Bug 136222 - games-action/0verkill: DoS with a short UDP packet
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://secunia.com/advisories/20551/
Whiteboard: B3 [noglsa] Falco
Reported: 2006-06-09 13:14 UTC by Raphael Marichez (Falco) (RETIRED)
Modified: 2006-06-11 03:39 UTC

Attachments
0verkill-0.16-underflow-check.patch (675 bytes, patch)
2006-06-10 05:49 UTC, SpanKY

Description Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-09 13:14:02 UTC
Hi games team,

http://secunia.com/advisories/20551/

Software:	0verkill 0.x

Description:
Federico Fazzi has discovered a vulnerability in 0verkill, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an integer underflow error in "recv_packet()" within the handling of a received UDP packet. This can be exploited to cause out-of-bounds memory access which crashes the server process via a UDP packet that is smaller than 12 bytes in size.

The vulnerability has been confirmed in version 0.16. Other versions may also be affected.

Solution:
Host network games only when connected to trusted networks.

Provided and/or discovered by:
Federico Fazzi
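
Added example, not part of the bug report and not 0verkill's own code: a C sketch of the class of bug the advisory describes, with the unchecked length subtraction next to a hardened form that drops short datagrams. The 12-byte header, `MAX_PAYLOAD`, and all function names are assumptions made for illustration; the advisory only states that packets under 12 bytes trigger the underflow.

```c
#include <stddef.h>
#include <string.h>
#include <sys/types.h>

/* Assumed for illustration: a fixed 12-byte header precedes the payload.
 * The advisory only says datagrams under 12 bytes trigger the bug. */
#define HDR_LEN 12u
#define MAX_PAYLOAD 256u

/* Flawed pattern: subtract the header size with no lower bound.
 * For received < HDR_LEN the result wraps to a huge size_t, and any
 * later copy or index based on it reads out of bounds. */
size_t payload_len_unchecked(ssize_t received)
{
    return (size_t)received - HDR_LEN;
}

/* Hardened pattern: reject errors and short datagrams before the
 * subtraction, then bound the payload by the destination capacity.
 * Returns 0 on success, -1 if the datagram must be dropped. */
int payload_len_checked(ssize_t received, size_t out_cap, size_t *len)
{
    if (received < 0)                 /* recvfrom() reported an error */
        return -1;
    if ((size_t)received < HDR_LEN)   /* no complete header present */
        return -1;
    size_t n = (size_t)received - HDR_LEN;
    if (n > out_cap)                  /* payload would overrun out[] */
        return -1;
    *len = n;
    return 0;
}

/* Copy one datagram's payload into out; drop anything malformed. */
int extract_payload(const unsigned char *dgram, ssize_t received,
                    unsigned char *out, size_t out_cap, size_t *len)
{
    if (payload_len_checked(received, out_cap, len) != 0)
        return -1;
    memcpy(out, dgram + HDR_LEN, *len);
    return 0;
}
```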
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-09 13:14:23 UTC
waiting for a vendor patch or an official update
Comment 2 SpanKY gentoo-dev 2006-06-10 05:49:33 UTC
Created attachment 88838
0verkill-0.16-underflow-check.patch

simple to fix
Comment 3 SpanKY gentoo-dev 2006-06-10 05:49:54 UTC
0.16-r3 in portage with this patch
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-10 05:57:43 UTC
Thx Mike.

Arches please test and mark stable.
Comment 5 SpanKY gentoo-dev 2006-06-10 06:01:11 UTC
already done ;)
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-10 08:01:29 UTC
That was fast:-)

Time for GLSA vote. I vote NO.
Comment 7 Stefan Cornelius (RETIRED) gentoo-dev 2006-06-11 02:07:07 UTC
no need for a glsa here imho
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-11 03:39:30 UTC
Two NO votes -> closing without GLSA. Feel free to reopen if you disagree.