http://www.securityfocus.com/archive/1/356904/2004-03-08/2004-03-14/0

Description:
The problem is a format string bug in the Classes management. Each time a client connects to a server it sends the names of the objects it uses (called classes). If an attacker uses a class name containing format parameters (as %n, %s and so on) he will be able to crash or also to execute malicious code on the remote server.

Affected ebuilds: UT2003, America's Army, ... (maybe more, i'm not a game freak)
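The bug class described in the report, shown as an added C example that is not taken from the Unreal engine or from this thread: a client-supplied class name used as the format string, beside the corrected call that passes it only as data. The function names and the sample class name are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* The vulnerable call below is intentional; silence the compiler's
 * format-string diagnostics so the example builds everywhere. */
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"

/* Hypothetical stand-in for a server routine that reports a class name
 * received from a client. VULNERABLE: the name itself is the format
 * string, so any conversion specifier inside it is interpreted. */
int report_class_vulnerable(char *out, size_t outlen, const char *class_name)
{
    return snprintf(out, outlen, class_name);
}

/* Hardened: the format is a constant; the name is passed only as data. */
int report_class_fixed(char *out, size_t outlen, const char *class_name)
{
    return snprintf(out, outlen, "%s", class_name);
}

/* Input check: returns 1 if the name contains '%' and should be rejected
 * before it reaches any logging or error-message path. */
int class_name_has_format_chars(const char *class_name)
{
    return strchr(class_name, '%') != NULL;
}

int main(void)
{
    /* Constructed sample input. "%%" is the only specifier used because it
     * consumes no argument, so the vulnerable call stays well defined. */
    const char *name = "Engine.Pawn%%";
    char a[64], b[64];

    report_class_vulnerable(a, sizeof a, name);
    report_class_fixed(b, sizeof b, name);
    printf("vulnerable: %s\n", a);   /* the "%%" was interpreted */
    printf("fixed:      %s\n", b);   /* the name is copied verbatim */
    printf("reject:     %d\n", class_name_has_format_chars(name));
    return 0;
}
```
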
i'm not 100% sure but i believe UT-451 and UT:GOTY-451 are not affected

the post-436 versions of UT are maintained by this group: http://utpg.org/

their news page talks about 'Fix for Player Login Crash Bug' (dated Jul-16-03)

the 451 have these fixes
No idea SpanKY - from the linked bugtraq msg:

> About UT and UT2003:
> EpicGames refused to release a quick-fix for UnrealTournament and
> UnrealTournament 2003 so the fix was inserted in the planned patch
> as they do for graphic bugs and other small problems... the patch has
> not been released yet and is impossible to know when it will be ready.
I am looking into this and will hopefully have a solution some time soon. However, given Epic's take on such things, I doubt we will see any form of fix until they release their next round of patches.
Is there any word on Epic IRT this?? Thanks! -C
Epic? Security fix? Surely you jest! Epic doesn't release "hot fixes" of any kind, so we have to wait until the next full patch before this will get fixed.
Wow. This is kinda a serious problem with QA. Exploitable packages should not be in the portage tree. If no fix exists then it should be masked. But I/we know that masking games might not fly. But reading ..

"About UT and UT2003: EpicGames refused to release a quick-fix for UnrealTournament and UnrealTournament 2003 so the fix was inserted in the planned patch as they do for graphic bugs and other small problems... the patch has not been released yet and is impossible to know when it will be ready."
Because this bug allows arbitrary remote code execution, I consider it a fairly serious issue. Consequently, the security team intends to hard mask any affected packages on or after 0600 on Wednesday. Comments/concerns should be posted to the thread on gentoo-core and/or here.

--kurt
errr....make that 0600 on Thursday...
The following packages are expected to be masked because of this:

games-fps/unreal
games-fps/unreal-tournament
games-fps/unreal-tournament-goty
games-fps/unreal-tournament-infiltration
games-fps/unreal-tournament-strikeforce
games-fps/unreal-tournament-bonuspacks
games-fps/ut2003-bonuspack-epic
games-fps/ut2003
games-fps/ut2003-demo
games-server/ut2003-ded
games-fps/americas-army

Some of these packages may not be directly affected, but depend on other packages that are, so masking them as well limits the tree breakage. If we determine that some/all of these games are, in fact, not vulnerable to the reported bug, we can unmask them individually as necessary.
after looking at the site Mike posted above, we may be able to avoid masking:

games-fps/unreal-tournament
games-fps/unreal-tournament-goty
games-fps/unreal-tournament-infiltration
games-fps/unreal-tournament-strikeforce
games-fps/unreal-tournament-bonuspacks

Not sure about games-fps/unreal, however.
there are a few parts to unreal ...

(1) it can only use the UT libraries from 436 atm ... 451 crashes it
(2) it's a single player game and although it is possible to host a server with it, i don't know of anyone who would do so for the internet ... it's only compatible with the same setup (linux unreal binary built on top of UT 436 libraries) ... in other words, Windows Unreal and UT (on any OS) is not compatible
From the utpg.org home page news item:

--------------------------------------------------------
Fix for Player Login Crash Bug
UT General :: Jul-16-03

From UnrealAdmin.org, here is a fix for the player login crash bug. This will be incorporated into the next patch as well:

All admins are advised to open their Core.int files and modify the following entry:

LoadClassMismatch=%s is not a child class of %s.%s

Change it to read:

LoadClassMismatch=%s is not a child class of %s.

This will prevent malicious clients from crashing your server by specifying an invalid player class when logging in. This fix should only be applied to Unreal Tournament servers, and you should restart your server after modifying the Core.int file in order to apply the changes.
--------------------------------------------------------

That does not appear to be a fix for the issue reported in this bug:

"If an attacker uses a class name containing format parameters (as %n, %s and so on) he will be able to crash or also to execute malicious code on the remote server."

As such, recommending we hard mask all packages for now until we have enough time to test/validate vulnerability.
Discussed with Mike on IRC. Masking packages for now until we have more time to test. Pointed Mike to the POC at http://aluigi.altervista.org/poc/unrfs-poc.zip. He will test on Thurs.
ut2003, ut2003-bonuspack-epic, ut2003-ded, ut2003-demo, and americas-army have been fixed.
Maybe we should issue a "Temporary" GLSA with the partial fix and reasons why the other packages are masked ?
just tested ut-451 and it is not fixed

utpg.org has released 451b to 'Fixed a couple of bugs that caused the client and server to crash when invalid classes are loaded'

however, they've only released for windows ... i e-mailed them asking about the linux version
utpg got back to me and they said they're working on 451b for linux and it should 'be out shortly' ... we could wait for them before issuing a GLSA as i think it's the only game that'll be addressed in the near future ...
Still no sign of 451B for Linux on utpg.org. I think we should release a GLSA, unless someone has inside contacts with utpg defining what they mean by "shortly". -K
Re-emailed UTPG team to ask for Linux patch availability dates.
Status update (masked ebuilds)
There is a 451b of UTPG now... perhaps we should revisit this now?
Never mind... I see now that it is the Windows version... perhaps I should read better before posting...
CondorDes: It's now assigned to you -- please check now and then if UTPG finally released that 451B patch for Linux : http://utpg.org/
no updates on this bug in forever -- site hasn't been updated since before that. packages are hard-masked. assuming this is a bug upstream doesn't plan to fix. closing as cantfix. we can re-open if/when upstream fixes.
too bad

is there any way to fix this security bug OUTSIDE unreal??? without sandboxing unreal??? such as tcp-ip filtering???
No.

The only solution is to not run a server.

games-fps/unreal
games-fps/unreal-tournament
games-fps/unreal-tournament-goty

These are still vulnerable (and masked) because of this and we don't ever expect there to be a proper fix for them.
(In reply to comment #26)
> No.
>
> The only solution is to not run a server.
>
> games-fps/unreal
> games-fps/unreal-tournament
> games-fps/unreal-tournament-goty
>
> These are still vulnerable (and masked) because of this and we don't ever
> expect there to be a proper fix for them.
>

so this is only for a SERVER?
if i run unreal and i connect to a server i have no risk at all?(with this bug)
that is great...i haven't understood this that way
so if i don't serve a game and sandbox the server app(i've a working uml) i'll be able to play this game...
thanks a lot
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8b093e47371dceaf8e3daaa099a8c20cba1a6d0c

commit 8b093e47371dceaf8e3daaa099a8c20cba1a6d0c
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2019-12-08 21:08:20 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2019-12-08 21:08:20 +0000

    games-fps/*: drop last-rited pkgs

    Bug: https://bugs.gentoo.org/44351
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 games-fps/aaut/aaut-1.ebuild | 23 ---
 games-fps/aaut/files/aaut | 5 -
 games-fps/aaut/metadata.xml | 15 --
 games-fps/unreal-tournament-bonuspacks/Manifest | 1 -
 .../unreal-tournament-bonuspacks/metadata.xml | 8 -
 .../unreal-tournament-bonuspacks-436.ebuild | 46 ------
 games-fps/unreal-tournament-goty/Manifest | 2 -
 games-fps/unreal-tournament-goty/metadata.xml | 36 -----
 .../unreal-tournament-goty-451.ebuild | 171 ---------------------
 games-fps/unreal-tournament-strikeforce/Manifest | 3 -
 .../unreal-tournament-strikeforce/metadata.xml | 8 -
 .../unreal-tournament-strikeforce-1.81.ebuild | 46 ------
 profiles/package.mask | 11 -
 13 files changed, 375 deletions(-)