Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 131010 - games-simulation/openttd: remote DoS against client and server (CVE-2006-199[89])
Summary: games-simulation/openttd: remote DoS against client and server (CVE-2006-199[...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://archives.neohapsis.com/archive...
Whiteboard: B3 [glsa] Falco
Keywords:
Depends on:
Blocks:
 
Reported: 2006-04-23 12:28 UTC by Raphael Marichez (Falco) (RETIRED)
Modified: 2006-09-06 09:54 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-04-23 12:28:02 UTC
Both bugs are mentionned in http://archives.neohapsis.com/archives/fulldisclosure/2006-04/0639.html . There are both fixed in SVN http://www.openttd.org/nightly.php

-----------------------------------------------
A] program termination through big error number
-----------------------------------------------

Both client and server handle a type of command (PACKET_SERVER_ERROR
and PACKET_CLIENT_ERROR) for the visualization of some pre-built errors
in the console.
The problem happens when an attacker sends an invalid big error number
(8 bit) which forces the program to terminate spontaneously through the
usage of the error() function.
The bug is exploitable only in-game so the attacker must have access to
the server: his IP must not be banned, he must know the password if it
has been set and the server must not be full.
>From strings.c:

char *GetStringWithArgs(char *buffr, uint string, const int32 *argv)
{
        uint index = GB(string,  0, 11);
        uint tab   = GB(string, 11,  5);

    ...

        if (index >= _langtab_num[tab]) {
                error(
                        "!String 0x%X is invalid. "
                        "Probably because an old version of the .lng file.\n", string
                );
        }

        return FormatString(buffr, GetStringPtr(GB(string, 0, 16)), argv, GB(string, 24, 8));
}


------------------------------------------------------
B] broadcast clients disconnection in multiplayer menu
------------------------------------------------------

Clients are affected by an harmless bug when they handle UDP packets.
The first 2 bytes of each UDP packet are a 16 bit number which
specifies the size of the packet.
If this value in a received packet is invalid (for example too small)
the client returns immediately to the main menu.
This bug becomes problematic when a malicious server visible in the
master server list sends invalid replies to the queries sent from the
clients which want to play online and will be no longer able to do it
due to the returning to the main menu.
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-04-23 13:18:40 UTC
Our stable ebuild (0.4.0.1-r1) is NOT affected by bug A. (it does not contain the quoted extract of code, from strings.c). Consequently, no GLSA will be issued for this vuln.
I can't say if we are vulnerable to bug B : security team or game team, please advise :)

Our ~arch ebuild (0.4.7) seems to be vulnerable to bug A. (it contains the quoted extract of code, from strings.c)

In all cases, the current SVN is known to be patched, but i can't isolate the good patches.
Comment 2 Mr. Bones. (RETIRED) gentoo-dev 2006-04-23 15:42:41 UTC
Be sure to cc the maintainer for stuff like this.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2006-04-28 12:10:37 UTC
David, please advise
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2006-05-09 10:17:53 UTC
David seems to be MIA, games team might have an opinion on what to do on this one ?
Comment 5 Chris Gianelloni (RETIRED) gentoo-dev 2006-05-29 12:21:15 UTC
I've masked 0.4.7 and up, but would really think the best solution for us, as the "backup" for the maintainer, is to wait for the next version.  Has anyone verified if we are/are not vulnerable to bug B with the current stable?
Comment 6 Stefan Cornelius (RETIRED) gentoo-dev 2006-05-30 08:32:18 UTC
masked, setting to enhancement status.

Let's have a vote about a temp maskingglsa: voting no here.
Comment 7 Wolf Giesen (RETIRED) gentoo-dev 2006-05-30 08:39:03 UTC
Voting "no", too.
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2006-05-30 09:24:19 UTC
policy says no maskglsa for a B3
Comment 9 Lars Weiler (RETIRED) gentoo-dev 2006-06-01 09:51:48 UTC
I added those versions of openttd to portage.  dholm gave his okay to me.  So let me be responsible for further actions on this bug.
Comment 10 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2006-08-06 13:21:23 UTC
could somebody responsible please adjust the package.mask to say that only 0.4.7 is blocked. 0.4.8_rc* do contain the fixes.
Comment 11 Chris Gianelloni (RETIRED) gentoo-dev 2006-08-09 08:27:02 UTC
Done.
Comment 12 Lars Weiler (RETIRED) gentoo-dev 2006-08-14 01:55:39 UTC
openttd-0.4.8 is out and in portage.
Comment 13 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-08-16 02:09:50 UTC
OK we should try to test and stabilize it since there are probably some of our users who haven't unmerged the vulnerable ebuild.

