Luigi Auriemma has reported some vulnerabilities in Doomsday, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.

1) A boundary error exists within the "D_NetPlayerEvent()" function in d_net.c when processing chat messages. This can be exploited to overflow a global buffer by sending an overly long chat message to the affected server. Successful exploitation may allow the execution of arbitrary code on the game server and the connected clients.

2) A boundary error exists within the "Msg_Write()" function in net_msg.c when processing chat messages. This can be exploited to overflow a global buffer by sending an overly long chat message to the affected server.

3) An integer underflow error exists within the "Sv_HandlePacket()" function in sv_main.c when processing chat messages. This can be exploited to trigger a failure to allocate required memory, which leads to a DoS.

4) A boundary error exists within the "NetSv_ReadCommands()" function in d_netsv.c when processing client commands. This can be exploited to overflow a static buffer by sending more than 30 commands to the affected server.

5) A format string error exists within the "Cl_GetPackets()" function when processing "PSV_CONSOLE_TEXT" messages sent by the server. This can potentially be exploited by a malicious server to execute arbitrary code on the affected clients by sending specially crafted messages.

NOTE: An error in the processing of chat messages may leave a string without a NULL character at the end. This may trigger other vulnerabilities.

The vulnerabilities are reported in version 1.9.0-beta5.1 and prior. Other versions may also be affected.
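As an added illustration (constructed here, not code from Doomsday or from this bug thread), the following C sketch shows the defensive shape of the three chat-message and console-text paths the advisory describes: a bounded copy that always NUL-terminates, a length check before the header subtraction, and server text kept out of the format string. All function and buffer names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed illustration, not Doomsday's code: chat_store, chat_payload_len
 * and console_render are hypothetical names. Each mirrors one advisory item:
 * bounded copy that always NUL-terminates (items 1, 2 and the NOTE),
 * a length check before subtraction (item 3), and server text kept out of
 * the format string (item 5). */

#define CHAT_MAX 256
#define HDR_LEN 2
static char chat_buf[CHAT_MAX];     /* global buffer, as in the advisory */
static char console_line[CHAT_MAX];

/* Store a chat message: reject anything that would not fit with its NUL,
 * so the copy can never run past chat_buf. Returns bytes stored or -1. */
int chat_store(const char *msg, size_t len)
{
    if (msg == NULL || len > CHAT_MAX - 1)
        return -1;                  /* checked before any read or write */
    memcpy(chat_buf, msg, len);
    chat_buf[len] = '\0';           /* terminator is written unconditionally */
    return (int)len;
}

/* Payload length of a packet with a HDR_LEN-byte header. Checking
 * pkt_len < HDR_LEN first avoids the size_t wrap-around that otherwise
 * turns into a huge allocation request. Returns -1 if the packet is too short. */
long chat_payload_len(const uint8_t *pkt, size_t pkt_len)
{
    if (pkt == NULL || pkt_len < HDR_LEN)
        return -1;
    return (long)(pkt_len - HDR_LEN);
}

/* Render server-supplied console text. The text is a %s argument, never the
 * format string, so any directives inside it are printed literally. */
const char *console_render(const char *text)
{
    snprintf(console_line, sizeof console_line, "%s", text);
    return console_line;
}

int main(void)
{
    chat_store("hello", 5);
    printf("%s | %ld | %s\n", chat_buf,
           chat_payload_len((const uint8_t *)"\x01\x02hi", 4),
           console_render("%x %n"));
    return 0;
}
```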
CC'ing herd and setting whiteboard status.
masked
The security issues seem to be solved in the security update 1.9.0_beta5.2 release (what a horrible versioning scheme *_* ) http://sourceforge.net/forum/forum.php?forum_id=736045 It is sufficient to update the ebuild, right?
Should be fixed in beta5.2 which I just put into portage.
You can remove the p.mask on this ebuild then. doomsday-1.9.0_beta4 was stable before masking, so to not introduce version regressions, this should go stable too. Bones, what do you think about stabling 5.2?
Sounds good to me. I went ahead on that.
(In reply to comment #5)
> You can remove the p.mask on this ebuild then.
>
> doomsday-1.9.0_beta4 was stable before masking, so to not introduce version
> regressions, this should go stable too. Bones, what do you think about stabling
> 5.2?

I suggest *NOT* marking this version as stable, because it still contains several bugs, one of which has been reported in this [1] Gentoo Forums topic; see also the linked Doomsday bug report [2] (and IMHO this bug is quite annoying). I also have the bad sensation that the future of the development of this engine won't be so shiny... [3] :(

[1] http://forums.gentoo.org/viewtopic-t-622382.html
[2] http://sourceforge.net/tracker/index.php?func=detail&aid=1807891&group_id=74815&atid=542099
[3] http://www.dengine.net/blog/?p=113#comment-1993
Yeah, welcome to the world of open-source games. It's better than the previously stabled versions, so I'm ok with the current state.
glsa request filed.
Upstream confirmed that CVE-2007-4644 was not fixed by the update.
Either this bug should go back into upstream status or we should open another bug for CVE-2007-4644 and release the (corrected) GLSA.
Mr. Bones, the most serious issue never got fixed. Please mask it again until we get a fixed version.
done.
Thx.
Any news about this?

* games-fps/doomsday-1.9.0_beta52:0::gentoo: Masked by repository (/var/paludis/repositories/gentoo/profiles/package.mask: Michael Sterrett <mr_bones_@gentoo.org> (15 Jan 2008) Security mask (bug #190835) https://bugs.gentoo.org/show_bug.cgi?id=190835)

So when will this be removed?
(In reply to comment #15)
> Any news about this?
>
> * games-fps/doomsday-1.9.0_beta52:0::gentoo: Masked by repository
> (/var/paludis/repositories/gentoo/profiles/package.mask: Michael Sterrett
> <mr_bones_@gentoo.org> (15 Jan 2008) Security mask (bug #190835)
> https://bugs.gentoo.org/show_bug.cgi?id=190835)
>
> So when will this be removed?

Why should it be removed? The mask is here to remind users that this game is currently vulnerable. If upstream releases a new version fixing this issue, it should be unmasked again.
And GLSA 200802-02, sorry for the delay.
mask glsa is not a fix, is it?
We usually leave it open until the ebuild is purged or unmasked and GLSA rereleased.
1.9.0_beta52 is unplayable because of a corrupted player control system. So 1.9.0_beta51 should be returned to portage...
Upstream pulled beta5.2. It should be removed from Portage, for playability and security reasons. As an alternative, I created Attachment 170876 [details] (also see bug 188895). This uses the same SVN sources that are also used to build the Ubuntu packages and should fix all vulnerabilities, *except* one:

> A format string error exists within the "Cl_GetPackets()" function when processing "PSV_CONSOLE_TEXT" messages sent by the server. This can potentially be exploited by a malicious server to execute arbitrary code on the affected clients by sending specially crafted messages.

A dev noted: "I could only ever trigger a DoS with this, no arbitrary code running". It should also work on AMD64 now.
It's currently masked. That's good enough. We'll just pick up their next release.
1.9-beta6.1 has just been released: http://www.doomsdayhq.com/
Bumped to 1.9-beta6.2 but I don't know if it's fixed.
doomsday-1.9.0_beta52 is gone. I've removed the entry from package.mask.
Affected version long gone. noglsa.