Bug 81634 - games-action/armagetron: Multiple vulnerabilities
Summary: games-action/armagetron: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
Importance: High minor
Assignee: Gentoo Security
URL: http://aluigi.altervista.org/adv/atro...
Whiteboard: B3 [noglsa] formula7
Keywords:
Depends on:
Blocks:
 
Reported: 2005-02-11 08:26 UTC by Jean-François Brunette (RETIRED)
Modified: 2005-06-12 12:18 UTC (History)
See Also:
Package list:
Runtime testing required: ---
Description Jean-François Brunette (RETIRED) gentoo-dev 2005-02-11 08:26:20 UTC
------------------------------------
A] crash caused by big descriptor ID
------------------------------------

The game uses an array of 400 descriptors, but clients can pass their
descriptor ID using 16-bit numbers (so up to 65535).
In short, a packet with an ID greater than 400 is able to crash the server
due to the access to an unallocated zone of the array.


-------------------------------
B] crash caused by big claim_id
-------------------------------

Just like the bug described before, there is a problem in the call to
the ANET_AddrCompare() function, where it is passed the peers structure (an
array of 18 elements) indexed by the 16-bit value passed by the
client at the end of its packet.


-------------------------------------------
C] socket unreachable through empty packet
-------------------------------------------

The game uses asynchronous sockets through the usage of FIONREAD, which
returns the number of bytes received in the last packet (0 if there are
no new packets).
If the server receives an empty UDP packet it will continue to check
the socket's queue infinitely, since there are still 0 bytes, and in the
meantime it cannot handle other packets, so all the clients will be
automatically disconnected from it.
The situation returns to normal only when a new map starts and, so, the
socket is recreated.


--------------------------------
D] fake players temporary freeze
--------------------------------

Simple: the server and any connected client freeze completely if too
many players join and don't send data (time out). So an attacker can
fill the server with fake players, and when a new map starts (races in
Armagetron are short enough) nobody will be able to play on that
server.
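Issues A and B above both come down to a client-supplied 16-bit index being used against a fixed-size table (400 descriptors, 18 peers) without a range check. The following is an added illustration of the missing check, not the advisory's or Armagetron's code; the wire layout (big-endian descriptor ID first, claim_id in the last two bytes), the table types and the function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Table sizes as stated in the advisory. */
#define MAX_DESCRIPTORS 400
#define MAX_PEERS       18

/* Hypothetical stand-ins for the server's tables. */
typedef struct { int in_use; } descriptor_t;
typedef struct { uint32_t addr; uint16_t port; } peer_t;
static descriptor_t descriptors[MAX_DESCRIPTORS];
static peer_t       peers[MAX_PEERS];

enum { PKT_OK = 0, PKT_TOO_SHORT = -1, PKT_BAD_DESCRIPTOR = -2, PKT_BAD_CLAIM = -3 };

static uint16_t read_u16be(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Validate both client-controlled indices before either touches an array.
 * The vulnerable server indexed descriptors[id] and peers[claim_id] directly,
 * so any id >= 400 or claim_id >= 18 reached past the end of the table. */
int validate_packet(const unsigned char *pkt, size_t len,
                    uint16_t *desc_out, uint16_t *claim_out)
{
    if (len < 4) return PKT_TOO_SHORT;            /* need both 16-bit fields */
    uint16_t id    = read_u16be(pkt);
    uint16_t claim = read_u16be(pkt + len - 2);
    if (id >= MAX_DESCRIPTORS) return PKT_BAD_DESCRIPTOR;
    if (claim >= MAX_PEERS)    return PKT_BAD_CLAIM;
    *desc_out = id;
    *claim_out = claim;
    return PKT_OK;
}

/* Accessors that can only be reached with a validated index. */
descriptor_t *descriptor_for(uint16_t id)  { return id < MAX_DESCRIPTORS ? &descriptors[id] : NULL; }
peer_t       *peer_for(uint16_t claim)     { return claim < MAX_PEERS ? &peers[claim] : NULL; }

/* Convenience wrapper: status code only, for quick checks of constructed packets. */
int packet_status(const unsigned char *pkt, size_t len)
{
    uint16_t d, c;
    return validate_packet(pkt, len, &d, &c);
}

int main(void)
{
    /* Constructed packets: a sane one, then the two advisory cases. */
    const unsigned char ok[]        = {0x00, 0x05, 'x', 0x00, 0x03}; /* id 5, claim 3  */
    const unsigned char big_id[]    = {0xFF, 0xFF, 'x', 0x00, 0x03}; /* id 65535       */
    const unsigned char big_claim[] = {0x00, 0x05, 'x', 0x00, 0x12}; /* claim_id 18    */
    return (packet_status(ok, sizeof ok) == PKT_OK &&
            packet_status(big_id, sizeof big_id) == PKT_BAD_DESCRIPTOR &&
            packet_status(big_claim, sizeof big_claim) == PKT_BAD_CLAIM) ? 0 : 1;
}
```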
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-02-13 05:42:16 UTC
Not sure we should do anything here. Remote players can crash the game server or slow it down... But since there is no patch and upstream is dead, we probably won't fix it. It's not even worth masking since it could almost be seen as a bug, given the scope of the Armagetron game server.

games herd, opinion ?
Comment 2 Mr. Bones. (RETIRED) gentoo-dev 2005-02-13 13:22:03 UTC
Is there the possibility of remote code execution?  It sounds like there's just some DOS issues but you can do that without any code problems.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-02-13 13:42:39 UTC
It's just a bunch of DOS issues.
Comment 4 Luke Macken (RETIRED) gentoo-dev 2005-02-23 18:17:01 UTC
21:05 <@wolf31o2> lewk^: I stick by Mr_Bones_ on it... I could care less about 
                  it and wouldn't have a problem masking it if that was what 
                  was decided...

So, shall we mask it, or leave it alone? CANTFIX/INVALID has my vote.
Comment 5 SpanKY gentoo-dev 2005-02-23 18:23:15 UTC
yeah, lets just mask it ... that way if someone feels like fixing it, it'll still be around for them to get easy access to
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-02-24 04:07:24 UTC
OK for masking... someone with masking powers please do it :)
Comment 7 Chris Gianelloni (RETIRED) gentoo-dev 2005-02-24 05:22:59 UTC
Masked
Comment 8 Seemant Kulleen (RETIRED) gentoo-dev 2005-04-27 13:11:29 UTC
there's a new release upstream, 0.2.6.1, that fixes the vulns.  There's also a 0.2.7.1 release for armagetron advanced, whatever that is.
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-04-28 09:40:30 UTC
games team: time for a bump ?
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2005-05-15 08:14:25 UTC
games team: *bump*
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2005-06-08 04:36:07 UTC
Back to enhancement scope, since the games team apparently has no interest in
bumping this.
Comment 12 Chris Gianelloni (RETIRED) gentoo-dev 2005-06-08 06:26:00 UTC
Actually, this one is in my TODO list, but my main dev box hasn't been working
for a while, so I can't really do much with it at the moment.
Comment 13 SpanKY gentoo-dev 2005-06-11 15:05:42 UTC
0.2.6.1 is now in portage ... but i have no idea if it's supposed to have the fix ?
Comment 14 SpanKY gentoo-dev 2005-06-11 15:08:09 UTC
err duh, Comment #8 says it's fixed in 0.2.6.1 ;)

unmasked
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2005-06-12 01:39:09 UTC
Ready for GLSA vote. I vote no, see above comments
Comment 16 Matthias Geerdsen (RETIRED) gentoo-dev 2005-06-12 12:18:50 UTC
also voting no
-> closing