Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 190835 (CVE-2007-4642) - games-fps/doomsday < 1.9.0-beta5.2 Multiple Vulnerabilities (CVE-2007-{4642,4643,4644})
Summary: games-fps/doomsday < 1.9.0-beta5.2 Multiple Vulnerabilities (CVE-2007-{4642,4...
Status: RESOLVED FIXED
Alias: CVE-2007-4642
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High enhancement (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/26524/
Whiteboard: B1 [noglsa]
Keywords:
Depends on:
Blocks: 188895
  Show dependency tree
 
Reported: 2007-08-31 00:25 UTC by Matt Fleming (RETIRED)
Modified: 2013-09-03 01:58 UTC (History)
7 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Matt Fleming (RETIRED) gentoo-dev 2007-08-31 00:25:12 UTC
Luigi Auriemma has reported some vulnerabilities in Doomsday, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.

1) A boundary error exists within the "D_NetPlayerEvent()" function in d_net.c when processing chat messages. This can be exploited to overflow a global buffer by sending an overly long chat message to the affected server.

Successful exploitation may allow the execution of arbitrary code on the game server and the connected clients.

2) A boundary error exists within the "Msg_Write()" function in net_msg.c when processing chat messages. This can be exploited to overflow a global buffer by sending an overly long chat message to the affected server.

3) An integer underflow error exists within the "Sv_HandlePacket()" in sv_main.c when processing chat messages. This can be exploited to trigger a failure to allocate required memory, which leads to a DoS.

4) A boundary error exists within the "NetSv_ReadCommands()" function in d_netsv.c when processing client commands. This can be exploited to overflow a static buffer by sending more than 30 commands to the affected server.

5) A format string error exists within the "Cl_GetPackets()" function when processing "PSV_CONSOLE_TEXT" messages sent by the server. This can potentially be exploited by a malicious server to execute arbitrary code on the affected clients by sending a specially crafted messages.

NOTE: An error in the processing of chat messages may leave a string without a NULL character at the end. This may trigger other vulnerabilities.

The vulnerabilities are reported in version 1.9.0-beta5.1 and prior. Other versions may also be affected.
Comment 1 Matt Fleming (RETIRED) gentoo-dev 2007-08-31 00:27:04 UTC
CC'ing herd and setting whiteboard status.
Comment 2 Mr. Bones. (RETIRED) gentoo-dev 2007-08-31 00:45:35 UTC
masked
Comment 3 Davide Cendron (RETIRED) gentoo-dev 2007-09-27 18:44:46 UTC
The security issues seems to be solved in the security update 1.9.0_beta5.2 release (what a horrible versioning scheme *_* )

http://sourceforge.net/forum/forum.php?forum_id=736045

Is it sufficient to update the ebuild, right?
Comment 4 Mr. Bones. (RETIRED) gentoo-dev 2007-11-23 20:46:55 UTC
Should be fixed in beta5.2 which I just put into portage.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2007-12-04 01:11:31 UTC
You can remove the p.mask on this ebuild then.

doomsday-1.9.0_beta4 was stable before masking, so to not introduce version regrssions, this should go stable too. Bones, what do you think about stabling 5.2?
Comment 6 Mr. Bones. (RETIRED) gentoo-dev 2007-12-04 02:11:32 UTC
sounds good to me.  I went ahead on that.
Comment 7 Davide Cendron (RETIRED) gentoo-dev 2007-12-04 08:01:12 UTC
(In reply to comment #5)
> You can remove the p.mask on this ebuild then.
> 
> doomsday-1.9.0_beta4 was stable before masking, so to not introduce version
> regrssions, this should go stable too. Bones, what do you think about stabling
> 5.2?

