Bug 125289 - games-fps/cube: multiple vulns
Summary: games-fps/cube: multiple vulns
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
: High enhancement
Assignee: Gentoo Security
URL: http://aluigi.altervista.org/adv/evil...
Whiteboard: B1 [maskglsa] DerCorny
: 125305 (view as bug list)
Reported: 2006-03-06 12:50 UTC by Stefan Cornelius (RETIRED)
Modified: 2007-04-04 23:00 UTC
Description Stefan Cornelius (RETIRED) gentoo-dev 2006-03-06 12:50:38 UTC
1. The game uses an unchecked function for reading the strings from the
incoming data.
The function is sgetstr() located in cube.h:

2. sgetstr(), getint() and the instructions which call them don't check
the correct length of the input data.

3. In the Cube engine the players have the possibility to choose a
specific map on which to play; if there is only one player in the
server the map is changed immediately, otherwise it will be voted on.
When a client tries to load an invalid map file it exits immediately
showing the "while reading map: header malformatted" error.
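
Items 1 and 2 above describe a string reader that checks neither how much input remains nor how much room the destination has. The following is an added example, not code from the advisory or from Cube's source, of a reader that checks both; `struct pkt`, `pkt_getbyte`, `pkt_getstr` and `read_str` are hypothetical names, and a plain byte fetch stands in for `getint()`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical read cursor over one received packet (not Cube's own type). */
struct pkt { const uint8_t *p, *end; };   /* end = one past last received byte */

/* Fetch one byte, or fail if the packet is exhausted (check on the source). */
static int pkt_getbyte(struct pkt *in, uint8_t *out)
{
    if (in->p >= in->end)
        return -1;
    *out = *in->p++;
    return 0;
}

/* Copy a NUL-terminated string into dst[cap]. Returns its length, or -1 when
 * the packet ends before the terminator or the string does not fit in dst. */
static int pkt_getstr(struct pkt *in, char *dst, size_t cap)
{
    size_t n = 0;
    uint8_t c;
    if (cap == 0) return -1;
    while (pkt_getbyte(in, &c) == 0) {
        if (c == '\0') {
            dst[n] = '\0';
            return (int)n;
        }
        if (n + 1 >= cap) break;   /* no room for this byte plus the NUL */
        dst[n++] = (char)c;
    }
    dst[0] = '\0';                 /* reject: never hand back a partial string */
    return -1;
}

/* Convenience wrapper: parse one string from a raw buffer of len bytes. */
static int read_str(const void *data, size_t len, char *dst, size_t cap)
{
    struct pkt in = { (const uint8_t *)data, (const uint8_t *)data + len };
    return pkt_getstr(&in, dst, cap);
}

int main(void)
{
    char name[8];                  /* inputs below are constructed samples */
    printf("%d\n", read_str("map1", 5, name, sizeof name));
    printf("%d\n", read_str("AAAAAAAAAAAAAAAA", 16, name, sizeof name));
    printf("%d\n", read_str("abc", 3, name, sizeof name));
    return 0;
}
```

A caller should drop the packet (or the connection) on `-1` instead of continuing to parse from an unknown offset.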
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-06 12:53:32 UTC
According to the advisory, upstream won't fix this - games team, what do you want to do here? Build our own patch or wait to see if others provide one, mask or remove completely?
Comment 2 Mr. Bones. (RETIRED) gentoo-dev 2006-03-06 13:18:05 UTC
Package masked.
Comment 3 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-06 15:28:08 UTC
*** Bug 125305 has been marked as a duplicate of this bug. ***
Comment 4 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-07 07:43:39 UTC
mhhh, do we need a masking GLSA here? I assume that cube is present on less than 1/20 of the Gentoo installs so policy doesn't force a GLSA. But what do you think?
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2006-03-07 10:16:51 UTC
Yes, a maskGLSA is needed, since this allows remote code execution against the game server.
Comment 6 Fredric Johansson 2006-03-11 05:08:33 UTC
Do these vulnerabilities apply to all versions of cube, even the newest?
Comment 7 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-11 05:16:13 UTC
At least it affects all versions in portage (which are probably the newest from upstream). As said in the advisory, upstream does not plan to release an update so better don't wait for one.
Comment 8 SpanKY gentoo-dev 2006-03-11 10:17:34 UTC
we could patch the source code ourselves, but the only client that works with official multiplayer servers is the binary-only client :/
Comment 9 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-12 16:28:17 UTC
GLSA 200603-10

As usual, I keep the bug as enhancement so that we don't forget about this.
Comment 10 Mr. Bones. (RETIRED) gentoo-dev 2007-03-20 02:56:35 UTC
I removed it from portage since games-fps/sauerbraten (aka Cube2) is in portage.
Comment 11 Matt Drew (RETIRED) gentoo-dev 2007-04-04 23:00:18 UTC
confirmed that cube is gone from portage - Thanks Mr. Bones.  Closing!