
Bug 381799 (CVE-2011-3341)

Summary: <games-simulation/openttd-1.1.3 Multiple Vulnerabilities (CVE-2010-4168,CVE-2011-{3341,3342,3343})
Product: Gentoo Security
Reporter: Sean Amoss (RETIRED) <ackle>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: games, mr_bones_
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2011/09/02/4
Whiteboard: B1 [glsa]
Package list:
Runtime testing required: ---

Description Sean Amoss (RETIRED) gentoo-dev Security 2011-09-04 16:49:48 UTC
The OpenTTD team and contributors have discovered several security
vulnerabilities in OpenTTD. Please be so kind as to allocate a CVE id for
each of the issues detailed below:

1.) Denial of service via improperly validated commands

In multiple places, in-game commands are not properly validated, which allows
remote attackers to cause a denial of service (crash) and possibly execute
arbitrary code via unspecified vectors.

Vulnerability is present since 0.3.5 and will be fixed in the upcoming
1.1.3 release. Issue report at http://bugs.openttd.org/task/4745

2.) Buffer overflows in savegame loading

In multiple places, indices in savegames are not properly validated, which
allows (remote) attackers to cause a denial of service (crash) and possibly
execute arbitrary code via unspecified vectors.

Vulnerability is present since 0.1.0 and will be fixed in the upcoming
1.1.3 release. Issue reports at http://bugs.openttd.org/task/4717 and
http://bugs.openttd.org/task/4748

3.) Multiple buffer overflows in validation of external data

In multiple places external data from the local file system isn't properly
checked before allocating memory, which could lead to buffer overflows and
arbitrary code execution.

Vulnerability is present since 0.3.4 and will be fixed in the upcoming
1.1.3 release. Issue reports at http://bugs.openttd.org/task/4746 and
http://bugs.openttd.org/task/4747
Once the CVE ids are allocated, each issue will be fully documented at
http://security.openttd.org/en/CVE-2011-xxxx

Reproducible: Always
Comment 1 Agostino Sarubbo gentoo-dev 2011-09-15 23:44:34 UTC
*** Bug 383163 has been marked as a duplicate of this bug. ***
Comment 2 Agostino Sarubbo gentoo-dev 2011-09-15 23:47:33 UTC
Arches, please test and mark stable:

=games-simulation/openttd-1.1.3
target KEYWORDS : "amd64 ppc x86"
Comment 3 Elijah "Armageddon" El Lazkani (amd64 AT) 2011-09-16 01:38:01 UTC
amd64: pass
Comment 4 Jeff (JD) Horelick (RETIRED) gentoo-dev 2011-09-16 05:00:55 UTC
Archtested on x86: Everything fine except for the fact that I seem to have forgotten how to play TTD. :)
Comment 5 Agostino Sarubbo gentoo-dev 2011-09-16 10:08:29 UTC
amd64 ok
Comment 6 Tony Vroon gentoo-dev 2011-09-16 12:06:08 UTC
+  16 Sep 2011; Tony Vroon <chainsaw@gentoo.org> openttd-1.1.3.ebuild:
+  Marked stable on AMD64 based on arch testing by Elijah "Armageddon" El
+  Lazkani & Agostino Sarubbo in security bug #381799 filed by Sean Amoss.
Comment 7 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-09-17 22:01:32 UTC
x86 stable, thanks JD
Comment 8 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-09-27 17:28:14 UTC
never stable on ppc, last arch done
Comment 9 Sean Amoss (RETIRED) gentoo-dev Security 2011-09-27 19:01:44 UTC
Thanks everyone. Tim, can you please add to GLSA request?
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2011-09-27 19:20:45 UTC
(In reply to comment #9)
> Thanks everyone. Tim, can you please add to GLSA request?

Yep, request filed. Thanks, Sean, folks.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2011-10-07 23:31:44 UTC
CVE-2011-3343 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3343):
  Multiple buffer overflows in OpenTTD before 1.1.3 allow local users to cause
  a denial of service (daemon crash) or possibly gain privileges via (1) a
  crafted BMP file with RLE compression or (2) crafted dimensions in a BMP
  file.

CVE-2011-3342 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3342):
  Multiple buffer overflows in OpenTTD before 1.1.3 allow remote attackers to
  cause a denial of service (daemon crash) or possibly execute arbitrary code
  via vectors related to (1) NAME, (2) PLYR, (3) CHTS, or (4) AIPL (aka AI
  config) chunk loading from a savegame.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2011-10-07 23:46:10 UTC
CVE-2011-3341 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3341):
  Multiple off-by-one errors in order_cmd.cpp in OpenTTD before 1.1.3 allow
  remote attackers to cause a denial of service (daemon crash) or possibly
  execute arbitrary code via a crafted CMD_INSERT_ORDER command.

CVE-2010-4168 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4168):
  Multiple use-after-free vulnerabilities in OpenTTD 1.0.x before 1.0.5 allow
  (1) remote attackers to cause a denial of service (invalid write and daemon
  crash) by abruptly disconnecting during transmission of the map from the
  server, related to network/network_server.cpp; (2) remote attackers to cause
  a denial of service (invalid read and daemon crash) by abruptly
  disconnecting, related to network/network_server.cpp; and (3) remote servers
  to cause a denial of service (invalid read and application crash) by forcing
  a disconnection during the join process, related to network/network.cpp.
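The three issue classes in the description (unvalidated command arguments, unchecked savegame indices, unchecked sizes before allocating memory) and the CVE text above (crafted BMP dimensions and RLE data, savegame chunk loading) all come down to one defensive pattern: validate a count, index or size against the object it addresses before it is used for arithmetic, indexing or allocation. The C program below is an added example written for this bug page; it is not OpenTTD code and does not reproduce OpenTTD's formats. The chunk layout, the run-length encoding, the function names and the 256 MiB size policy are all constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Policy cap on a decoded image (constructed for this example, not an
 * OpenTTD value). Checking against a cap by division also guarantees that
 * width * height * bpp never wraps, even where size_t is 32 bits. */
#define MAX_IMAGE_BYTES (256u * 1024u * 1024u)

/* Derive the allocation size for an image from header-supplied dimensions.
 * Returns false for zero dimensions, an unsupported bpp, or a product over
 * the policy cap; *out is written only on success. */
bool safe_image_bytes(uint32_t width, uint32_t height, uint32_t bpp, size_t *out)
{
    if (width == 0 || height == 0 || bpp == 0 || bpp > 4) return false;
    uint64_t row = (uint64_t)width * bpp;          /* cannot wrap in 64 bits */
    if (row > MAX_IMAGE_BYTES / height) return false; /* row * height > cap */
    *out = (size_t)(row * height);
    return true;
}

/* Constructed chunk format: 2-byte little-endian count, then that many
 * 2-byte little-endian pool indices. Every index is checked against the pool
 * size before it is stored, and the count is checked against both the bytes
 * actually present and the destination capacity. Returns the number of
 * indices loaded, or -1 if the chunk is malformed. */
int load_index_chunk(const uint8_t *buf, size_t len, uint32_t pool_size,
                     uint16_t *out, size_t out_cap)
{
    if (len < 2) return -1;
    size_t count = buf[0] | (buf[1] << 8);
    if (count > out_cap) return -1;            /* would overrun destination */
    if (len - 2 < count * 2) return -1;        /* chunk claims more than it carries */
    for (size_t i = 0; i < count; i++) {
        uint16_t idx = (uint16_t)(buf[2 + 2 * i] | (buf[3 + 2 * i] << 8));
        if (idx >= pool_size) return -1;       /* dangling pool reference */
        out[i] = idx;
    }
    return (int)count;
}

/* Simplified run-length decoder (constructed format of <count,value> pairs,
 * not the BMP RLE8 escape grammar). Each run is checked against the space
 * remaining in dst, so a crafted count cannot write past the allocation.
 * Returns bytes produced, or -1 on malformed input. */
int decode_rle(const uint8_t *src, size_t src_len, uint8_t *dst, size_t dst_len)
{
    size_t written = 0;
    if (src_len % 2 != 0) return -1;
    for (size_t i = 0; i < src_len; i += 2) {
        size_t run = src[i];
        uint8_t val = src[i + 1];
        if (run > dst_len - written) return -1;   /* run would overflow dst */
        memset(dst + written, val, run);
        written += run;
    }
    return (int)written;
}

int main(void)
{
    size_t bytes;
    uint16_t idx[4];
    uint8_t pixels[8];

    /* Constructed inputs: one sane header, one with crafted dimensions. */
    printf("640x480x3: %s\n", safe_image_bytes(640, 480, 3, &bytes) ? "ok" : "rejected");
    printf("65535x65535x4: %s\n", safe_image_bytes(65535, 65535, 4, &bytes) ? "ok" : "rejected");

    /* Constructed chunk: count 1, index 10 into a pool of 10 entries. */
    uint8_t dangling[] = { 1, 0, 10, 0 };
    printf("chunk with out-of-range index: %d\n",
           load_index_chunk(dangling, sizeof dangling, 10, idx, 4));

    /* Constructed RLE stream asking for 200 bytes into an 8-byte buffer. */
    uint8_t oversize[] = { 200, 'x' };
    printf("oversized run: %d\n", decode_rle(oversize, sizeof oversize, pixels, sizeof pixels));
    return 0;
}
```

The checks are ordered so that every arithmetic step is performed on values already known to be in range: the count is bounded before it multiplies the element size, the index is bounded before it touches the pool, and the product of the dimensions is bounded before it reaches the allocator.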
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2011-11-11 22:04:28 UTC
This issue was resolved and addressed in
 GLSA 201111-03 at http://security.gentoo.org/glsa/glsa-201111-03.xml
by GLSA coordinator Tim Sammut (underling).