Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 326141 (CVE-2010-3085) - <games-emulation/mednafen-0.8.13: security version bump (CVE-2010-3085)
Summary: <games-emulation/mednafen-0.8.13: security version bump (CVE-2010-3085)
Alias: CVE-2010-3085
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Depends on:
Reported: 2010-06-29 08:51 UTC by Sergey Kondakov
Modified: 2013-11-04 11:55 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

games-emulation/mednafen-0.8.13.ebuild (mednafen-0.8.13.ebuild,1.78 KB, text/plain)
2010-06-29 08:52 UTC, Sergey Kondakov
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Sergey Kondakov 2010-06-29 08:51:12 UTC
This will be the final release in the 0.8.x branch, unless 0.8.D introduces any major bug(s) that do not have workaround(s).

Changes since the last stable release, 0.8.C:

SMS: Some state that wasn't being saved in save states now is, which should fix netplay desynch problems with SMS/GG games.

Fixed a couple of remotely-exploitable(if connected to a malicious server) stack manipulation bugs in the network play code.

Fixed an incorrect object creation bug in pce/adpcm.cpp.

NES: Added a missing CPU emulator variable to save states.

PCE: Added a missing CPU emulator variable to save states.

Lynx: Fixed a bug in the cart loader code that would cause a crash if the ROM bank size was larger than the actual data available in the
file(as is the case with some homebrew programs). Thanks to "Wookie" for the patch.

Build files were regenerated using autoconf 2.64 and aclocal 1.11(previously, they were generated with autoconf 2.61 and aclocal 1.10.1).

Fixed a crashing problem when entering an invalid menu choice("0") in the cheat interface. Thanks to
tsenart for reporting the bug.

GB: The GameBoy module now respects the "filesys.disablesavegz" setting in respect to saved
battery-backed RAM.

Added support for "lurkers" on the network play server. Previous versions of Mednafen don't lack support for this per se, but there
would be cosmetic issues with status messages printed to the internal console.

SexyAL: Fixed a bug affecting the return value from RawCanWrite() in the ALSA driver. The returned value was typically too
small by a factor of 4. The effects of this bug included potential long periods of garbled sound
during netplay.

Fixed the return value from RawCanWrite() in the JACK driver. It was being clamped to a value
that was too small by a factor of 4; however, the clamp value was already excessively large in a way
that this bug would should have only been triggered if the "soundbufsize" setting was excessively large.
The effects of this bug would be similar to the ALSA RawCanWrite() bug.

The ALSA and OSS drivers will now try to set audio output to 2 channels if the source data only has 1 channel, and 16-bit signed if the
source data is 8-bit(automatic conversion is done). This is done to allow for lower period/fragment sizes, as, in ALSA's internals at least,
the minimum period sizes are expressed in bytes, not sound frames.

The ALSA and OSS drivers will now try to set lower period/fragment sizes than previous versions of Mednafen did. With default settings, for
ALSA, the new period/fragment size is 50% of what it was before, and for OSS, 25%. Also, there's a new setting to override
the SexyAL's driver's preferred period/fragment sizes, named "sound.period_time"(default value of 0: no override).
The period/fragment size is expressed in microseconds. If the new, lower fragment sizes cause problems, the setting can be changed to "2666"
to approximate the fragment size selection in previous versions of Mednafen when using ALSA output, and "5333" when using OSS output.

Added a workaround to the OSS driver for a bug in ALSA(and hence, ALSA's in-kernel OSS emulation) that could cause the emulator to run far
too fast for a short period of time if a buffer underflow occurred.

The ALSA's driver's RawCanWrite() method now(finally) uses snd_pcm_avail_update() instead of snd_pcm_delay().
This should improve performance and frameskipping behavior when the ALSA output is not routed directly to a physical device, such as the case with
PulseAudio(though PulseAudio is still not recommended :b).

Reproducible: Always
Comment 1 Sergey Kondakov 2010-06-29 08:52:58 UTC
Created attachment 236893 [details]

sample ebuild
Comment 2 Justin Lecher (RETIRED) gentoo-dev 2010-06-29 12:08:03 UTC
Thanks for the version bump notice. Assigning to maintainer
Comment 3 Tupone Alfredo gentoo-dev 2010-07-02 07:49:39 UTC
0.8.13 is now in portage. Thanks
Comment 4 Hanno Böck gentoo-dev 2010-09-09 17:59:56 UTC
"Fixed a couple of remotely-exploitable(if connected to a malicious server)
stack manipulation bugs in the network play code."

This is a security release. Security, I think the committed ebuild is okay, we just need a stabilization round (and according to a recent post to -dev I should not cc archs myself but leave that up to security).
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2010-09-12 04:22:48 UTC
These vulnerabilities have been assigned CVE-2010-3085.
Comment 6 Tim Sammut (RETIRED) gentoo-dev 2010-11-26 23:53:18 UTC
Stabilization took place via Bug 337536. GLSA Request filed.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 00:20:36 UTC
CVE-2010-3085 (
  The network-play implementation in Mednafen before 0.8.D might allow remote
  servers to execute arbitrary code via unspecified vectors, related to "stack
  manipulation" issues.
Comment 8 Tupone Alfredo gentoo-dev 2012-12-13 09:46:29 UTC
That version is no more in the tree. The only version is the 0.9.21
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2013-11-04 11:55:49 UTC
This issue was resolved and addressed in
 GLSA 201311-01 at
by GLSA coordinator Sergey Popov (pinkbyte).