
Bug 190835 (CVE-2007-4642)

Summary: games-fps/doomsday < 1.9.0-beta5.2 Multiple Vulnerabilities (CVE-2007-{4642,4643,4644})
Product: Gentoo Security
Reporter: Matt Fleming (RETIRED) <mjf>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: enhancement
CC: dark.knight.ita, games, gengor, main.haarp, neoannagul, sattva, scen
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://secunia.com/advisories/26524/
Whiteboard: B1 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 188895

Description Matt Fleming (RETIRED) gentoo-dev 2007-08-31 00:25:12 UTC
Luigi Auriemma has reported some vulnerabilities in Doomsday, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.

1) A boundary error exists within the "D_NetPlayerEvent()" function in d_net.c when processing chat messages. This can be exploited to overflow a global buffer by sending an overly long chat message to the affected server.

Successful exploitation may allow the execution of arbitrary code on the game server and the connected clients.

2) A boundary error exists within the "Msg_Write()" function in net_msg.c when processing chat messages. This can be exploited to overflow a global buffer by sending an overly long chat message to the affected server.

3) An integer underflow error exists within the "Sv_HandlePacket()" function in sv_main.c when processing chat messages. This can be exploited to trigger a failure to allocate required memory, which leads to a DoS.

4) A boundary error exists within the "NetSv_ReadCommands()" function in d_netsv.c when processing client commands. This can be exploited to overflow a static buffer by sending more than 30 commands to the affected server.

5) A format string error exists within the "Cl_GetPackets()" function when processing "PSV_CONSOLE_TEXT" messages sent by the server. This can potentially be exploited by a malicious server to execute arbitrary code on the affected clients by sending specially crafted messages.

NOTE: An error in the processing of chat messages may leave a string without a NULL character at the end. This may trigger other vulnerabilities.

The vulnerabilities are reported in version 1.9.0-beta5.1 and prior. Other versions may also be affected.
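The five items above are all instances of trusting a length, a count or a string that arrived over the network. The following C code is an added illustration for this bug entry, not code from Doomsday or from the Secunia advisory: it shows a constructed chat-packet and command-packet handler with the checks that prevent each class of defect named above (bounded copy into a global buffer, no subtraction before the length is known to be large enough, an explicit NUL terminator, a capped command count, and console text passed as a "%s" argument rather than as the format string). The packet layout, buffer sizes, the command size of 4 bytes and all function names are assumptions made for the example; only the limit of 30 commands comes from item 4.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* All sizes and the packet layout are constructed for this example;
 * they are not taken from the Doomsday sources. */
#define CHAT_BUF_SIZE 64   /* hypothetical size of the global chat buffer */
#define CHAT_HDR_LEN  2    /* constructed layout: [0]=type, [1]=declared text length */
#define MAX_COMMANDS  30   /* item 4 reports an overflow past 30 queued commands */
#define CMD_SIZE      4    /* hypothetical fixed size of one client command */

static char    g_chat_text[CHAT_BUF_SIZE];           /* global buffer, as in items 1 and 2 */
static uint8_t g_commands[MAX_COMMANDS][CMD_SIZE];   /* static buffer, as in item 4 */

typedef enum { PKT_OK = 0, PKT_TRUNCATED, PKT_TOO_LONG, PKT_TOO_MANY_CMDS } pkt_status;

/* Items 1-3 and the NOTE: copy an untrusted chat message into the global buffer.
 * The unsafe pattern is memcpy(g_chat_text, pkt + 2, pkt[1]) with no checks:
 * pkt[1] can exceed the buffer (overflow), pkt_len - 2 wraps when pkt_len < 2
 * (underflow, yielding a huge length), and nothing guarantees a trailing NUL. */
pkt_status handle_chat_packet(const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < CHAT_HDR_LEN)
        return PKT_TRUNCATED;                  /* reject before any subtraction can underflow */

    size_t declared  = pkt[1];
    size_t available = pkt_len - CHAT_HDR_LEN; /* safe: pkt_len >= CHAT_HDR_LEN here */

    if (declared > available)
        return PKT_TRUNCATED;                  /* header claims more text than arrived */
    if (declared >= CHAT_BUF_SIZE)
        return PKT_TOO_LONG;                   /* keep one byte for the NUL */

    memcpy(g_chat_text, pkt + CHAT_HDR_LEN, declared);
    g_chat_text[declared] = '\0';              /* always terminate so later string ops stay bounded */
    return PKT_OK;
}

const char *chat_text(void) { return g_chat_text; }

/* Item 4: a client-supplied command count must be bounded by the static array. */
pkt_status handle_command_packet(const uint8_t *pkt, size_t pkt_len, unsigned *n_out)
{
    if (pkt_len < 1)
        return PKT_TRUNCATED;

    unsigned count = pkt[0];
    if (count > MAX_COMMANDS)
        return PKT_TOO_MANY_CMDS;              /* an unchecked count walks past g_commands */
    if (pkt_len - 1 < (size_t)count * CMD_SIZE)
        return PKT_TRUNCATED;                  /* fewer command bytes than the count promises */

    memcpy(g_commands, pkt + 1, (size_t)count * CMD_SIZE);
    *n_out = count;
    return PKT_OK;
}

/* Item 5: server-supplied console text is data, never the format string.
 * Unsafe: printf(text) or snprintf(out, n, text). Safe: pass it as a "%s" argument.
 * Returns the number of characters written (excluding the NUL), as snprintf does. */
int console_format(char *out, size_t out_len, const char *text)
{
    return snprintf(out, out_len, "%s", text);
}

int main(void)
{
    static const uint8_t hello[] = { 0x01, 5, 'h', 'e', 'l', 'l', 'o' }; /* constructed packet */
    if (handle_chat_packet(hello, sizeof hello) == PKT_OK)
        printf("chat: %s\n", chat_text());

    char line[32];
    console_format(line, sizeof line, "%n%s"); /* copied literally, not interpreted */
    printf("console: %s\n", line);
    return 0;
}
```

Each check returns a distinct status so the caller can log which rule a packet broke; that makes a flood of oversized chat messages or over-long command lists visible in server logs instead of silently corrupting memory.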
Comment 1 Matt Fleming (RETIRED) gentoo-dev 2007-08-31 00:27:04 UTC
CC'ing herd and setting whiteboard status.
Comment 2 Mr. Bones. (RETIRED) gentoo-dev 2007-08-31 00:45:35 UTC
masked
Comment 3 Davide Cendron (RETIRED) gentoo-dev 2007-09-27 18:44:46 UTC
The security issues seem to be solved in the security update 1.9.0_beta5.2 release (what a horrible versioning scheme *_* )

http://sourceforge.net/forum/forum.php?forum_id=736045

It is sufficient to update the ebuild, right?
Comment 4 Mr. Bones. (RETIRED) gentoo-dev 2007-11-23 20:46:55 UTC
Should be fixed in beta5.2 which I just put into portage.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2007-12-04 01:11:31 UTC
You can remove the p.mask on this ebuild then.

doomsday-1.9.0_beta4 was stable before masking, so to not introduce version regressions, this should go stable too. Bones, what do you think about stabling 5.2?
Comment 6 Mr. Bones. (RETIRED) gentoo-dev 2007-12-04 02:11:32 UTC
Sounds good to me. I went ahead on that.
Comment 7 Davide Cendron (RETIRED) gentoo-dev 2007-12-04 08:01:12 UTC
(In reply to comment #5)
> You can remove the p.mask on this ebuild then.
> 
> doomsday-1.9.0_beta4 was stable before masking, so to not introduce version
> regressions, this should go stable too. Bones, what do you think about stabling
> 5.2?

I suggest *NOT* marking this version as stable, because it still contains several bugs, one of which has been reported in this [1] Gentoo Forums topic; see also the linked Doomsday bug report [2] (and IMHO this bug is quite annoying).

I also have the bad feeling that the future of the development of this engine won't be so shiny... [3] :(

[1] http://forums.gentoo.org/viewtopic-t-622382.html
[2] http://sourceforge.net/tracker/index.php?func=detail&aid=1807891&group_id=74815&atid=542099
[3] http://www.dengine.net/blog/?p=113#comment-1993
Comment 8 Mr. Bones. (RETIRED) gentoo-dev 2007-12-04 08:06:19 UTC
Yeah, welcome to the world of opensource games. It's better than the previously stabled versions, so I'm ok with the current state.
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2007-12-06 00:50:41 UTC
glsa request filed.
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2007-12-23 23:19:09 UTC
Upstream confirmed that CVE-2007-4644 was not fixed by the update.
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-01-05 07:00:58 UTC
Either this bug should go back into upstream status or we should open another bug for CVE-2007-4644 and release the (corrected) GLSA.
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-01-15 21:21:44 UTC
Mr. Bones, the most serious issue never got fixed. Please mask it again until we get a fixed version.
Comment 13 Mr. Bones. (RETIRED) gentoo-dev 2008-01-15 21:48:40 UTC
done.
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-01-16 07:54:08 UTC
Thx.
Comment 15 timofonic 2008-01-26 01:15:18 UTC
Any news about this? 


 * games-fps/doomsday-1.9.0_beta52:0::gentoo: Masked by repository (/var/paludis/repositories/gentoo/profiles/package.mask: Michael Sterrett <mr_bones_@gentoo.org> (15 Jan 2008) Security mask (bug #190835) https://bugs.gentoo.org/show_bug.cgi?id=190835)


So when will this be removed?
Comment 16 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-01-28 11:03:33 UTC
(In reply to comment #15)
> Any news about this? 
> 
>  * games-fps/doomsday-1.9.0_beta52:0::gentoo: Masked by repository
> (/var/paludis/repositories/gentoo/profiles/package.mask: Michael Sterrett
> <mr_bones_@gentoo.org> (15 Jan 2008) Security mask (bug #190835)
> https://bugs.gentoo.org/show_bug.cgi?id=190835)
> 
> So when will this be removed?
> 
Why should it be removed? The mask is here to remind users that this game is currently vulnerable. If upstream releases a new version fixing this issue, it should be unmasked again.
Comment 17 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-02-06 22:18:21 UTC
And GLSA 200802-02, sorry for the delay.
Comment 18 Robert Buchholz (RETIRED) gentoo-dev 2008-02-07 12:04:20 UTC
Mask GLSA is not a fix, is it?
Comment 19 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-10 14:12:45 UTC
We usually leave it open until the ebuild is purged or unmasked and GLSA rereleased.
Comment 20 impogarbage 2008-06-01 01:08:07 UTC
1.9.0_beta52 is unplayable because of corrupted player control system.

So 1.9.0_beta51 should be returned to portage...
Comment 21 haarp 2008-11-06 03:07:58 UTC
Upstream pulled beta5.2. It should be removed from Portage, for playability and security reasons.
As an alternative, I created Attachment 170876 [details] (also see bug 188895). This uses the same SVN sources that are also used to build the Ubuntu packages and should fix all vulnerabilities, *except* one:

> A format string error exists within the "Cl_GetPackets()" function when processing "PSV_CONSOLE_TEXT" messages sent by the server. This can potentially be exploited by a malicious server to execute arbitrary code on the affected clients by sending specially crafted messages.

A dev noted: "I could only ever trigger a DoS with this, no arbitrary code running".

It should also work on AMD64 now.
Comment 22 Mr. Bones. (RETIRED) gentoo-dev 2008-11-06 06:23:06 UTC
It's currently masked. That's good enough. We'll just pick up their next release.
Comment 23 Brandon Captain 2009-04-02 15:26:45 UTC
1.9-beta6.1 has just been released

http://www.doomsdayhq.com/

Comment 24 Tristan Heaven (RETIRED) gentoo-dev 2009-05-27 13:38:51 UTC
Bumped to 1.9-beta6.2 but I don't know if it's fixed.
Comment 25 Mr. Bones. (RETIRED) gentoo-dev 2009-11-10 16:44:38 UTC
doomsday-1.9.0_beta52 is gone. I've removed the entry from package.mask.
Comment 26 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-03 01:58:14 UTC
Affected version long gone. noglsa.