A vulnerability has been reported in OpenTTD, which potentially can
be exploited by malicious people to cause a DoS (Denial of Service)
or to compromise a vulnerable system.
The vulnerability is caused due to a boundary error within the
"TruncateString()" function in src/gfx.cpp. This can be exploited to
potentially cause a buffer overflow via a specially crafted string.
Successful exploitation may allow execution of arbitrary code.
The vulnerability is reported in versions prior to 0.6.2.
Update to version 0.6.2.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
Created attachment 162239 [details, diff]
Just for reference, the patch in question. It also affects 0.5.3 as it is in our tree, a backport should be trivial if the ebuild cannot be bumped to 0.6.
masked games-simulation/openttd until it's fixed.
Created attachment 162242 [details, diff]
backported fix for 0.5.x
This is the backported patch of openttd-0.6.2-truncate-string.patch. Compiled fine with me and game playes without problems. This patch also works just fine with 0.5.3 because gfx.c files are identical in 0.5.2 and 0.5.3.
This might not be the only buffer overflow fixed in 0.6.2, see
As Nico pointed out in the URL above, further patches would need backporting. Is bumping to 0.6.2 an option for us?
CVE-2008-3547 for the Debian issue
CVE-2008-3576 for the TruncateString()
Games, any news here?
Buffer overflow in src/openttd.cpp in OpenTTD before 0.6.2 allows
local users to execute arbitrary code via a large filename supplied to
the "-g" parameter in the ttd_main function. NOTE: it is unlikely
that this issue would cross privilege boundaries in typical
It's masked. We'll fix it when we fix it.
Would it be possible to change the hard mask to only versions before 0.6.3? 0.6.3 fixes all CVEs. As OpenTTD now wants to push out an overlay with ebuilds, the hard mask is holding it back (and I can't find a way to override the hard mask from within an overlay). Thank you in advance.
(In reply to comment #10)
> Would it be possible to change the hard mask to only versions before 0.6.3?
> 0.6.3 fixes all CVEs. As OpenTTD now wants to push out an overlay with ebuilds,
> the hard mask is holding it back (and I can't find a way to override the hard
> mask from within an overlay). Thank you in advance.
A file named package.unmask in profiles/ should work, I guess, so no need to change the masks in our official tree.
games, you should probably bump and unmask, once you've got time.
(In reply to comment #11)
> A file named package.unmask in profiles/ should work, I guess, so no need to
> change the masks in our official tree.
> games, you should probably bump and unmask, once you've got time.
Exactly my thoughts ... but I couldn't get it to work. Then of course there is a good possibility I am doing something wrong.
# cat profiles/package.unmask
# emerge -av openttd
(same for '=games-simulation/openttd-0.6.3' and '<=games-simulation/openttd-0.6.2') ..
But okay, I will just wait for someone to official add 0.6.3 in the portage. Tnx for your reply!
Version 0.6.3 is in portage now and unmasked. Can be closed?
(In reply to comment #13)
> Version 0.6.3 is in portage now and unmasked. Can be closed?
Nah, we need this stable first. 0.6.3 ready to go stable?
(In reply to comment #14)
> 0.6.3 ready to go stable?
As it use EAPI=2 we should wait for portage to stabilize
But why is it using EAPI=2 in the first place? It is not like it uses any of the new features ...
(In reply to comment #16)
> But why is it using EAPI=2 in the first place? It is not like it uses any of
> the new features ...
The ebuild does, it has USE deps and src_configure. We can either wait this out until portage with EAPI=2 is stable, or create an -r1 that reintroduces built_with_use moves the src_configure code.
Ah, sorry, you are right. I am trying to get the following ebuild in the official portage for ages now .. I seem to fail to do so ;)
It uses EAPI=1, and is what we as OpenTTD publish as official ebuilds at the moment (as at least the general public can use it ...)
Regarding the status on the openttd website would it be possible to stabilize the ebuild? The last post has been commited on th 27th of November ...
EAPI-2 portage is now stable, is 0.6.3 good to go now?
Robin, do you approve of this going stable?
rbu: +1 from me.
Arches, please test and mark stable:
Target keywords : "amd64 ppc ppc64 x86"
tests fail on amd64/x86:
>>> Test phase [check]: games-simulation/openttd-0.6.3
make -j2 -j1 check
make: Entering directory `/var/tmp/portage/games-simulation/openttd-0.6.3/work/openttd-0.6.3/objs/release'
[SRC] No such source-file: check.[c|cpp|mm|rc]
make: Leaving directory `/var/tmp/portage/games-simulation/openttd-0.6.3/work/openttd-0.6.3/objs/release'
cc -Wl,-O1 check.o -o check
gcc: check.o: No such file or directory
make: *** [check] Error 1
* ERROR: games-simulation/openttd-0.6.3 failed.
* Call stack:
* ebuild.sh, line 49: Called src_test
* environment, line 2583: Called _eapi0_src_test
* ebuild.sh, line 602: Called die
* The specific snippet of code:
* hasq test $FEATURES && die "Make check failed. See above for details."
* The die message:
* Make check failed. See above for details.
games-simulation/openttd-0.6.3 USE="alsa iconv png truetype zlib -debug -dedicated -scenarios -timidity"
Portage 126.96.36.199 (default/linux/x86/2008.0/desktop, gcc-4.1.2, glibc-2.6.1-r0, 2.6.28 i686)
System uname: Linux-2.6.28-i686-Intel-R-_Core-TM-2_Duo_CPU_T8300_@_2.40GHz-with-glibc2.0
Timestamp of tree: Thu, 15 Jan 2009 20:30:01 +0000
dev-java/java-config: 1.3.7-r1, 2.1.6-r1
dev-lang/python: 2.4.4-r14, 2.5.2-r7
sys-devel/autoconf: 2.13, 2.63
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.2
CFLAGS="-O2 -march=i686 -pipe"
CONFIG_PROTECT="/etc /opt/openfire/resources/security/ /opt/openjms/config /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/lib/fax /usr/share/config /var/bind /var/lib/hsqldb /var/qmail/alias /var/qmail/control /var/spool/fax/etc /var/spool/torque"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/splash /etc/terminfo /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-O2 -march=i686 -pipe"
FEATURES="collision-protect distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict test unmerge-orphans userfetch userpriv usersandbox"
LINGUAS="en en_GB de"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
USE="X acl acpi alsa apache2 avahi berkdb bluetooth branding bzip2 cairo cdr cli cracklib crypt cups dbus dri dvd dvdr dvdread eds emboss encode esd evo examples fam firefox fortran gdbm gif gnome gpm gstreamer gtk hal iconv ipv6 isdnlog jpeg kde ldap libnotify mad midi mikmod mp3 mpeg mudflap ncurses nls nptl nptlonly ogg opengl openmp pam pcre pdf perl png ppds pppd python qt3 qt3support qt4 quicktime readline reflection sdl session source spell spl ssl startup-notification svg sysfs tcpd test tiff truetype unicode usb vorbis win32codecs x86 xml xorg xulrunner xv zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en en_GB de" USERLAND="GNU" VIDEO_CARDS="fbdev glint i810 intel mach64 mga neomagic nv r128 radeon savage sis tdfx trident vesa vga via vmware voodoo"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
same here on ppc64
(In reply to comment #25)
> same here on ppc64
and same for ppc.
back to [ebuild], please re-add arches once this is fixed. thanks.
OpenTTD doesn't know how to do a 'make check'. Any way to disable this in the ebuild?
added restrict for test