Bug 836327 (CVE-2022-23884) - <games-server/bedrock-server-1.18.2.01: integer overflow
Summary: <games-server/bedrock-server-1.18.2.01: integer overflow
Status: RESOLVED FIXED
Alias: CVE-2022-23884
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://s3.bmp.ovh/imgs/2022/01/962e0...
Whiteboard: B3 [noglsa]
Reported: 2022-03-28 16:03 UTC by John Helmert III
Modified: 2022-04-03 10:32 UTC
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-28 16:03:59 UTC
CVE-2022-23884:

Mojang Bedrock Dedicated Server 1.18.2 is affected by an integer overflow leading to a bound check bypass caused by PurchaseReceiptPacket::_read (packet deserializer).


No idea about affected versions, or a fix.
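The bug class named in the CVE text (an integer overflow that defeats a bounds check inside a packet deserializer) is easiest to see in a small reader. The following is an added illustration written for this page, not Mojang's code and not the real PurchaseReceiptPacket layout: the field format (a 32-bit little-endian length followed by that many bytes), the function names and the two sample packets are all constructed assumptions. It puts the overflowing check next to the form that cannot wrap.

```c
#include <stdint.h>
#include <stdio.h>

/* Illustrative reader for a length-prefixed field: [u32 little-endian len][len bytes].
 * Hypothetical layout; not Mojang's code and not the real PurchaseReceiptPacket format. */
typedef struct {
    const uint8_t *buf;
    uint32_t size;   /* total bytes in the packet */
    uint32_t pos;    /* read cursor; invariant pos <= size */
} reader_t;

static int read_u32_le(reader_t *r, uint32_t *out) {
    if (r->size - r->pos < 4)          /* remaining bytes; cannot wrap because pos <= size */
        return -1;
    *out = (uint32_t)r->buf[r->pos]
         | ((uint32_t)r->buf[r->pos + 1] << 8)
         | ((uint32_t)r->buf[r->pos + 2] << 16)
         | ((uint32_t)r->buf[r->pos + 3] << 24);
    r->pos += 4;
    return 0;
}

/* Vulnerable pattern: computes pos + len, which wraps modulo 2^32 for a large len,
 * so the check passes and a huge length is accepted. Returns the accepted length or -1. */
static int64_t read_field_vuln(reader_t *r, const uint8_t **field) {
    uint32_t len, end;
    if (read_u32_le(r, &len) != 0)
        return -1;
    end = r->pos + len;                /* overflow: 4 + 0xFFFFFFFC wraps to 0 */
    if (end > r->size)
        return -1;
    *field = r->buf + r->pos;          /* a caller would now read len bytes past the buffer */
    r->pos = end;
    return (int64_t)len;
}

/* Hardened pattern: compare len against the bytes that remain; no addition can wrap. */
static int64_t read_field_safe(reader_t *r, const uint8_t **field) {
    uint32_t len;
    if (read_u32_le(r, &len) != 0)
        return -1;
    if (len > r->size - r->pos)
        return -1;
    *field = r->buf + r->pos;
    r->pos += len;
    return (int64_t)len;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t benign_pkt[]    = { 0x03, 0x00, 0x00, 0x00, 'a', 'b', 'c' };
static const uint8_t malicious_pkt[] = { 0xFC, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 };

int64_t parse_vuln(const uint8_t *pkt, uint32_t n) {
    reader_t r = { pkt, n, 0 };
    const uint8_t *field = NULL;
    return read_field_vuln(&r, &field);
}

int64_t parse_safe(const uint8_t *pkt, uint32_t n) {
    reader_t r = { pkt, n, 0 };
    const uint8_t *field = NULL;
    return read_field_safe(&r, &field);
}

int64_t demo_vuln_benign(void)    { return parse_vuln(benign_pkt, sizeof benign_pkt); }
int64_t demo_safe_benign(void)    { return parse_safe(benign_pkt, sizeof benign_pkt); }
int64_t demo_vuln_malicious(void) { return parse_vuln(malicious_pkt, sizeof malicious_pkt); }
int64_t demo_safe_malicious(void) { return parse_safe(malicious_pkt, sizeof malicious_pkt); }

int main(void) {
    printf("benign    vuln=%lld safe=%lld\n",
           (long long)demo_vuln_benign(), (long long)demo_safe_benign());
    printf("malicious vuln=%lld safe=%lld\n",
           (long long)demo_vuln_malicious(), (long long)demo_safe_malicious());
    return 0;
}
```

With the 8-byte malicious packet the vulnerable reader accepts a length of 0xFFFFFFFC (4294967292) because 4 + 0xFFFFFFFC wraps to 0, which is not greater than the packet size; the hardened reader rejects it because the length exceeds the 4 bytes remaining. The rule of thumb is to never add a cursor to an attacker-controlled length; subtract the cursor from the size instead, or use a checked-add helper.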
Comment 1 Conrad Kostecki gentoo-dev 2022-03-28 16:40:53 UTC
Is there more source than a picture? I am also not sure what version is affected. The picture shows "1.18.2.i64".

I guess 1.18.2.03 could be affected then, which is stable in tree.
But we do also have 1.18.12.01, which is testing, but the newest one.

https://nvd.nist.gov/vuln/detail/CVE-2022-23884 speaks clearly about 1.18.2.
Comment 2 Larry the Git Cow gentoo-dev 2022-03-28 16:43:49 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e8cf87323fc984138c9c11e8a4eab0a85bf2c136

commit e8cf87323fc984138c9c11e8a4eab0a85bf2c136
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2022-03-28 16:42:42 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2022-03-28 16:42:58 +0000

    games-server/bedrock-server: drop 1.18.2.03
    
    Bug: https://bugs.gentoo.org/836327
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 games-server/bedrock-server/Manifest               |  1 -
 .../bedrock-server/bedrock-server-1.18.2.03.ebuild | 54 ----------------------
 2 files changed, 55 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2e1f6bd12afbbfb6b8627e4f7e8aa2b56fc6786b

commit 2e1f6bd12afbbfb6b8627e4f7e8aa2b56fc6786b
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2022-03-28 16:42:08 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2022-03-28 16:42:08 +0000

    games-server/bedrock-server: amd64 stable
    
    Bug: https://bugs.gentoo.org/836327
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 games-server/bedrock-server/bedrock-server-1.18.12.01.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 3 Conrad Kostecki gentoo-dev 2022-03-28 16:49:59 UTC
https://github.com/nt1dr/CVE-2021-45383 includes a PoC.
But I am not really sure if I want to test that. The dump seems binary and I don't trust it from an unknown GitHub source.

But GitHub clearly speaks of 1.18.2.03.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-03 03:10:44 UTC
I've been able to confirm that 1.18.2.03 is affected and 1.18.12.01 is fixed.

GLSAs are unlikely to be helpful for software like this, so no GLSA. Minimal impact anyway. All done!
Comment 5 Conrad Kostecki gentoo-dev 2022-04-03 10:32:55 UTC
Thank you!