Bug 125289

Summary: games-fps/cube: multiple vulns
Product: Gentoo Security
Reporter: Stefan Cornelius (RETIRED) <dercorny>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: enhancement
CC: carlo, felix.schuster, games, jkt
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://aluigi.altervista.org/adv/evilcube-adv.txt
Whiteboard: B1 [maskglsa] DerCorny
Package list:
Runtime testing required: ---

Description Stefan Cornelius (RETIRED) gentoo-dev 2006-03-06 12:50:38 UTC
1. The game uses an unchecked function for reading the strings from the
incoming data.
The function is sgetstr() located in cube.h:

2. sgetstr(), getint() and the instructions which call them don't check
the correct length of the input data.

3. In the Cube engine the players have the possibility to choose a
specific map on which to play; if there is only one player on the
server the map is changed immediately, otherwise it is voted on.
When a client tries to load an invalid map file it exits immediately,
showing the "while reading map: header malformatted" error.
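The description above boils down to string and integer reads from incoming packets that never check the remaining length. As an added example, not code from Cube or from the advisory, the C below shows the bounds-checked shape such readers should have: every read goes through a packet cursor that knows where the buffer ends, and a malformed or truncated message is rejected rather than read past. The pkt_reader type, the MSG_MAPCHANGE id, the MAX_MAPNAME limit and the fixed 4-byte little-endian integer encoding are all assumptions made for illustration; Cube's real sgetstr() and getint() are not reproduced here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MSG_MAPCHANGE 7   /* hypothetical message id, not Cube's */
#define MAX_MAPNAME   16  /* hypothetical map-name buffer size */

/* Cursor over one untrusted packet: p is the next unread byte, end is one
 * past the last byte. Every read goes through this so the bound is checked. */
typedef struct {
    const unsigned char *p;
    const unsigned char *end;
} pkt_reader;

/* Returns the next byte, or -1 when the packet is exhausted. */
static int rd_byte(pkt_reader *r) {
    if (r->p >= r->end) return -1;
    return *r->p++;
}

/* Bounded string read. Copies a NUL-terminated string from the packet into
 * dst. Returns its length, or -1 if the packet ends before the terminator or
 * the string (plus terminator) does not fit dst. dst is always terminated. */
int sgetstr_bounded(pkt_reader *r, char *dst, size_t dstlen) {
    size_t n = 0;
    if (dstlen == 0) return -1;
    dst[0] = '\0';
    for (;;) {
        int c = rd_byte(r);
        if (c < 0) return -1;                 /* truncated packet */
        if (c == 0) break;                    /* terminator reached */
        if (n + 1 >= dstlen) return -1;       /* would overflow dst */
        dst[n++] = (char)c;
    }
    dst[n] = '\0';
    return (int)n;
}

/* Bounded integer read. A fixed 4-byte little-endian encoding is assumed
 * here for illustration. Returns 0 on success, -1 if bytes are missing. */
int getint_bounded(pkt_reader *r, int32_t *out) {
    if (r->end - r->p < 4) return -1;
    uint32_t v = (uint32_t)r->p[0]        | ((uint32_t)r->p[1] << 8) |
                 ((uint32_t)r->p[2] << 16) | ((uint32_t)r->p[3] << 24);
    r->p += 4;
    *out = (int32_t)v;
    return 0;
}

/* Parse one "map change" message: message id followed by the map name.
 * Returns 0 and fills name on success, -1 if the packet is malformed, so a
 * bad packet is rejected instead of being read past the buffer. */
int parse_map_change(const unsigned char *pkt, size_t len,
                     char *name, size_t namelen) {
    pkt_reader r = { pkt, pkt + len };
    int32_t id;
    if (getint_bounded(&r, &id) != 0) return -1;
    if (id != MSG_MAPCHANGE) return -1;
    if (sgetstr_bounded(&r, name, namelen) < 0) return -1;
    return 0;
}

/* Constructed sample packets (not captured traffic). */
static const unsigned char PKT_OK[]    = { 7,0,0,0, 'm','e','t','l','3',0 };
static const unsigned char PKT_TRUNC[] = { 7,0,0,0, 'm','e','t','l' }; /* no NUL */

/* Well-formed packet: returns 0 when the parsed name is "metl3". */
int demo_ok(void) {
    char name[MAX_MAPNAME];
    if (parse_map_change(PKT_OK, sizeof PKT_OK, name, sizeof name) != 0) return -1;
    return strcmp(name, "metl3") == 0 ? 0 : -2;
}

/* Packet cut off before the terminator: returns -1, no read past the end. */
int demo_truncated(void) {
    char name[MAX_MAPNAME];
    return parse_map_change(PKT_TRUNC, sizeof PKT_TRUNC, name, sizeof name);
}

/* Name longer than the buffer: returns -1 instead of overflowing name. */
int demo_overlong(void) {
    unsigned char pkt[4 + 32 + 1] = { 7, 0, 0, 0 };
    char name[MAX_MAPNAME];
    memset(pkt + 4, 'a', 32);
    pkt[36] = 0;
    return parse_map_change(pkt, sizeof pkt, name, sizeof name);
}

int main(void) {
    printf("well-formed: %d\n", demo_ok());
    printf("truncated:   %d\n", demo_truncated());
    printf("overlong:    %d\n", demo_overlong());
    return 0;
}
```

The point of routing everything through one cursor is that the check cannot be forgotten at a call site: a reader that takes a bare pointer, as the description says the original does, has no way to know how much of the packet is left.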
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-06 12:53:32 UTC
According to the advisory, upstream won't fix this - games team, what do you want to do here? Build our own patch or wait if others provide one, mask or remove completely?
Comment 2 Mr. Bones. (RETIRED) gentoo-dev 2006-03-06 13:18:05 UTC
Package masked.
Comment 3 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-06 15:28:08 UTC
*** Bug 125305 has been marked as a duplicate of this bug. ***
Comment 4 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-07 07:43:39 UTC
mhhh, do we need a masking GLSA here? I assume that cube is present on less than 1/20 of the Gentoo installs, so policy doesn't force a GLSA. But what do you think?
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2006-03-07 10:16:51 UTC
Yes, a mask GLSA is needed, since this allows remote code execution against the game server.
Comment 6 Fredric Johansson 2006-03-11 05:08:33 UTC
Do these vulnerabilities apply to all versions of cube, even the newest?
Comment 7 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-11 05:16:13 UTC
At least it affects all versions in portage (which are probably the newest from upstream). As said in the advisory, upstream does not plan to release an update, so better don't wait for one.
Comment 8 SpanKY gentoo-dev 2006-03-11 10:17:34 UTC
we could patch the source code ourselves, but the only client that works with official multiplayer servers is the binary-only client :/
Comment 9 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-12 16:28:17 UTC
GLSA 200603-10

As usual, I keep the bug as enhancement so that we don't forget about this.
Comment 10 Mr. Bones. (RETIRED) gentoo-dev 2007-03-20 02:56:35 UTC
I removed it from portage since games-fps/sauerbraten (aka Cube2) is in portage.
Comment 11 Matt Drew (RETIRED) gentoo-dev 2007-04-04 23:00:18 UTC
Confirmed that cube is gone from portage - thanks Mr. Bones. Closing!