I suggest to *NOT* mark as stable this version, because it still contains several bugs, one of which has been reported in this [1] Gentoo Forums topic; see also the linked Doomsday bug report [2] (and IMHO this bug is quite annoying)

I've also the bad sensation that the future of the development of this engine wouldn't be so shiny... [3] :(

[1] http://forums.gentoo.org/viewtopic-t-622382.html
[2] http://sourceforge.net/tracker/index.php?func=detail&aid=1807891&group_id=74815&atid=542099
[3] http://www.dengine.net/blog/?p=113#comment-1993
Comment 8 Mr. Bones. (RETIRED) gentoo-dev 2007-12-04 08:06:19 UTC
Yeah, welcome to the world of opensource games.  It's better then the previously stabled versions so I'm ok with the current state.
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2007-12-06 00:50:41 UTC
glsa request filed.
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2007-12-23 23:19:09 UTC
Upstream confirmed that CVE-2007-4644 was not fixed by the update.
Comment 11 Sune Kloppenborg Jeppesen gentoo-dev 2008-01-05 07:00:58 UTC
Either this bug should go back into upstream status or we should open another bug for CVE-2007-4644 and release the (corrected) GLSA.
Comment 12 Sune Kloppenborg Jeppesen gentoo-dev 2008-01-15 21:21:44 UTC
Mr. Bones the most serious issue never got fixed. Please mask it again until we get a fixed version.
Comment 13 Mr. Bones. (RETIRED) gentoo-dev 2008-01-15 21:48:40 UTC
done.
Comment 14 Sune Kloppenborg Jeppesen gentoo-dev 2008-01-16 07:54:08 UTC
Thx.
Comment 15 timofonic 2008-01-26 01:15:18 UTC
Any news about this? 


 * games-fps/doomsday-1.9.0_beta52:0::gentoo: Masked by repository (/var/paludis/repositories/gentoo/profiles/package.mask: Michael Sterrett <mr_bones_@gentoo.org> (15 Jan 2008) Security mask (bug #190835) https://bugs.gentoo.org/show_bug.cgi?id=190835)


So when will this will be removed?
Comment 16 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-01-28 11:03:33 UTC
(In reply to comment #15)
> Any news about this? 
> 
>  * games-fps/doomsday-1.9.0_beta52:0::gentoo: Masked by repository
> (/var/paludis/repositories/gentoo/profiles/package.mask: Michael Sterrett
> <mr_bones_@gentoo.org> (15 Jan 2008) Security mask (bug #190835)
> https://bugs.gentoo.org/show_bug.cgi?id=190835)
> 
> So when will this will be removed?
> 
why should it be removed? the mask is here to remind users that this game is currently vulnerable. If upstream releases a new version fixing this issue, it should be unmasked again.
Comment 17 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-02-06 22:18:21 UTC
And GLSA 200802-02, sorry for the delay.
Comment 18 Robert Buchholz (RETIRED) gentoo-dev 2008-02-07 12:04:20 UTC
mask glsa is not a fix, is it?
Comment 19 Sune Kloppenborg Jeppesen gentoo-dev 2008-02-10 14:12:45 UTC
We usually leave it open until the ebuild is purged or unmasked and GLSA rereleased.
Comment 20 impogarbage 2008-06-01 01:08:07 UTC
1.9.0_beta52 is unplayable because of corrupted player control system.

So 1.9.0_beta51 shoud be returned to portage...
Comment 21 haarp 2008-11-06 03:07:58 UTC
Upstream pulled beta5.2. It should be remove from Portage, for playability and security reasons.
As an alternative, I created Attachment 170876 [details] (also see bug 188895). This uses the same SVN sources that are also used to build the Ubuntu packages and should fix all vulnerabilites, *except* one:

>  A format string error exists within the "Cl_GetPackets()" function when processing "PSV_CONSOLE_TEXT" messages sent by the server. This can potentially be exploited by a malicious server to execute arbitrary code on the affected clients by sending a specially crafted messages.

An dev noted: "I could only ever trigger a DoS with this, no arbitrary code running".

It should also work on AMD64 now.
Comment 22 Mr. Bones. (RETIRED) gentoo-dev 2008-11-06 06:23:06 UTC
It's currently masked.  That's good enough.  We'll just pick up their next release.
Comment 23 Brandon Captain 2009-04-02 15:26:45 UTC
1.9-beta6.1 has just been released

http://www.doomsdayhq.com/

Comment 24 Tristan Heaven (RETIRED) gentoo-dev 2009-05-27 13:38:51 UTC
Bumped to 1.9-beta6.2 but I don't know if it's fixed.
Comment 25 Mr. Bones. (RETIRED) gentoo-dev 2009-11-10 16:44:38 UTC
doomsday-1.9.0_beta52 is gone.  I've removed the entry from package.mask.
Comment 26 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-03 01:58:14 UTC
Affected version long gone. noglsa.