|Summary:||games-fps/alephone Server DoS (CVE-2006-6663 CVE-2006-6664)|
|Product:||Gentoo Security||Reporter:||Executioner <keith>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Package list:||Runtime testing required:||---|
|Bug Depends on:||159132|
Description Executioner 2007-01-14 19:39:50 UTC
Vulnerable Systems:
 * Marathon Aleph One versions released before 16 Dec 2006

Empty connection crash:
It's possible to cause the crash of the server simply by doing an empty connection to it followed by a valid one (or vice versa; the cause of this bug is not clear and not investigated yet).

Possible format string in the logging function:
logMessageV, the function used for logging anything in the game, is vulnerable to a format string bug. The logging is enabled ONLY with log messages having a priority level lower than logNoteLevel (40), like logFatalLevel, logErrorLevel, logWarningLevel and logAnomalyLevel. Luigi has tried to find an easy way of exploiting this bug remotely, but without luck, so Luigi doesn't know if one exists or what the other ways (both remote and local) of doing it are.

Reproducible: Didn't try

http://aluigi.altervista.org/adv/alephonz-adv.txt
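Added example, not part of the report and not Aleph One source code: a simplified C model of a level-gated logger, showing the hardened call form in which text from a peer is passed only as data behind a constant format. The names model_log_v, model_log and log_peer_text are hypothetical, and every level value except logNoteLevel (40) is assumed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Only logNoteLevel = 40 is stated in the report; the other values are assumed. */
enum { logFatalLevel = 0, logErrorLevel = 10, logWarningLevel = 20,
       logAnomalyLevel = 30, logNoteLevel = 40 };

static char last_line[256];   /* stands in for the log file */

/* Hypothetical model of a va_list logger: formats only below logNoteLevel. */
static int model_log_v(int level, const char *fmt, va_list ap)
{
    if (level >= logNoteLevel)
        return 0;                              /* logging disabled at this level */
    vsnprintf(last_line, sizeof last_line, fmt, ap);
    return 1;
}

#if defined(__GNUC__)
__attribute__((format(printf, 2, 3)))          /* lets -Wformat-security flag misuse */
#endif
static int model_log(int level, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int logged = model_log_v(level, fmt, ap);
    va_end(ap);
    return logged;
}

/* Defect pattern: model_log(level, peer_text) lets the peer's text act as the
   format. Hardened form: the format is a constant and the text is only data. */
static int log_peer_text(int level, const char *peer_text)
{
    return model_log(level, "%s", peer_text);
}

int main(void)
{
    const char *constructed = "name %x %n";    /* constructed sample input */
    int logged = log_peer_text(logErrorLevel, constructed);
    printf("logged=%d line=\"%s\"\n", logged, last_line);
    return 0;
}
```

Building with -Wformat -Wformat-security makes GCC and Clang warn wherever a non-literal string is passed to model_log as the format.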
Comment 1 Raphael Marichez (Falco) (RETIRED) 2007-01-15 23:43:22 UTC
You can start handling your bugs yourself, you know :)
 - setting the Severity
 - setting the Status Whiteboard according to our policy
 - important: CCing the maintainer (/usr/portage/xx/xx/metadata.xml)

http://www.gentoo.org/security/en/vulnerability-policy.xml
Comment 2 Executioner 2007-01-16 05:14:52 UTC
Okay, will do. I wasn't quite sure how far I was supposed to take it as a scout.
Comment 3 Raphael Marichez (Falco) (RETIRED) 2007-01-17 22:39:15 UTC
(In reply to comment #2)
> Okay, will do. I wasn't quite sure how far I was supposed to take it as a
> scout.

No problem, you can handle the bugs you own. You're doing a great job at the moment, don't hesitate.
Comment 4 Raphael Marichez (Falco) (RETIRED) 2007-02-13 23:22:51 UTC
Hi arches, alephone-20061228 is in the tree, thanks to nyhm. Could you test it and mark stable if appropriate, please? thanks
Comment 5 Christian Faulhammer (RETIRED) 2007-02-14 07:09:08 UTC
Comment 6 Simon Stelling (RETIRED) 2007-02-14 12:42:25 UTC
I can't test this, on startup I simply get this:

---
CHROOT / # /usr/games/bin/alephone
Aleph One SDL linux-gnu x86_64 Feb 14 2007
http://source.bungie.org/

Original code by Bungie Software <http://www.bungie.com/>
Additional work by Loren Petrich, Chris Pruett, Rhys Hill et al.
TCP/IP networking by Woody Zenfell
Expat XML library by James Clark
SDL port by Christian Bauer <Christian.Bauer@uni-mainz.de>

This is free software with ABSOLUTELY NO WARRANTY.
You are welcome to redistribute it under certain conditions.
For details, see the file COPYING.

Built with network play enabled.

FATAL: Please be sure the files 'Map', 'Shapes', 'Images' and 'Sounds' are correctly installed and try again. (error -1)
---

However, the latest stable has exactly the same issue. Can someone else from the amd64 team give it a try please?
Comment 7 Chris Gianelloni (RETIRED) 2007-02-14 15:37:41 UTC
You don't run it by alephone, but alephone.sh, instead. AlephOne is only the engine, it requires data to play. We have one data ebuild in the tree already, alephone-infinity, so you can merge that, then run "alephone.sh infinity" to play^H^H^H^Htest. ;]
Comment 8 Simon Stelling (RETIRED) 2007-02-14 16:12:22 UTC
Thanks for the explanation Chris. Seems worky, marked stable.
Comment 9 Raphael Marichez (Falco) (RETIRED) 2007-02-14 20:31:13 UTC
thanks Simon and Chris, i vote mmm... i would vote a half-no.
Comment 10 Matthias Geerdsen (RETIRED) 2007-02-22 20:42:11 UTC
also tending to vote no
Comment 11 Raphael Marichez (Falco) (RETIRED) 2007-02-23 17:41:59 UTC
closing without GLSA, feel free to reopen if you disagree