Bug#: 142389
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Carsten Lohrke <carlo@gentoo.org>
Description:   Opened: 2006-08-01 02:11 0000
-------------------------------------
A] buffer-overflow in recvTextMessage
-------------------------------------

recvTextMessage is the function used by the server for handling the
text messages sent by the clients.
This function uses the msg buffer, which has a size of 256
(MAX_CONSOLE_STRING_LENGTH) bytes, for containing the entire message to
send to all the other clients using the following format:

  player_name : message

The size of the data block can be max 8000 (MaxMsgSize) bytes so an
attacker can cause a buffer-overflow for crashing the server or
executing malicious code.

From src/multiplay.c:

BOOL recvTextMessage(NETMSG *pMsg)
{
    DPID    dpid;
    UDWORD  i;
    STRING  msg[MAX_CONSOLE_STRING_LENGTH];

    NetGet(pMsg,0,dpid);
    for(i = 0; NetPlay.players[i].dpid != dpid; i++);   // findplayer

    strcpy(msg,NetPlay.players[i].name);                // name
    strcat(msg," : ");                                  // separator
    strcat(msg, &(pMsg->body[4]));
    ...


---------------------------------
B] buffer-overflow in NETrecvFile
---------------------------------

The NETrecvFile function used by the clients for downloading remote
files is affected by a buffer-overflow caused by the copying of a
string of max 255 bytes in the fileName buffer of only 128 bytes.

From lib/netplay/netplay.c:

UBYTE NETrecvFile(NETMSG *pMsg)
{
    UDWORD          pos, fileSize, currPos, bytesRead;
    char            fileName[128];
    unsigned int        len;
    static PHYSFS_file  *pFileHandle;

    //read incoming bytes.
    NetGet(pMsg,0,fileSize);
    NetGet(pMsg,4,bytesRead);
    NetGet(pMsg,8,currPos);

    // read filename
    len = (unsigned int)(pMsg->body[12]);
    memcpy(fileName,&(pMsg->body[13]),len);
    ...


http://aluigi.altervista.org/adv/warzonebof-adv.txt
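Both findings above are the same defect class: a length controlled by the remote peer drives a copy into a fixed-size stack buffer with no check against that buffer. The following is an added illustration of how each handler can be bounded; it is not the advisory's code, not Warzone's fix, and not a drop-in for the project's real NETMSG. It assumes a simplified NETMSG layout (a body plus a count of bytes actually received) and reuses the sizes the report gives: a 256-byte console string, a 128-byte fileName, an 8000-byte maximum message, the text at body[4], and the file-name length byte at body[12]. The sample messages are constructed in the code, not captured traffic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sizes from the report. The NETMSG layout is a stand-in (assumption): only the
 * body and the number of body bytes actually received are modelled. */
#define MAX_CONSOLE_STRING_LENGTH 256
#define FILENAME_LEN 128
#define MAX_MSG_SIZE 8000

typedef struct {
    uint16_t size;                      /* bytes received into body */
    unsigned char body[MAX_MSG_SIZE];
} NETMSG;

/* A] Bounded replacement for the strcpy/strcat chain: builds "name : message"
 * from body[4..] and refuses (returns 0) rather than overflowing when the
 * result would not fit in the 256-byte buffer. */
int recv_text_message_safe(const NETMSG *msg, const char *player_name,
                           char out[MAX_CONSOLE_STRING_LENGTH])
{
    if (msg->size < 4)
        return 0;                       /* no 4-byte dpid header present */
    int text_len = (int)(msg->size - 4);
    /* %.*s never reads past text_len, so a body without a NUL is still safe */
    int n = snprintf(out, MAX_CONSOLE_STRING_LENGTH, "%s : %.*s",
                     player_name, text_len, (const char *)msg->body + 4);
    if (n < 0 || n >= MAX_CONSOLE_STRING_LENGTH) {
        out[0] = '\0';                  /* would have been truncated: reject */
        return 0;
    }
    return 1;
}

/* B] Bounded replacement for the memcpy driven by the sender's length byte at
 * body[12]: the length is checked against the 128-byte destination (leaving
 * room for the NUL) and against the bytes that actually arrived. */
int recv_file_name_safe(const NETMSG *msg, char out[FILENAME_LEN])
{
    if (msg->size < 13)
        return 0;
    unsigned len = msg->body[12];
    if (len >= FILENAME_LEN)
        return 0;                       /* would overflow fileName */
    if (13u + len > msg->size)
        return 0;                       /* claims bytes that never arrived */
    memcpy(out, msg->body + 13, len);
    out[len] = '\0';
    return 1;
}

/* Constructed sample messages (not captured traffic). */
static void fill_text_msg(NETMSG *m, uint32_t dpid, const char *text)
{
    size_t n = strlen(text);
    if (n > MAX_MSG_SIZE - 4) n = MAX_MSG_SIZE - 4;
    memset(m, 0, sizeof *m);
    memcpy(m->body, &dpid, 4);
    memcpy(m->body + 4, text, n);
    m->size = (uint16_t)(4 + n);
}

static void fill_file_msg(NETMSG *m, unsigned char claimed_len, const char *name)
{
    size_t n = strlen(name);
    if (n > MAX_MSG_SIZE - 13) n = MAX_MSG_SIZE - 13;
    memset(m, 0, sizeof *m);
    m->body[12] = claimed_len;
    memcpy(m->body + 13, name, n);
    m->size = (uint16_t)(13 + n);
}

/* Scenarios; each returns 1 when the handler behaved as intended. */
int scenario_text_fits(void)
{
    NETMSG m; char out[MAX_CONSOLE_STRING_LENGTH];
    fill_text_msg(&m, 7, "hello");
    return recv_text_message_safe(&m, "Alice", out) == 1
        && strcmp(out, "Alice : hello") == 0;
}

int scenario_text_oversized(void)          /* 299 bytes of text: rejected */
{
    NETMSG m; char out[MAX_CONSOLE_STRING_LENGTH]; char big[300];
    memset(big, 'A', sizeof big - 1); big[sizeof big - 1] = '\0';
    fill_text_msg(&m, 7, big);
    return recv_text_message_safe(&m, "Alice", out) == 0;
}

int scenario_file_ok(void)
{
    NETMSG m; char out[FILENAME_LEN];
    fill_file_msg(&m, 6, "map.wz");
    return recv_file_name_safe(&m, out) == 1 && strcmp(out, "map.wz") == 0;
}

int scenario_file_len_too_big(void)        /* length byte 199 >= 128: rejected */
{
    NETMSG m; char out[FILENAME_LEN]; char big[200];
    memset(big, 'B', sizeof big - 1); big[sizeof big - 1] = '\0';
    fill_file_msg(&m, 199, big);
    return recv_file_name_safe(&m, out) == 0;
}

int scenario_file_len_exceeds_received(void) /* claims 50, only 6 arrived */
{
    NETMSG m; char out[FILENAME_LEN];
    fill_file_msg(&m, 50, "map.wz");
    return recv_file_name_safe(&m, out) == 0;
}

int main(void)
{
    printf("text fits=%d oversized=%d file ok=%d len too big=%d len>recv=%d\n",
           scenario_text_fits(), scenario_text_oversized(), scenario_file_ok(),
           scenario_file_len_too_big(), scenario_file_len_exceeds_received());
    return 0;
}
```

The two checks differ in what bounds them: the text message is bounded by the destination alone (the result is formatted with snprintf and rejected if it would be truncated), while the file name is bounded twice, against the destination and against the bytes actually received, because the length byte is a separate field the peer can set independently of the payload it sends.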

------- Comment #1 From Thierry Carrez (RETIRED) 2006-08-02 06:54:01 0000 -------
This one looks more serious. Anything upstream?

------- Comment #2 From Mr. Bones. 2006-08-06 19:55:40 0000 -------
package masked.

------- Comment #3 From Sune Kloppenborg Jeppesen 2006-08-07 00:50:41 0000 -------
Thx Mr. Bones.

This one is ready for a masking GLSA.

------- Comment #4 From Sune Kloppenborg Jeppesen 2006-08-10 12:23:25 0000 -------
GLSA 200608-16

------- Comment #5 From Dennis Schridde 2006-08-22 04:26:51 0000 -------
Is there a chance for me to get notified of such bugs directly when they pop
up?
I am a Warzone dev and would like to know when bugs appear in my game.

------- Comment #6 From Sune Kloppenborg Jeppesen 2006-08-22 22:11:49 0000 -------
One way would be to set your Bugzilla account to watch security@gentoo.org and
filter on the email subject where warzone should appear.

------- Comment #7 From Mr. Bones. 2006-08-26 19:31:19 0000 -------
fixed version in portage.
removed from package.mask.

------- Comment #8 From Sune Kloppenborg Jeppesen 2006-08-29 11:42:27 0000 -------
It appears to me that this should be ~1 instead of B1, was this ever stable?

------- Comment #9 From Tristan Heaven 2006-09-04 10:07:51 0000 -------
(In reply to comment #8)
> was this ever stable?

no

------- Comment #10 From Sune Kloppenborg Jeppesen 2006-09-04 10:24:50 0000 -------
Seems like the B rating was wrong then. 

GLSA updated. 

I think we should just close this one now. Comments?

------- Comment #11 From Dennis Schridde 2006-12-24 16:30:10 0000 -------
Are there still issues???
We just released 2.0.5 and haven't heard of any problems for a long while...

------- Comment #12 From Mr. Bones. 2006-12-28 23:51:57 0000 -------
Just waiting for the security team to close I imagine.

------- Comment #13 From Sune Kloppenborg Jeppesen 2006-12-29 01:43:54 0000 -------
Closing and Happy New Year everyone.
