Bug#: 39302
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: FieldySnuts <sgtphou@fire-eyes.org>

Attachments
Filename: scorched-bounds-checking.diff
Description: incomplete-bounds-checking.diff
Type: patch
Creator: solar
Created: 2004-01-25 13:29 0000
Size: 7.83 KB

Description:   Opened: 2004-01-24 19:19 0000
games-strategy/scorched3d-36.2 suffers from a format string problem that
crashes clients and servers. If this is used while playing standalone, the
client will crash. If this is used while playing on a server, the server will
crash, and all clients will be disconnected.

Bring up a chat box while in the game (T key), and type %n%n%n , and hit enter.
You will see the above results.

This is gdb output from when the game was started as a server. Then I connected
as a client, performed the above steps. Server crashed, and I did a backtrace:

Starting program: /usr/games/bin/scorched3d
(no debugging symbols found)...(no debugging symbols found)...[Thread debugging
using libthread_db enabled]
[New Thread 16384 (LWP 15861)]

(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...[New Thread 32769 (LWP 15900)]
[New Thread 16386 (LWP 15901)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 15861)]
0x40873de8 in vfprintf () from /lib/libc.so.6
(gdb) backtrace
#0  0x40873de8 in vfprintf () from /lib/libc.so.6
#1  0x4088e23c in vsprintf () from /lib/libc.so.6
#2  0x0809302e in std::basic_string<char, std::char_traits<char>,
std::allocator<char> > std::operator+<char, std::char_traits<char>,
std::allocator<char> >(char const*, std::basic_string<char,
std::char_traits<char>, std::allocator<char> > const&) ()
#3  0x0815cce0 in wxBitmapButtonBase::SetLabel(wxString const&) ()
#4  0x0818a3b7 in wxMenuItemList::~wxMenuItemList() ()
#5  0x080eb683 in std::basic_string<char, std::char_traits<char>,
std::allocator<char> > std::operator+<char, std::char_traits<char>,
std::allocator<char> >(char const*, std::basic_string<char,
std::char_traits<char>, std::allocator<char> > const&) ()
#6  0x080ee7d0 in std::basic_string<char, std::char_traits<char>,
std::allocator<char> > std::operator+<char, std::char_traits<char>,
std::allocator<char> >(char const*, std::basic_string<char,
std::char_traits<char>, std::allocator<char> > const&) ()
#7  0x081859f8 in wxMenuItemList::~wxMenuItemList() ()
#8  0x4052188d in wxEvtHandler::SearchEventTable(wxEventTable&, wxEvent&) ()
   from /usr/lib/libwx_gtk-2.4.so
#9  0x405216b3 in wxEvtHandler::ProcessEvent(wxEvent&) ()
   from /usr/lib/libwx_gtk-2.4.so
#10 0x405d50db in wxTimerBase::Notify() () from /usr/lib/libwx_gtk-2.4.so
#11 0x404cc44d in timeout_callback () from /usr/lib/libwx_gtk-2.4.so
#12 0x40e03ecb in g_timeout_dispatch () from /usr/lib/libglib-1.2.so.0
#13 0x40e0462e in g_main_dispatch () from /usr/lib/libglib-1.2.so.0
#14 0x40e043eb in g_main_iterate () from /usr/lib/libglib-1.2.so.0
#15 0x40e03384 in g_main_run () from /usr/lib/libglib-1.2.so.0
#16 0x40cefbf7 in gtk_main () from /usr/lib/libgtk-1.2.so.0
#17 0x404786c9 in wxApp::MainLoop() () from /usr/lib/libwx_gtk-2.4.so
#18 0x404dbfa7 in wxAppBase::OnRun() () from /usr/lib/libwx_gtk-2.4.so
#19 0x40478edd in wxEntry(int, char**) () from /usr/lib/libwx_gtk-2.4.so
#20 0x08177791 in wxMenuItemList::~wxMenuItemList() ()
#21 0x4083f7a7 in __libc_start_main () from /lib/libc.so.6
#22 0x08055711 in ?? ()
(gdb) quit
The program is running.  Exit anyway? (y or n) y



Portage 2.0.49-r18 (default-x86-1.4, gcc-3.2.3, glibc-2.3.2-r1, 2.6.1)
=================================================================
System uname: 2.6.1 i686 AMD Athlon(TM) XP 1800+
Gentoo Base System version 1.4.3.10p1
distcc 2.12.1 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632)
[disabled]
ccache version 2.3 [enabled]
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CFLAGS="-fstack-protector -O2 -march=athlon-xp -fomit-frame-pointer
-funroll-loops -fprefetch-loop-arrays -pipe -mmmx -msse -m3dnow
-mfpmath=sse,387"
CHOST="i686-pc-linux-gnu"
COMPILER="gcc3"
CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config
/usr/kde/3.1/share/config /usr/kde/3.2/share/config /usr/kde/3/share/config
/usr/share/config /var/bind /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/env.d"
CXXFLAGS="-fstack-protector -O2 -march=athlon-xp -fomit-frame-pointer
-funroll-loops -fprefetch-loop-arrays -pipe -mmmx -msse -m3dnow
-mfpmath=sse,387"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs buildpkg ccache notitles sandbox"
GENTOO_MIRRORS="ftp://ftp.ussg.iu.edu/pub/linux/gentoo ftp://gentoo.noved.org/
http://mirror.tucdemonic.org/gentoo/
http://mirror.clarkson.edu/pub/distributions/gentoo/"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage"
USE="3dnow X aalib alsa apm avi berkdb cdr crypt cups dv encode foomaticdb gdbm
gif gnome gpm gtk gtk2 imlib java jpeg kde ldap libg++ libwww mad mikmod mmx
motif mozilla mpeg ncurses nls oggvorbis opengl oss pam pdflib perl png python
qt quicktime readline sdl slang spell sse ssl svga tcltk tcpd tiff truetype x86
xml2 xmms xv zlib"

------- Comment #1 From SpanKY 2004-01-24 19:23:01 0000 -------
unless it's exploitable there's no need for security to be involved

is this known upstream ?

------- Comment #2 From FieldySnuts 2004-01-24 19:31:26 0000 -------
I do not know if upstream is aware of this.

Also, I don't know if this accomplishes anything but I recompiled it with -fstack-protector in CFLAGS, which is supposed to turn on propolice in GCC. Game runs fine, however still crashes as above. Perhaps this alleviates real security problems that may stem from this? Just guessing.

------- Comment #3 From Tim Yamin (RETIRED) 2004-01-25 02:31:51 0000 -------
I'm adding security back in because this is exploitable. Read paragraph 2,
Mike, please...

------- Comment #4 From SpanKY 2004-01-25 02:35:39 0000 -------
i don't see anything anywhere that says 'exploitable' ...

DoS (crashing the server and punting the clients) is not GLSA worthy ...

so what am i missing ? :p

------- Comment #5 From solar 2004-01-25 13:22:06 0000 -------
The %n in the format string is what leads to heap overflows. There have been 
quite a number of papers published on this subject.

I've unpacked the scorched3d source and took a peek and I've got to say 
there are quite a few potential attack vectors in it.

Code such as printf(foo); often indicates a bug, since foo may contain a 
% character.  If foo comes from untrusted user input, it may contain %n,
causing the printf call to write to memory and creating a security hole.

In theory sending a carefully crafted (perhaps udp) packet to somebody 
connected to a scorched3d server could cause remote clients to crash or even
execute arbitrary code.
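
The printf(foo) pattern solar describes, as an added example for this bug (not code from scorched3d, the attached patch, or any commenter): a variadic logging wrapper of the kind games carry, the call shape that turns a chat line into the format string, the constant-format fix that makes "%n%n%n" plain text again, and a scanner that counts the conversions an untrusted string would introduce. Function names (chat_printf_unsafe, format_chat_safe, count_directives) and the sample messages are illustrative; the "%n%n%n" line is the one from the report. The unsafe call is shown in a comment rather than run, since with "%n" it stores through varargs that were never passed.

```c
/* Added example for bug 39302, not scorched3d code. Names are illustrative. */
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Thin variadic wrapper, as games often have for logging and chat.
 * Harmless on its own; the bug is in callers that pass player text as fmt. */
int chat_printf_unsafe(char *out, size_t outsz, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return r;
}

/* Bug shape (not executed here):
 *     chat_printf_unsafe(buf, sizeof buf, msg);
 * With msg == "%n%n%n", vsnprintf fetches three pointer-sized varargs that
 * were never passed and stores the byte count written so far through each of
 * them. That store is the SIGSEGV inside vfprintf() in the backtrace above;
 * with a chosen pointer and width it becomes a controlled write, which is
 * why -fstack-protector (a canary check on return) does not stop it. */

/* Fix: a constant format, with the untrusted text only ever a %s argument.
 * This is the change solar's comment points at; "%n" in msg stays literal. */
int format_chat_safe(char *out, size_t outsz, const char *player, const char *msg) {
    return snprintf(out, outsz, "%s: %s", player, msg);
}

/* Server-side check while a code base is still being audited for printf(foo)
 * calls: how many conversions would msg introduce if it reached a format
 * function, and is any of them %n. "%%" is a literal percent, not a directive. */
int count_directives(const char *msg, bool *has_n) {
    int n = 0;
    *has_n = false;
    for (const char *p = msg; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '\0') break;              /* trailing lone '%' */
        if (*p == '%') continue;            /* "%%" */
        /* skip flags, width, precision and length modifiers */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p)) p++;
        if (*p == '\0') break;
        if (*p == 'n') *has_n = true;
        n++;                                /* *p is the conversion character */
    }
    return n;
}

int main(void) {
    char buf[128];
    bool has_n;
    const char *msg = "%n%n%n";             /* the chat line from the report */
    int n = count_directives(msg, &has_n);
    printf("directives=%d has_n=%d\n", n, (int)has_n);
    format_chat_safe(buf, sizeof buf, "FieldySnuts", msg);
    printf("safe: %s\n", buf);              /* "%n%n%n" survives as plain text */
    return 0;
}
```

Compiling with -Wformat-security (or -Werror=format-security, which some distributions turn on by default) flags the bug-shaped call because the format is neither a literal nor followed by arguments; the wrapper itself and the fixed call compile clean. The scanner is a stopgap for logging or rejecting suspicious chat while the real fix, constant formats everywhere, is applied.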

------- Comment #6 From solar 2004-01-25 13:29:52 0000 -------
Created an attachment (id=24409)
incomplete-bounds-checking.diff

More auditing needs to be done.

untested and incomplete patch by itself. It's a start for anybody interested in
adding basic bounds checking.

------- Comment #7 From SpanKY 2004-01-26 14:37:25 0000 -------
i got a reply back from the author and he said he'll tackle it:

Thanks for the e-mail.  I will fix that, should be fairly easily done.
I should have thought of it really :).

I have also seen the patch on the link you sent, although snprintf would
be a good idea, there is no equivalent on windows.  This may not be so
easily done.

------- Comment #8 From SpanKY 2004-04-05 20:33:27 0000 -------
games-strategy/scorched3d-37 is in portage

a glsa can go out now

------- Comment #9 From Thierry Carrez (RETIRED) 2004-04-07 08:22:09 0000 -------
Changing product to GLSA

------- Comment #10 From Thierry Carrez (RETIRED) 2004-04-09 02:53:20 0000 -------
GLSA on its way

------- Comment #11 From Kurt Lieber 2004-04-09 06:31:34 0000 -------
GLSA 200404-12
