Bug 125647 - games-action/bzflag - server can be crashed remotely
Bug#: 125647 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: minor Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: carlo@gentoo.org
Component: Vulnerabilities
URL:  http://aluigi.altervista.org/adv/bzflagboom-adv.txt
Summary: games-action/bzflag - server can be crashed remotely
Keywords:  
Status Whiteboard: B3 [noglsa] jaervosz
Opened: 2006-03-09 14:25 0000
Description:
The callsigns used by the clients are not checked or re-delimited by
the server, so it is possible for a client to pass a callsign with no NULL
bytes at its end, causing problems (crash) to the server during the
handling of this string.
On both Linux and Windows for x86 (using the precompiled packages) I
have reached the server crash without problems, but it is possible that in
some configurations the crash could happen after many tries or also
never, depending on how the memory is handled on that platform.

The bug can also be exploited against password protected servers without
knowing the right keyword.

http://aluigi.altervista.org/adv/bzflagboom-adv.txt
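
The defect the report describes is the server trusting the client to NUL-terminate the callsign field. The following C is an added illustration of the server-side fix, not bzflag's code or the attached patch: the server bounds the name by the size of the wire field it actually received and writes the terminator itself, so an unterminated field can never send strlen()/strcpy() reading past the packet. The field size, the join-message layout and the demo inputs are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical on-wire size of the callsign field (constructed for this
 * example; not bzflag's real constant). */
#define CALLSIGN_FIELD_LEN 32

/* Bounded copy of a client-supplied callsign.
 *
 * `field` points at `field_len` bytes taken from the packet. The sender
 * may or may not have placed a NUL inside those bytes, so the server must
 * never call strlen()/strcpy() on `field` directly: on an unterminated
 * field those read past the packet, which is the crash the report
 * describes. The length is bounded by field_len and the terminator is
 * always written by the server.
 *
 * Returns true and leaves a NUL-terminated string in dst on success.
 * Returns false (dst set to "") when the name would not fit, so an
 * oversized name is rejected rather than silently truncated. */
bool copy_callsign(char *dst, size_t dst_size,
                   const unsigned char *field, size_t field_len)
{
    if (dst == NULL || dst_size == 0 || field == NULL)
        return false;

    /* Length up to the first NUL, or the whole field if there is none. */
    const unsigned char *nul = memchr(field, '\0', field_len);
    size_t n = nul ? (size_t)(nul - field) : field_len;

    if (n >= dst_size) {           /* need n bytes plus the terminator */
        dst[0] = '\0';
        return false;
    }
    memcpy(dst, field, n);
    dst[n] = '\0';                 /* termination is the server's job */
    return true;
}

/* Parse a constructed join message: a 2-byte message type followed by a
 * fixed CALLSIGN_FIELD_LEN-byte callsign field. A short packet is refused
 * instead of being read past its end. */
bool parse_join_callsign(const unsigned char *pkt, size_t pkt_len,
                         char *out, size_t out_size)
{
    if (pkt_len < 2 + CALLSIGN_FIELD_LEN)
        return false;
    return copy_callsign(out, out_size, pkt + 2, CALLSIGN_FIELD_LEN);
}

/* Constructed inputs: a properly terminated name, an unterminated field
 * of 32 'A' bytes, and a packet that is too short for a callsign. */
int demo_terminated_ok(void)
{
    static const unsigned char field[CALLSIGN_FIELD_LEN] = "Luigi";
    char out[CALLSIGN_FIELD_LEN + 1];
    return copy_callsign(out, sizeof out, field, sizeof field)
        && strcmp(out, "Luigi") == 0;
}

int demo_unterminated_rejected(void)
{
    unsigned char field[CALLSIGN_FIELD_LEN];
    char out[CALLSIGN_FIELD_LEN];          /* one byte short of 32 + NUL */
    memset(field, 'A', sizeof field);
    return !copy_callsign(out, sizeof out, field, sizeof field)
        && out[0] == '\0';
}

int demo_unterminated_bounded(void)
{
    unsigned char field[CALLSIGN_FIELD_LEN];
    char out[CALLSIGN_FIELD_LEN + 1];      /* large enough: bounded copy */
    memset(field, 'A', sizeof field);
    return copy_callsign(out, sizeof out, field, sizeof field)
        && strlen(out) == CALLSIGN_FIELD_LEN;
}

int demo_short_packet_refused(void)
{
    static const unsigned char pkt[] = { 0x00, 0x01, 'L', 'u', 'i' };
    char out[CALLSIGN_FIELD_LEN + 1];
    return !parse_join_callsign(pkt, sizeof pkt, out, sizeof out);
}

int main(void)
{
    printf("terminated name accepted:      %s\n", demo_terminated_ok() ? "yes" : "no");
    printf("oversized name rejected:        %s\n", demo_unterminated_rejected() ? "yes" : "no");
    printf("unterminated name bounded:      %s\n", demo_unterminated_bounded() ? "yes" : "no");
    printf("short join packet refused:      %s\n", demo_short_packet_refused() ? "yes" : "no");
    return 0;
}
```

The two decisions worth copying are that the length comes from the packet's field size (memchr bounded by field_len) rather than from the bytes themselves, and that a name which does not fit is refused instead of truncated, so the server never holds a callsign it did not terminate.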

------- Comment #1 From Thierry Carrez (RETIRED) 2006-03-11 03:25:07 0000 -------
One more on games team plate.
Too bad Luigi decided to do more auditing on games servers while our games team
is silent :)

------- Comment #2 From Mr. Bones. 2006-03-11 20:35:27 0000 -------
it's masked.

------- Comment #3 From David Grant 2006-03-12 20:08:07 0000 -------
Can bzflag be split into server and client ebuilds? It sounds like this doesn't
affect the client.

------- Comment #4 From Thierry Carrez (RETIRED) 2006-03-13 10:30:28 0000 -------
No masking GLSA as this is not a critical security issue.
Setting this to enhancement to remember to remove bzflag at some point in the
future.

Asking to separate between server and client should be done in a separate
non-security bug, assigned to the games team.

------- Comment #5 From Tupone Alfredo 2006-03-13 10:38:34 0000 -------
remove? For about a 4-line patch to apply? :(
I love bzflag

------- Comment #6 From Benno Schulenberg 2006-03-14 11:26:20 0000 -------
At comment #5: which 4-line patch, Tupone?  Please attach?

------- Comment #7 From Tupone Alfredo 2006-03-14 11:38:45 0000 -------
Created an attachment (id=82128) [details]
bzflag-callsignfix.patch

Patch to fix callsign, and others, ... overflow

------- Comment #8 From Chris Gianelloni (RETIRED) 2006-03-14 13:47:12 0000 -------
Tupone: feel free to fix the package and unmask it instead, as an actual fix is
*always* the preferred solution.

------- Comment #9 From Tupone Alfredo 2006-03-19 13:36:39 0000 -------
Fixed in CVS.
Please stabilize bzflag-2.0.4.20050930

------- Comment #10 From Tupone Alfredo 2006-03-19 13:37:30 0000 -------
I meant to stabilize bzflag-2.0.4.20050930-r1
Sorry

------- Comment #11 From Tupone Alfredo 2006-03-20 12:12:51 0000 -------
security flaw fixed.
package unmasked

------- Comment #12 From Chris Gianelloni (RETIRED) 2006-03-22 06:42:54 0000 -------
I've marked this stable on x86.

------- Comment #13 From Luis Medinas (RETIRED) 2006-03-22 17:19:24 0000 -------
stable on amd64.

------- Comment #14 From Tupone Alfredo 2006-03-22 22:51:50 0000 -------
It was marked stable on ppc.
I think the bug could be closed.

------- Comment #15 From Sune Kloppenborg Jeppesen 2006-03-22 23:25:41 0000 -------
This one is ready for GLSA decision. I tend to vote NO.

------- Comment #16 From Thierry Carrez (RETIRED) 2006-03-26 09:26:46 0000 -------
I tend to vote NO too for a DoS on a game server. Closing, feel free to reopen if
you disagree.