Arches, please could you test and stabilize one of the "-0.4.8(_rc.)?" ebuilds ?
Comment 14 Andrej Kacian (RETIRED) gentoo-dev 2006-08-16 02:18:16 UTC
I don't feel very comfortable with stabilizing release candidates, especially if they're unofficial. Is 0.4.8 ready for stable, or is that not an option?
Comment 15 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-08-16 02:30:17 UTC
> Is 0.4.8 ready for stable, 

i think so


> or is that not an option?

-0.4.8 is matched by "-0.4.8(_rc.)?" :)
 

Comment 16 Lars Weiler (RETIRED) gentoo-dev 2006-08-16 02:37:08 UTC
(In reply to comment #14)
> Is 0.4.8 ready for stable, or is that not an option?

From my point of view it's ready for stable.  But it's in portage for just two days now.
Comment 17 Simon Stelling (RETIRED) gentoo-dev 2006-08-16 05:14:10 UTC
> > Is 0.4.8 ready for stable, or is that not an option?
> 
> From my point of view it's ready for stable.  But it's in portage for just two
> days now.

We stablized tons of software only one or two days or even hours after it was put in the tree if it fixed a security issue. Also, this is a game and not a core package, so it shouldn't be such a problem, should it? :) 
Comment 18 Christian Faulhammer (RETIRED) gentoo-dev 2006-08-16 05:18:46 UTC
[ebuild  N    ] games-simulation/openttd-0.4.8  USE="alsa png scenarios zlib -debug -dedicated -timidity" 

1) emerges fine
2) passes collision test
3) I don't have the original game, so I cannot play it

Portage 2.1-r2 (default-linux/x86/2006.0, gcc-3.4.6, glibc-2.3.6-r4, 2.6.17-gentoo-r4 i686)
=================================================================
System uname: 2.6.17-gentoo-r4 i686 AMD Athlon(tm) XP 2500+
Gentoo Base System version 1.12.4
app-admin/eselect-compiler: [Not Present]
dev-lang/python:     2.4.3-r1
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r3
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/splash /etc/terminfo"
CXXFLAGS="-O2"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test"
GENTOO_MIRRORS="ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo/"
LANG="de_DE@euro"
LC_ALL="de_DE@euro"
LINGUAS="de"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.informatik.rwth-aachen.de/gentoo-portage"
USE="x86 3dnow 3dnowext X Xaw3d a52 alsa arts artworkextra asf audiofile avi bash-completion beagle berkdb bidi bitmap-fonts bootsplash branding bzip2 cairo cdda cddb cdparanoia cdr cli cracklib crypt css cups curl custom-cflags dbus dga directfb divx4linux dlloader dri dts dvd dvdr dvdread dvi eds emacs emboss encode esd evo exif expat fam fat fbcon ffmpeg firefox foomaticdb fortran ftp gb gcj gdbm gif gnome gpm gstreamer gtk gtk2 gtkhtml hal icq idn imagemagick imap imlib ipv6 isdnlog java javascript jikes jpeg jpeg2k ldap leim libg++ libwww lm_sensors mad maildir matroska mbox mikmod mime mmx mmxext mng mono motif mp3 mpeg mpeg2 mule nautilus ncurses nforce2 nls nocardbus nptl nptlonly nsplugin nvidia objc ogg opengl pam pcre pdf pdflib perl plotutils pmu png ppds pppd preview-latex print python qt3 qt4 quicktime readline reflection reiserfs samba sdk session slang spell spl sse ssl svg svga t1lib tcltk tcpd test theora thunderbird tiff truetype truetype-fonts type1-fonts udev usb vcd videos vorbis win32codecs wmf wxwindows xine xml xorg xosd xv xvid zlib elibc_glibc input_devices_mouse input_devices_keyboard kernel_linux linguas_de userland_GNU video_cards_radeon video_cards_vesa video_cards_fbdev"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 19 Joshua Jackson (RETIRED) gentoo-dev 2006-08-16 20:23:31 UTC
*poof x86* ^.^;;
Comment 20 Tobias Scherbaum (RETIRED) gentoo-dev 2006-08-18 08:50:45 UTC
ppc stable
Comment 21 Thomas Cort (RETIRED) gentoo-dev 2006-08-18 15:25:46 UTC
amd64 stable.
Comment 22 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-08-21 01:09:46 UTC
Thanks arches,

it's time to make a glsa decision.

i vote yes because of the server-side DoS .
Comment 23 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-08-21 11:20:18 UTC
I tend to vote no.
Comment 24 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-08-28 02:48:40 UTC
heya sec team, holidays have finished, please vote :)
Comment 25 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-05 05:56:48 UTC
Security, please vote.
Comment 26 Kurt Lieber (RETIRED) gentoo-dev 2006-09-05 06:01:32 UTC
if this really is a server side DoS, then I'd vote for a glsa.
Comment 27 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-05 06:05:33 UTC
Two YES votes, then lets have a GLSA.
Comment 28 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-06 09:54:19 UTC
GLSA 200609-03

Remailed (again) to FD due to DNS failure.