Bug 285010 - games-server/ut200[3,4]-*, games-fps/postal2* Unreal engine DOS (CVE-2008-{6441,7011})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://secunia.com/advisories/31854/
Whiteboard: B2 [ebuild/upstream?]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-09-14 22:19 UTC by Stefan Behte (RETIRED)
Modified: 2019-12-27 00:26 UTC
Description Stefan Behte (RETIRED) gentoo-dev Security 2009-09-14 22:19:45 UTC
CVE-2008-7011 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-7011):
  The Unreal engine, as used in Unreal Tournament 3 1.3, Unreal
  Tournament 2003 and 2004, Dead Man's Hand, Pariah, WarPath, Postal2,
  and Shadow Ops, allows remote authenticated users to cause a denial
  of service (server exit) via multiple file downloads from the server,
  which triggers an assertion failure when the Closing flag in
  UnChan.cpp is set.
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2010-01-29 11:41:47 UTC
CVE-2008-6441 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-6441):
  Format string vulnerability in the Epic Games Unreal engine client,
  as used in multiple games, allows remote servers to execute arbitrary
  code via (1) the CLASS parameter in a DLMGR command, (2) a malformed
  package (PKG), and possibly (3) the LEVEL parameter in a WELCOME
  command.

Comment 2 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-03 02:15:33 UTC
There appears to be no upstream fix for this. Do we care enough to mask this?
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-03-21 12:27:06 UTC
Fast forward 2.5 years.  Anyone opposed to last riting these?
Comment 4 Mr. Bones. (RETIRED) gentoo-dev 2016-03-21 19:47:21 UTC
people still play them so there's no reason to last rite them.  i highly doubt anyone is experiencing any issue outside of a research environment.
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2016-03-21 23:37:06 UTC
Well from a security standpoint we ought to do something.  At least reverting the items to unstable seems reasonable or a proper warning of the unpatched vulnerabilities.  Additional thoughts?
Comment 6 Mr. Bones. (RETIRED) gentoo-dev 2016-03-21 23:50:57 UTC
that's not what the keywords are for.  I support adding the packages to package.mask so the user gets a message telling them where to get more information though.
Comment 7 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-20 00:27:46 UTC
PING:

From: 

http://www.securityfocus.com/bid/31205/exploit

Unreal Engine 'UnChan.cpp' Failed Assertion Remote Denial of Service Vulnerability

The following exploit code is available:
/data/vulnerabilities/exploits/31205.zip


From:

http://aluigi.altervista.org/adv/unreaload-adv.txt

======
4) Fix
======


No fix

Exist at least 2 easy work-arounds for this vulnerability:

- setting "AllowDownloads=false" in the INI file of the game.
  naturally this method can't solve the problem if exist other ways
  (of which I'm not aware at the moment) to exploit this vulnerability

- disabling the "!Closing" assertion (tests performed on the Windows
  and Linux servers of some games), the list of the bytes to modify
  with a hex editor is available here:

    http://aluigi.org/patches/unrealoadfix.txt

- there is a "strange" way that has avoided the termination of the
  server (and I report it here only for thoroughness) through the
  enabling of the map voting (like [xVoting.xVotingHandler] and
  bMapVote=True in the INI of UT2003 and UT2004)
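
A configuration check for the first workaround quoted above, added here as an example (it is not from the advisory or from Gentoo). The quoted text does not say which INI section holds `AllowDownloads`, so the check is section-agnostic; the sample INI text and the function names are constructed for illustration.

```python
import re

SECTION = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
SETTING = re.compile(r"^(?P<key>[^=;\s][^=]*?)\s*=\s*(?P<val>.*)$")

# Constructed sample input; the section name is an assumption and the
# check below does not depend on it.
SAMPLE_DEFAULT = """\
[URL]
Port=7777

[IpDrv.TcpNetDriver]
ConnectionTimeout=15.0
AllowDownloads=True
"""
SAMPLE_HARDENED = SAMPLE_DEFAULT.replace(
    "AllowDownloads=True", "allowdownloads = False")


def find_setting(ini_text, key):
    """Return (section, value) for every occurrence of key, case-insensitively.

    Unreal INI files repeat keys, so every occurrence is collected rather
    than letting a later line silently replace an earlier one.
    """
    hits, section = [], None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        m = SECTION.match(line)
        if m:
            section = m.group("name")
            continue
        m = SETTING.match(line)
        if m and m.group("key").strip().lower() == key.lower():
            hits.append((section, m.group("val").strip()))
    return hits


def audit_downloads(ini_text):
    """Classify the INI against the AllowDownloads=false workaround."""
    hits = find_setting(ini_text, "AllowDownloads")
    if not hits:
        return "missing", hits  # engine default applies: treat as unverified
    if all(value.lower() == "false" for _, value in hits):
        return "workaround-applied", hits
    return "downloads-enabled", hits
```

A result of `missing` means the key is absent and the effective value depends on the engine default, so it should be set explicitly rather than assumed.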
Comment 8 Arfrever Frehtes Taifersar Arahesis 2019-12-07 03:10:01 UTC
games-server/ut2004-ded is still in repository.

About games-fps/postal2:

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dc30f52f63ff7d12cb347187c4bc802533e92fb1

commit dc30f52f63ff7d12cb347187c4bc802533e92fb1
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2019-11-20 17:11:18 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2019-11-20 17:27:42 +0000

    games-fps/postal2: drop last-rited package
    
    Signed-off-by: Aaron Bauman <bman@gentoo.org>
Comment 9 Larry the Git Cow gentoo-dev 2019-12-08 21:28:02 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5e1e96c14effb4f076191f9d8023547cb7e15ff4

commit 5e1e96c14effb4f076191f9d8023547cb7e15ff4
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2019-12-08 21:21:44 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2019-12-08 21:27:53 +0000

    games-server/ut2004-ded: drop vulnerable package
    
    * This should have been dropped along with the other ut2004/unreal engine bugs
    
    Closes: https://bugs.gentoo.org/285010
    
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 games-server/ut2004-ded/Manifest                   |  3 -
 games-server/ut2004-ded/files/ut2004-ded.confd     |  6 --
 games-server/ut2004-ded/files/ut2004-ded.initd     | 13 ----
 games-server/ut2004-ded/metadata.xml               | 11 ---
 .../ut2004-ded/ut2004-ded-3369.3-r2.ebuild         | 88 ----------------------
 5 files changed, 121 deletions(-)
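
Review bot: The commit message gives "This should have been dropped along with the other ut2004/unreal engine bugs" as its whole rationale, while the diffstat removes the only listed ebuild, ut2004-ded-3369.3-r2, without saying which CVE applies to that version. Name CVE-2008-6441 and CVE-2008-7011 in the message and state whether 3369.3 is known to be affected, so the removal can be checked against the advisories later.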
Comment 10 Larry the Git Cow gentoo-dev 2019-12-27 00:26:12 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8901773bdbd36ccf9157642a98e5f39fd0245e54

commit 8901773bdbd36ccf9157642a98e5f39fd0245e54
Author:     James Le Cuirot <chewi@gentoo.org>
AuthorDate: 2019-12-27 00:19:18 +0000
Commit:     James Le Cuirot <chewi@gentoo.org>
CommitDate: 2019-12-27 00:25:53 +0000

    Revert "games-server/ut2004-ded: drop vulnerable package"
    
    This reverts commit 5e1e96c14effb4f076191f9d8023547cb7e15ff4.
    
    This package was dropped because of CVE-2008-6441 and
    CVE-2008-7011. However, UT2004 was reported to *not* be vulnerable to
    the former and the latter was almost certainly fixed in 3369.3. I
    cannot find any release notes but the published workaround related to
    3369.2 and 3369.3 was built just three days after the vulnerability
    was announced.
    
    Bug: https://bugs.gentoo.org/285010
    Signed-off-by: James Le Cuirot <chewi@gentoo.org>

 games-server/ut2004-ded/Manifest                   |  3 +
 games-server/ut2004-ded/files/ut2004-ded.confd     |  6 ++
 games-server/ut2004-ded/files/ut2004-ded.initd     | 13 ++++
 games-server/ut2004-ded/metadata.xml               | 11 +++
 .../ut2004-ded/ut2004-ded-3369.3-r2.ebuild         | 88 ++++++++++++++++++++++
 5 files changed, 121 insertions(+)
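
Review bot: The restored files mirror the removal exactly (the same five files, 121 lines), so the conclusion that CVE-2008-7011 "was almost certainly fixed in 3369.3" is recorded only in this commit message, which itself notes that no release notes were found. Consider recording the assessment where users of the package will see it, for example as a comment in ut2004-ded-3369.3-r2.ebuild, and cite the source behind "reported to *not* be vulnerable" for CVE-2008-6441.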