------------------------------------
A] buffer-overflow in recvTextMessage
------------------------------------

recvTextMessage is the function used by the server for handling the text messages sent by the clients. This function uses the msg buffer, which has a size of 256 (MAX_CONSOLE_STRING_LENGTH) bytes, for containing the entire message to send to all the other clients using the following format:

    player_name : message

The size of the data block can be max 8000 (MaxMsgSize) bytes so an attacker can cause a buffer-overflow for crashing the server or executing malicious code.

From src/multiplay.c:

    BOOL recvTextMessage(NETMSG *pMsg)
    {
        DPID    dpid;
        UDWORD  i;
        STRING  msg[MAX_CONSOLE_STRING_LENGTH];

        NetGet(pMsg,0,dpid);
        for(i = 0; NetPlay.players[i].dpid != dpid; i++);   //findplayer

        strcpy(msg,NetPlay.players[i].name);    // name
        strcat(msg," : ");                      // separator
        strcat(msg, &(pMsg->body[4]));
        ...

---------------------------------
B] buffer-overflow in NETrecvFile
---------------------------------

The NETrecvFile function used by the clients for downloading remote files is affected by a buffer-overflow caused by the copying of a string of max 255 bytes in the fileName buffer of only 128 bytes.

From lib/netplay/netplay.c:

    UBYTE NETrecvFile(NETMSG *pMsg)
    {
        UDWORD      pos, fileSize, currPos, bytesRead;
        char        fileName[128];
        unsigned int len;
        static PHYSFS_file  *pFileHandle;

        //read incoming bytes.
        NetGet(pMsg,0,fileSize);
        NetGet(pMsg,4,bytesRead);
        NetGet(pMsg,8,currPos);

        // read filename
        len = (unsigned int)(pMsg->body[12]);
        memcpy(fileName,&(pMsg->body[13]),len);
        ...

http://aluigi.altervista.org/adv/warzonebof-adv.txt
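Added example, written for this page and not taken from the advisory or from the Warzone 2100 source: a self-contained reconstruction of the two receive paths quoted above, with the unbounded strcpy/strcat and memcpy replaced by length-checked copies that reject oversized input instead of overflowing. The NETMSG layout (a size field plus an 8000-byte body), the builder helpers and the sample packets are assumptions made so the code runs offline; the real game looks the player name up by dpid, which is simplified here to a parameter.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sizes taken from the advisory; the struct layout itself is an assumption. */
#define MAX_CONSOLE_STRING_LENGTH 256
#define MaxMsgSize                8000
#define FILENAME_BUF              128

typedef struct {
    uint16_t size;              /* assumed: number of valid bytes in body */
    uint8_t  body[MaxMsgSize];
} NETMSG;

/* Hardened stand-in for recvTextMessage. The original did
 *   strcpy(msg, name); strcat(msg, " : "); strcat(msg, &body[4]);
 * into a 256-byte msg with up to ~8000 attacker-controlled bytes. Here the
 * text is bounded by the packet length, may lack a NUL, and the whole
 * formatted line must fit or the message is rejected (false). */
bool recv_text_message_safe(const NETMSG *pMsg, const char *player_name,
                            char out[MAX_CONSOLE_STRING_LENGTH])
{
    if (pMsg->size < 4) return false;               /* no room for dpid */
    const uint8_t *text = &pMsg->body[4];
    size_t text_len = pMsg->size - 4;
    const uint8_t *nul = memchr(text, 0, text_len); /* tolerate missing NUL */
    size_t actual = nul ? (size_t)(nul - text) : text_len;

    int n = snprintf(out, MAX_CONSOLE_STRING_LENGTH, "%s : %.*s",
                     player_name, (int)actual, (const char *)text);
    if (n < 0 || n >= MAX_CONSOLE_STRING_LENGTH) {
        out[0] = '\0';                              /* reject, don't truncate silently */
        return false;
    }
    return true;
}

/* Hardened stand-in for the filename read in NETrecvFile. The original did
 *   len = body[12]; memcpy(fileName, &body[13], len);
 * with fileName[128] and len up to 255. Both the destination size and the
 * packet boundary are checked before the copy. */
bool net_recv_file_name_safe(const NETMSG *pMsg, char fileName[FILENAME_BUF])
{
    if (pMsg->size < 13) return false;              /* header + length byte */
    unsigned int len = pMsg->body[12];
    if (len >= FILENAME_BUF) return false;          /* keep room for the NUL */
    if ((size_t)13 + len > pMsg->size) return false;/* name must lie inside packet */
    memcpy(fileName, &pMsg->body[13], len);
    fileName[len] = '\0';
    return true;
}

/* Constructed packets for demonstration (not captured traffic). */
static void make_text_msg(NETMSG *m, const char *text, size_t text_len)
{
    memset(m, 0, sizeof *m);
    m->size = (uint16_t)(4 + text_len);
    memcpy(&m->body[4], text, text_len);
}

static void make_file_msg(NETMSG *m, uint8_t name_len, const char *name)
{
    memset(m, 0, sizeof *m);
    m->size = (uint16_t)(13 + name_len);
    m->body[12] = name_len;
    memcpy(&m->body[13], name, name_len);
}

/* Each demo returns 1 when the hardened handler behaves as intended. */
int demo_text_ok(void)
{
    static NETMSG m; char out[MAX_CONSOLE_STRING_LENGTH];
    make_text_msg(&m, "hello", 5);
    return recv_text_message_safe(&m, "alice", out) && strcmp(out, "alice : hello") == 0;
}

int demo_text_overflow_rejected(void)
{
    static NETMSG m; static char payload[MaxMsgSize - 4];
    char out[MAX_CONSOLE_STRING_LENGTH];
    memset(payload, 'A', sizeof payload);           /* full 8000-byte packet */
    make_text_msg(&m, payload, sizeof payload);
    return !recv_text_message_safe(&m, "alice", out) && out[0] == '\0';
}

int demo_file_ok(void)
{
    static NETMSG m; char fn[FILENAME_BUF];
    make_file_msg(&m, 6, "map.wz");
    return net_recv_file_name_safe(&m, fn) && strcmp(fn, "map.wz") == 0;
}

int demo_file_overflow_rejected(void)
{
    static NETMSG m; char fn[FILENAME_BUF]; static char big[255];
    memset(big, 'A', sizeof big);                   /* 255-byte name, max for one length byte */
    make_file_msg(&m, 255, big);
    return !net_recv_file_name_safe(&m, fn);
}

int main(void)
{
    printf("text ok=%d overflow rejected=%d\n", demo_text_ok(), demo_text_overflow_rejected());
    printf("file ok=%d overflow rejected=%d\n", demo_file_ok(), demo_file_overflow_rejected());
    return 0;
}
```

Rejecting rather than truncating is deliberate: a silently truncated filename or chat line hides the fact that a peer sent malformed data, which is exactly the signal a server wants to log and act on.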
This one looks more serious. Anything upstream?
package masked.
Thx Mr. Bones. This one is ready for a masking GLSA.
GLSA 200608-16
Is there a chance for me to get notified of such bugs directly when they pop up? I am a Warzone dev and would like to know when bugs appear in my game.
One way would be to set your Bugzilla account to watch security@gentoo.org and filter on the email subject where warzone should appear.
fixed version in portage. removed from package.mask.
It appears to me that this should be ~1 instead of B1, was this ever stable?
(In reply to comment #8) > was this ever stable? no
Seems like the B rating was wrong then. GLSA updated. I think we should just close this one now. Comments?
Are there still issues??? We just released 2.0.5 and haven't heard of any problems in a long while...
Just waiting for the security team to close I imagine.
Closing and Happy New Year everyone.