Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 128690 - games-fps/doomsday format string vulnerability (CVE-2006-1618)
Summary: games-fps/doomsday format string vulnerability (CVE-2006-1618)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High enhancement
Assignee: Gentoo Security
URL:
Whiteboard: B1 [glsa] Falco
Keywords:
Depends on:
Blocks:
 
Reported: 2006-04-03 13:54 UTC by Raphael Marichez (Falco) (RETIRED)
Modified: 2006-06-14 21:16 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
Plug buffer overflows. Not even compile-tested. (1.patch,8.29 KB, patch)
2006-04-07 08:22 UTC, Alexey Dobriyan
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-04-03 13:54:38 UTC
Versions:     <= 1.8.6 (and current SVN 1.9.0)
Platforms:    Windows, *nix, *BSD, Mac and others
Bug:          format string bug in Con_Message and Con_Printf
Exploitation: remote, versus server and clients
Date:         03 Apr 2006
Author:       Luigi Auriemma
Source : full-disc


Bug (from full-disc) :


--- begin of quotation ---
The Doomsday engine contains many functions used for the visualization
of the messages in the console.
Both Con_Message and conPrintf are vulnerable to a format string
vulnerability which could allow an attacker to execute malicious code
versus the server or the clients.
The first function calls a "Con_Printf(buffer)" while the second one
calls a "SW_Printf(prbuff)" if SW_IsActive is enabled (which means
ever).

>From Src/con_main.c:

void Con_Message(const char *message, ...)
{
        va_list argptr;
        char   *buffer;

        if(message[0])
        {
                buffer = malloc(0x10000);

                va_start(argptr, message);
                vsprintf(buffer, message, argptr);
                va_end(argptr);

#ifdef UNIX
                if(!isDedicated)
                {
                        // These messages are supposed to be visible in the real console.
                        fprintf(stderr, "%s", buffer);
                }
#endif

                // These messages are always dumped. If consoleDump is set,
                // Con_Printf() will dump the message for us.
                if(!consoleDump)
                        printf("%s", buffer);

                // Also print in the console.
                Con_Printf(buffer);

                free(buffer);
        }
        Con_DrawStartupScreen(true);
}

...

void conPrintf(int flags, const char *format, va_list args)
{
        unsigned int i;
        int     lbc;                            // line buffer cursor
        char   *prbuff, *lbuf = malloc(maxLineLen + 1);
        cbline_t *line;

        if(flags & CBLF_RULER)
        {
                Con_AddRuler();
                flags &= ~CBLF_RULER;
        }

        // Allocate a print buffer that will surely be enough (64Kb).
        // FIXME: No need to allocate on EVERY printf call!
        prbuff = malloc(65536);

        // Format the message to prbuff.
        vsprintf(prbuff, format, args);

        if(consoleDump)
                fprintf(outFile, "%s", prbuff);
        if(SW_IsActive())
                SW_Printf(prbuff);
    ...


--- end ---
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-04-03 13:58:45 UTC
no upstream update still available on http://www.doomsdayhq.com/files.php?class=1
Comment 2 Mr. Bones. (RETIRED) gentoo-dev 2006-04-03 16:28:58 UTC
package masked
Comment 3 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-04-03 16:37:21 UTC
very fast!

masking-GLSA decision ?

poor gamers... :'(
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-04-03 21:58:17 UTC
If it's a B1 we should issue a masking GLSA.
Comment 5 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-04-05 09:10:03 UTC
OK. Jaervosz, i'm sure you wand to draft the GLSA :)
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-04-05 09:56:22 UTC
It's already in GLSAmaker :P
Comment 7 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-04-06 00:09:43 UTC
GLSA sent by DerCorny, thanks to everybody, sorry for the gamers.

The bug goes in enhancement, pending resolution.
Comment 8 Florian Westphal 2006-04-06 09:28:57 UTC
Why wasn't this fixed prior to GLSA instead of masking this?
Judging by Luigi Auriemmas advisory the fix is trivial.
Is there more to this than described here?
Comment 9 Stefan Cornelius (RETIRED) gentoo-dev 2006-04-07 00:27:25 UTC
Nobody is happy with a mask, but you should take into account that this game doesnt seem to be supported by upstream anymore, so basically it was already dead before this issue came up. Altough the fix might not be technically challenging, it will take valuable time to implement and test it - do you really think that we should waste our resources on dead things?
Comment 10 Alexey Dobriyan 2006-04-07 08:22:30 UTC
Created attachment 84133 [details, diff]
Plug buffer overflows. Not even compile-tested.

How much people use it? I mean does it make sense to read through this junk
more carefully?
Comment 11 Florian Westphal 2006-04-07 10:04:31 UTC
(In reply to comment #9)
> doesnt seem to be supported by upstream anymore, so basically it was already
> dead before this issue came up. Altough the fix might not be technically
> challenging, it will take valuable time to implement and test it - do you
> really think that we should waste our resources on dead things?

Yes, if the fix is obvious and no replacement exists.

No,
a) ..if the fix is too complicated/difficult and/or
b) ..a (brief) look at affected code sections
   shows that its too ugly/bug-ridden anyway.

