Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 209903 (CVE-2008-0671) - games-mud/tintin <1.98.0 add_line_buffer Buffer Overflow (CVE-2008-{0671,0672,0673})
Summary: games-mud/tintin <1.98.0 add_line_buffer Buffer Overflow (CVE-2008-{0671,0672...
Alias: CVE-2008-0671
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
Whiteboard: B1 [glsa]
Depends on:
Reported: 2008-02-12 19:25 UTC by Robert Buchholz (RETIRED)
Modified: 2011-11-20 18:16 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2008-02-12 19:25:44 UTC
CVE-2008-0671 (
  Stack-based buffer overflow in the add_line_buffer function in TinTin++
  1.97.9 and WinTin++ 1.97.9 allows remote attackers to execute arbitrary code
  via a long chat message, related to conversion from LF to CRLF.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-02-12 19:31:21 UTC
Games herd, did you hear anything upstream about this?
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-02-12 19:32:23 UTC
CVE-2008-0672 (
  The process_chat_input function in TinTin++ 1.97.9 and WinTin++ 1.97.9 allows
  remote attackers to cause a denial of service (application crash) via a YES
  message without a newline character, which triggers a NULL dereference.

CVE-2008-0673 (
  TinTin++ 1.97.9 and WinTin++ 1.97.9 open files on the basis of an inbound
  file-transfer request, before the user has an opportunity to decline the
  request, which allows remote attackers to truncate arbitrary files in the top
  level of a home directory.
Comment 3 Mr. Bones. (RETIRED) gentoo-dev 2008-02-12 19:45:35 UTC
I removed that version from portage.  We'll pick up normal processing on the next version.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-02-12 20:43:28 UTC
I verified that all three vulnerabilities also affect our stable, so that won't be enough. :-/
Comment 5 Mr. Bones. (RETIRED) gentoo-dev 2008-02-12 20:59:13 UTC
package masked.
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-13 17:37:34 UTC
maskglsa request filed.
Comment 7 Mr. Bones. (RETIRED) gentoo-dev 2008-03-25 04:55:17 UTC
added tintin-1.98.0, removed all previous versions, unmasked.
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2008-03-25 10:23:05 UTC
I couldn't reproduce the errors with 1.98.0, so that looks fine.
Comment 9 Mr. Bones. (RETIRED) gentoo-dev 2009-11-23 04:28:41 UTC
please close this out.
Comment 10 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-23 17:41:14 UTC
A GLSA request was filed some time ago and the bug will be closed after it was sent.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2011-11-20 18:16:50 UTC
This issue was resolved and addressed in
 GLSA 201111-07 at
by GLSA coordinator Alex Legler (a3li).