Comment 1 Carsten Lohrke (RETIRED) 2005-11-03 15:39:27 UTC

Created attachment 72076 [details]
advisory.txt

Luigi Auriemma's advisory web page links are dead, so here's a text copy from
full-disclosure.

Comment 2 Mr. Bones. (RETIRED) 2005-11-04 08:40:34 UTC

Package masked until upstream addresses the issue.

Comment 3 Thierry Carrez (RETIRED) 2005-11-05 09:42:19 UTC

Maybe a masking GLSA is in order.

Comment 4 Thierry Carrez (RETIRED) 2005-11-10 06:59:39 UTC

Security please vote on masking GLSA need.

Should we issue a GLSA describing the issue and advising users to unmerge the
package ? This masking GLSA would be updated with a final one when/if this is
fixed upstream one day.

Comment 5 Sune Kloppenborg Jeppesen (RETIRED) 2005-11-10 07:06:41 UTC

I tend to vote YES, this is not DoS only. 

Comment 6 Tavis Ormandy (RETIRED) 2005-11-14 01:24:49 UTC

vote YES on masking glsa.

Comment 7 Thierry Carrez (RETIRED) 2005-11-14 02:35:42 UTC

Then we should do one. I'll handle it...

Comment 8 Thierry Carrez (RETIRED) 2005-11-15 04:52:54 UTC

Mask GLSA 200511-12
Setting to enhancement, Waiting on upstream version fix.

Any word from upstream on this?

Comment 10 Chris Gianelloni (RETIRED) 2006-06-14 13:50:31 UTC

Upstream is dead.  However, I've been working with the Fedora packager to try to sync up our patches between our two distributions.  It might be a little while, but I'll get to it.

Great, thanks so much for the work and the update!

</forums-over-bugzilla>

These bugs have been addressed for the soon to be released v40 of this.

Referencing the bugs as listed in "advisory.txt":

A] format string and buffer-overflow in addLine and SendString*

vsprintf is no longer used at all.

B] server freeze through negative numplayers

These values now use an unsigned int

C] ComsMessageHandler buffer-overflow

sprintf has been replaced by snprintf to prevent this.

D] various crashes and possible code execution in Logger.cpp

These have been addressed in the same fashion as the string overflows above.

Version 40 of Scorched3d will be released over the next couple days, and I'm looking forward to getting it back into the portage tree!

Diff for scorched3d-40.ebuild:
diff scorched3d-39.1-r1.ebuild scorched3d-40.ebuild
3c3
< # $Header: /var/cvsroot/gentoo-x86/games-strategy/scorched3d/scorched3d-39.1-r1.ebuild,v 1.1 2006/05/12 18:40:23 wolf31o2 Exp $
---
> # $Header: /var/cvsroot/gentoo-x86/games-strategy/scorched3d/scorched3d-40.ebuild,v 1.0 2006/07/09 13:34:00 cbx550f Exp $
13,14c13,14
< KEYWORDS="~amd64 ~ppc ~x86"
< IUSE="mysql"
---
> KEYWORDS="~amd64 ~ppc x86"
> IUSE="mysql vorbis"
23c23,24
<       mysql? ( dev-db/mysql )"
---
>       mysql? ( dev-db/mysql )
>       vorbis? ( media-libs/libvorbis )"
40a42
>               $(use_with vorbis) \
50,51d51
<       insinto "${GAMES_DATADIR}/scorched3d/data/globalmods/apoc/data/textures/explode/"
<       doins "${FILESDIR}/smoke-orange.bmp" || die "doins failed" #bug #105237


Thank you

Paul Vint (aka cbx550f)

Comment 13 Chris Gianelloni (RETIRED) 2006-08-09 08:36:36 UTC

OK.  Version 40 is released and in the tree.

Comment 14 Sune Kloppenborg Jeppesen (RETIRED) 2006-08-09 11:27:26 UTC

Thx Chris.

Arches please test and mark stable.

Comment 15 Tobias Scherbaum (RETIRED) 2006-08-09 13:03:59 UTC

ppc stable

Comment 16 Joshua Jackson (RETIRED) 2006-08-09 21:06:39 UTC

x86 is stable.

Comment 17 Sune Kloppenborg Jeppesen (RETIRED) 2006-08-10 00:43:11 UTC

This one is ready for GLSA.

Comment 18 Raphael Marichez (Falco) (RETIRED) 2006-08-11 02:41:57 UTC

glsa-update sent (200511-12), closing.