IMO it would be a good idea to state the reason for masking
(Code looks suspicious; Unmaintained/Upstream dead, etc.) in future GLSAs.

As for "Upstream is dead": The last svn check in was (at this time of writing) 19 hours ago.... will try to contact them.
Comment 12 Florian Westphal 2006-04-09 08:58:38 UTC
(In reply to comment #11)
> As for "Upstream is dead": The last svn check in was (at this time of writing)
> 19 hours ago.... will try to contact them. 

Fixed in svn. Don't know when a new release will be made, though.
Comment 13 Yagisan 2006-04-17 09:37:11 UTC
Upstream for this is alive and well. You are aware that gentoo isn't even using the current release right ? Current release is 1.9.0beta3, and that was released a long time ago http://prdownloads.sourceforge.net/deng/deng-1.9.0-beta3.tar.gz?download , Perhaps it would be an idea for a gentoo maintainer to keep in contact with upstream (or other distro maintainers), or at the very least, follow progress here http://deng.sourceforge.net/blog/.
Comment 14 Stefan Cornelius (RETIRED) gentoo-dev 2006-04-17 10:20:34 UTC
Yeah, I'm happy to see that I was wrong about thinking that upstream is dead. But betas are usually hardmasked, too - so this won't help a lot here.Games team, upstream accepted a slightly edited version of the patch Alexey provided, what do you think about patching and revbumping?
Comment 15 Yagisan 2006-04-17 15:19:47 UTC
My personal option, (as the guy that has been preparing packages for ubuntu), is that the bump to 1.9.0beta3 solves more bugs then it causes. The new memory management system takes care of the most common, out of memory errors users report.

Also, I'd like to thank you for doing a security audit on doomsday in the first place.
Comment 16 SpanKY gentoo-dev 2006-04-21 23:12:52 UTC
1.9.0_beta3 now in portage
Comment 17 SpanKY gentoo-dev 2006-04-21 23:14:15 UTC
... which doesnt help as it doesnt contain the fix :)

can someone cut the patch from current svn for me to integrate please ?
Comment 18 Yagisan 2006-05-14 06:15:55 UTC
It is known fixed as of svn 3153. Either backport changes, or wait for beta4.
Comment 19 Chris Gianelloni (RETIRED) gentoo-dev 2006-05-14 08:02:03 UTC
We'll just wait.  Thanks.
Comment 21 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-05-30 15:57:59 UTC
Thanks Yagisan.

Games team , can you bump it please ?
Comment 22 Mr. Bones. (RETIRED) gentoo-dev 2006-05-30 18:25:23 UTC
Security team, please do what ever security stuff you need to do and reassign to games for the version bump.  Thanks.
Comment 23 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-05-30 20:40:44 UTC
Games team, please bump or comment why not to do it.

Normal procedure is not to reassign but to cc maintainers/arches.
Comment 24 Chris Gianelloni (RETIRED) gentoo-dev 2006-05-31 15:02:34 UTC
This is in progress...
Comment 25 Chris Gianelloni (RETIRED) gentoo-dev 2006-05-31 16:32:57 UTC
A new ebuild has just been submitted into the tree.  You'll want the ppc team to stabilize it.  I've stabilized it on x86.
Comment 26 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-01 00:03:53 UTC
great, let's go
Comment 27 Tobias Scherbaum (RETIRED) gentoo-dev 2006-06-01 21:58:00 UTC
ppc stable
Comment 28 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-02 03:14:22 UTC
Thanks to all. This one is ready for GLSA
Comment 29 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-02 03:30:02 UTC
sec team, i don't know yet how to handle final GLSAs after a temp GLSA. I let you act here.
Comment 30 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-07 14:33:07 UTC
> sec team, i don't know yet how to handle final GLSAs after a temp GLSA. I let
> you act here.
> 

Jaervosz, Koon or DerCorny, or another security dev, please help us drafting/sending a GLSA update for doomsday (or whatever is appropriate here). Thanks in advance
Comment 31 frilled 2006-06-07 15:05:57 UTC
jaervosz committed himself to do this .-)
Comment 32 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-07 22:16:31 UTC
I'll do it, hopefully in the evening.
Comment 33 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-13 14:18:39 UTC
(In reply to comment #32)
> I'll do it, hopefully in the evening.
> 

Sune, please, oh please... (and don't forget to delete the bogus doomsday entry in glsamaker, thanks in advance)
Comment 34 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-14 02:27:12 UTC
Raphael, I've been too busy and forgot. Please prod me tonight and I'll fix it (can't send from work).
Comment 35 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-14 11:39:00 UTC
/me pick up his coredump and stuffs it back in: We don't issue unmask GLSAs. I've fixed it in GLSAmaker, Raphael could you review and I'll commit it.
Comment 36 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-14 12:59:38 UTC
Thanks Sune for the precision

############################################
Workaround:
There is no known workaround at this time.

There is no known workaround at this time.
############################################

Except that, it's ok.

I close that bug now
Comment 37 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-14 21:16:25 UTC
Thx Raphael for spotting that double boilerplate blunder. In CVS now.