Bug 142389 - games-strategy/warzone2100 - buffer overflows (CVE-2006-3849)
Summary: games-strategy/warzone2100 - buffer overflows (CVE-2006-3849)
Status: RESOLVED FIXED
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High enhancement
Assignee: Gentoo Security
URL: http://aluigi.altervista.org/adv/warz...
Whiteboard: ~1 [glsa]
Reported: 2006-08-01 02:11 UTC by Carsten Lohrke (RETIRED)
Modified: 2006-12-29 01:43 UTC (History)
Description Carsten Lohrke (RETIRED) gentoo-dev 2006-08-01 02:11:33 UTC
-------------------------------------
A] buffer-overflow in recvTextMessage
-------------------------------------

recvTextMessage is the function used by the server for handling the
text messages sent by the clients.
This function uses the msg buffer, which has a size of 256
(MAX_CONSOLE_STRING_LENGTH) bytes, for containing the entire message to
send to all the other clients using the following format:

  player_name : message

The size of the data block can be max 8000 (MaxMsgSize) bytes so an
attacker can cause a buffer-overflow for crashing the server or
executing malicious code.

From src/multiplay.c:

BOOL recvTextMessage(NETMSG *pMsg)
{
    DPID    dpid;
    UDWORD  i;
    STRING  msg[MAX_CONSOLE_STRING_LENGTH];

    NetGet(pMsg,0,dpid);
    for(i = 0; NetPlay.players[i].dpid != dpid; i++);   // findplayer

    strcpy(msg,NetPlay.players[i].name);                // name
    strcat(msg," : ");                                  // separator
    strcat(msg, &(pMsg->body[4]));
    ...


---------------------------------
B] buffer-overflow in NETrecvFile
---------------------------------

The NETrecvFile function used by the clients for downloading remote
files is affected by a buffer-overflow caused by the copying of a
string of max 255 bytes in the fileName buffer of only 128 bytes.

From lib/netplay/netplay.c:

UBYTE NETrecvFile(NETMSG *pMsg)
{
    UDWORD          pos, fileSize, currPos, bytesRead;
    char            fileName[128];
    unsigned int        len;
    static PHYSFS_file  *pFileHandle;

    //read incoming bytes.
    NetGet(pMsg,0,fileSize);
    NetGet(pMsg,4,bytesRead);
    NetGet(pMsg,8,currPos);

    // read filename
    len = (unsigned int)(pMsg->body[12]);
    memcpy(fileName,&(pMsg->body[13]),len);
    ...


http://aluigi.altervista.org/adv/warzonebof-adv.txt
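For reference, the following is an added example of how the two copy sites above can be bounded; it is not code from the advisory or from the Warzone 2100 sources. The NETMSG layout (a byte count plus a body), the handler names (safe_recv_text_message, safe_recv_file_name) and the helper functions that build sample messages are assumptions modelled on the excerpts, kept only to the fields the excerpts actually use. Both handlers bound every copy by the destination size and by the number of bytes actually received, and return a status instead of silently writing past the buffer.

```c
/* Added example, not from the advisory or Warzone 2100: bounded versions of
 * the recvTextMessage and NETrecvFile copy sites. Type names and message
 * layout are simplified assumptions based on the excerpts above. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define MAX_CONSOLE_STRING_LENGTH 256   /* msg buffer size in the advisory   */
#define MAX_MSG_SIZE              8000  /* MaxMsgSize in the advisory        */
#define FILENAME_CAP              128   /* fileName[128] in NETrecvFile      */

/* Assumed wire message: number of valid body bytes plus the body itself. */
typedef struct {
    uint32_t size;
    uint8_t  body[MAX_MSG_SIZE];
} NETMSG;

/* A] text message: body[0..3] = dpid, body[4..] = text, which the peer may
 * not NUL-terminate. Returns 0 on success, 1 if the message was truncated
 * to fit, -1 on a malformed message. */
int safe_recv_text_message(const NETMSG *msg, const char *player_name,
                           char *out, size_t out_len)
{
    if (msg->size < 4 || msg->size > MAX_MSG_SIZE) return -1;
    const uint8_t *text = msg->body + 4;
    size_t text_len = msg->size - 4;

    /* Bounded scan: stop at the first NUL or at the end of received data,
     * never trusting the peer to terminate the string. */
    size_t n = 0;
    while (n < text_len && text[n] != '\0') n++;

    /* snprintf never writes more than out_len bytes and always terminates;
     * its return value tells us whether the full line would have fit. */
    int needed = snprintf(out, out_len, "%s : %.*s", player_name, (int)n, text);
    if (needed < 0) return -1;
    if ((size_t)needed >= out_len) return 1;   /* truncated, caller decides */
    return 0;
}

/* B] file transfer: body[12] = name length (0..255), body[13..] = name.
 * Returns 0 on success, -1 if the name would not fit or lies outside the
 * received body. */
int safe_recv_file_name(const NETMSG *msg, char *file_name, size_t cap)
{
    if (msg->size < 13 || msg->size > MAX_MSG_SIZE) return -1;
    size_t len = msg->body[12];
    if (len >= cap) return -1;                 /* leave room for the NUL    */
    if (13 + len > msg->size) return -1;       /* name exceeds received data */
    memcpy(file_name, msg->body + 13, len);
    file_name[len] = '\0';
    return 0;
}

/* Constructed sample messages for the demonstration (not real traffic). */
static void make_text_msg(NETMSG *m, uint32_t dpid, size_t text_len, char fill)
{
    memset(m, 0, sizeof *m);
    memcpy(m->body, &dpid, 4);
    memset(m->body + 4, fill, text_len);
    m->size = (uint32_t)(4 + text_len);
}

static void make_file_msg(NETMSG *m, uint8_t name_len, char fill)
{
    memset(m, 0, sizeof *m);
    m->body[12] = name_len;
    memset(m->body + 13, fill, name_len);
    m->size = 13u + name_len;
}

/* Drive each handler with a constructed message and report its status. */
int text_status(const char *player_name, size_t text_len)
{
    NETMSG m; char out[MAX_CONSOLE_STRING_LENGTH];
    make_text_msg(&m, 7, text_len, 'A');
    return safe_recv_text_message(&m, player_name, out, sizeof out);
}

int file_status(uint8_t name_len)
{
    NETMSG m; char fn[FILENAME_CAP];
    make_file_msg(&m, name_len, 'f');
    return safe_recv_file_name(&m, fn, sizeof fn);
}

int main(void)
{
    printf("text 247 bytes: %d\n", text_status("alice", 247));
    printf("text max bytes: %d\n", text_status("alice", MAX_MSG_SIZE - 4));
    printf("file name 127:  %d\n", file_status(127));
    printf("file name 255:  %d\n", file_status(255));
    return 0;
}
```

The text handler deliberately reports truncation rather than rejecting outright, since dropping an over-long chat line is a policy choice; the file handler rejects, because a truncated file name is never the name the sender meant. In both cases the decisive checks are the two the original code lacks: the destination size and the number of bytes actually received.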
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2006-08-02 06:54:01 UTC
This one looks more serious. Anything upstream?
Comment 2 Mr. Bones. (RETIRED) gentoo-dev 2006-08-06 19:55:40 UTC
package masked.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-08-07 00:50:41 UTC
Thx Mr. Bones.

This one is ready for a masking GLSA.
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-08-10 12:23:25 UTC
GLSA 200608-16
Comment 5 Dennis Schridde 2006-08-22 04:26:51 UTC
Is there a chance for me to get notified of such bugs directly when they pop up?
I am a Warzone dev and would like to know when bugs appear in my game.
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-08-22 22:11:49 UTC
One way would be to set your Bugzilla account to watch security@gentoo.org and filter on the email subject where warzone should appear.
Comment 7 Mr. Bones. (RETIRED) gentoo-dev 2006-08-26 19:31:19 UTC
fixed version in portage.
removed from package.mask.
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-08-29 11:42:27 UTC
It appears to me that this should be ~1 instead of B1, was this ever stable?
Comment 9 Tristan Heaven (RETIRED) gentoo-dev 2006-09-04 10:07:51 UTC
(In reply to comment #8)
> was this ever stable?

no
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-04 10:24:50 UTC
Seems like the B rating was wrong then. 

GLSA updated. 

I think we should just close this one now. Comments?
Comment 11 Dennis Schridde 2006-12-24 16:30:10 UTC
Are there still issues???
We just released 2.0.5 and haven't heard of any problems in a long while...
Comment 12 Mr. Bones. (RETIRED) gentoo-dev 2006-12-28 23:51:57 UTC
Just waiting for the security team to close I imagine.
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-12-29 01:43:54 UTC
Closing and Happy New Year everyone.