| Summary: | games-strategy/scorched3d-36.2: format string crashes server and client | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | FieldySnuts <sgtphou> |
| Component: | GLSA Errors | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | critical | CC: | games |
| Priority: | High | Flags: | koon: Assigned_To? (koon) |
| Version: | unspecified | | |
| Hardware: | x86 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Attachments: | incomplete-bounds-checking.diff | | |
Description: FieldySnuts, 2004-01-24 19:19:40 UTC
Unless it's exploitable there's no need for security to be involved. Is this known upstream?

I do not know if upstream is aware of this. Also, I don't know if this accomplishes anything, but I recompiled it with -fstack-protector in CFLAGS, which is supposed to turn on ProPolice in GCC. Game runs fine, however it still crashes as above. Perhaps this alleviates real security problems that may stem from this? Just guessing.

I'm adding security back in because this is exploitable. Read paragraph 2, Mike, please...

I don't see anything anywhere that says 'exploitable'... DoS (crashing the server and punting the clients) is not GLSA worthy... so what am I missing? :p

The %n in a format string is what leads to heap overflows. There have been quite a number of papers published on this subject. I've unpacked the scorched3d source and took a peek, and I have to say there are quite a few potential attack vectors in it. Code such as printf(foo); often indicates a bug, since foo may contain a % character. If foo comes from untrusted user input, it may contain %n, causing the printf call to write to memory and creating a security hole. In theory, sending a carefully crafted (perhaps UDP) packet to somebody connected to a scorched3d server could cause remote clients to crash or even execute arbitrary code.

Created attachment 24409
incomplete-bounds-checking.diff

More auditing needs to be done. Untested and incomplete patch by itself. It's a start for anybody interested in adding basic bounds checking.
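The printf(foo) pattern discussed in the comment above, next to the bounded, constant-format form the attached patch is aiming for, as an added example. This is not code from the bug report, the patch, or Scorched3D; the function names are hypothetical, and the "player%n%n%x" sample is a constructed string standing in for an untrusted player name or chat message.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern from the report: untrusted text is used as the format
 * argument, so any '%' directives it contains are interpreted by printf.
 * Kept only for comparison; main() below only ever calls it with a literal. */
static void log_unsafe(const char *msg)
{
    printf(msg);            /* gcc -Wformat-security flags this line */
    putchar('\n');
}

/* Hardened form: the format is a constant, the untrusted text is an
 * ordinary %s argument, and the output is bounded by snprintf.
 * Returns 1 if the whole message fitted in out, 0 if it was truncated
 * (the caller can then drop or log the oversize message instead of
 * trusting a silently cut-off buffer). */
static int format_safe(char *out, size_t outlen, const char *msg)
{
    int needed = snprintf(out, outlen, "%s", msg);
    if (needed < 0)
        return 0;
    return (size_t)needed < outlen;
}

/* Defensive check a server can run on player-supplied strings before they
 * reach any logging or message-formatting path that might still use the
 * string as a format: returns 1 if the string contains a conversion
 * directive, i.e. a '%' that is not the escaped "%%". */
static int has_format_directive(const char *s)
{
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {
            s++;            /* "%%" is a literal percent sign, skip it */
            continue;
        }
        return 1;
    }
    return 0;
}

int main(void)
{
    char buf[64];
    /* Constructed sample of the kind of input the report is concerned with. */
    const char *hostile = "player%n%n%x";

    log_unsafe("a literal format string is fine");

    if (has_format_directive(hostile))
        printf("rejected: %s\n", hostile);   /* passed as data, printed verbatim */

    format_safe(buf, sizeof buf, hostile);
    printf("formatted safely: %s\n", buf);   /* directives stay literal text */
    return 0;
}
```

Compiling with -Wall -Wformat-security makes the compiler point at every printf-family call whose format is not a literal, which is the quickest way to find the remaining sites the patch description says still need auditing.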
I got a reply back from the author and he said he'll tackle it: "Thanks for the e-mail. I will fix that, should be fairly easily done. I should have thought of it really :). I have also seen the patch on the link you sent; although snprintf would be a good idea, there is no equivalent on Windows. This may not be so easily done."

games-strategy/scorched3d-37 is in portage; a GLSA can go out now.

Changing product to GLSA.

GLSA on its way.

GLSA 200404-12