUgJWQiLCBz aXplKSApOwogICAgICAgICAgICAgICAgIHJlY3ZvZmZzZXQgPSAwOwogICAgICAgICAgICAgICAg IGNsaWVudC0+aGVhZGVyaW5jb21wbGV0ZSA9IGZhbHNlOwpAQCAtMjI0LDcgKzIyNCw3IEBACiAK ICAgICAgICAgICAgICAgICBzaXplID0gaHRvbDE2KCooKGludDE2X3QqKSB0ZW1wYnVmZmVyKSk7 CiAKLSAgICAgICAgICAgICAgICBpZiAoIChzaXplIDwgMCkgfHwgKHNpemUgPiBfTUFYX05FVF9Q QUNLRVRfU0laRSkgKSB7CisgICAgICAgICAgICAgICAgaWYgKCAoc2l6ZSA8IDIpIHx8IChzaXpl ID4gX01BWF9ORVRfUEFDS0VUX1NJWkUpICkgewogICAgICAgICAgICAgICAgICAgICBMT0coICgi T25SZWFkU3RyZWFtU2VydmVyIDogSW52YWxpZCBQYWNrZXQgU2l6ZSAlZCIsIHNpemUpICk7CiAg ICAgICAgICAgICAgICAgICAgIHJlY3ZvZmZzZXQgPSAwOwogICAgICAgICAgICAgICAgICAgICBj bGllbnQtPm1lc3NhZ2VpbmNvbXBsZXRlID0gZmFsc2U7CkBAIC0yNjYsNyArMjY2LDcgQEAKICAg ICAgICAgICAgIH0gZWxzZSBpZiAocmVjdnNpemUgPj0gMikgewogICAgICAgICAgICAgICAgIHNp emUgPSBodG9sMTYoKigoaW50MTZfdCopIChyZWN2YnVmZmVyICsgcmVjdm9mZnNldCkpKTsKIAot ICAgICAgICAgICAgICAgIGlmKCAoc2l6ZSA8IDApIHx8IChzaXplID4gX01BWF9ORVRfUEFDS0VU X1NJWkUpICkgeworICAgICAgICAgICAgICAgIGlmKCAoc2l6ZSA8IDIpIHx8IChzaXplID4gX01B WF9ORVRfUEFDS0VUX1NJWkUpICkgewogICAgICAgICAgICAgICAgICAgICBMT0coICgiT25SZWFk U3RyZWFtU2VydmVyIDogSW52YWxpZCBQYWNrZXQgU2l6ZSAlZCIsIHNpemUpICk7CiAgICAgICAg ICAgICAgICAgICAgIHJlY3ZvZmZzZXQgPSAwOwogICAgICAgICAgICAgICAgICAgICBjbGllbnQt PnRlbXBvZmZzZXQgPSAwOwo=