the OpenTTD team and contributors have discovered several security vulnerabilities in OpenTTD. Please be so kind to allocate a CVE id for each of the issues detailed below: 1.) Denial of service via improperly validated commands In multiple places in-game commands are not properly validated that allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unspecified vectors. Vulnerability is present since 0.3.5 and will be fixed in the upcoming 1.1.3 release. Issue report at http://bugs.openttd.org/task/4745 2.) Buffer overflows in savegame loading In multiple places indices in savegames are not properly validated that allow (remote) attackers to cause a denial of service (crash) and possibly execute arbitrary code via unspecified vectors. Vulnerability is present since 0.1.0 and will be fixed in the upcoming 1.1.3 release. Issue reports at http://bugs.openttd.org/task/4717 and http://bugs.openttd.org/task/4748 3.) Multiple buffer overflows in validation of external data In multiple places external data from the local file system isn't properly checked before allocating memory, which could lead to buffer overflows and arbitrary code execution. Vulnerability is present since 0.3.4 and will be fixed in the upcoming 1.1.3 release. Issue reports at http://bugs.openttd.org/task/4746 and http://bugs.openttd.org/task/4747 Once the CVE ids are allocated, each issue will be fully documented at http://security.openttd.org/en/CVE-2011-xxxx Reproducible: Always
*** Bug 383163 has been marked as a duplicate of this bug. ***
Arches, please test and mark stable: =games-simulation/openttd-1.1.3 target KEYWORDS : "amd64 ppc x86"
amd64: pass
Archtested on x86: Everything fine except for the fact that i seem to have to have forgotten how to play TTD. :)
amd64 ok
+ 16 Sep 2011; Tony Vroon <chainsaw@gentoo.org> openttd-1.1.3.ebuild: + Marked stable on AMD64 based on arch testing by Elijah "Armageddon" El + Lazkani & Agostino Sarubbo in security bug #381799 filed by Sean Amoss.
x86 stable, thanks JD
never stable on ppc, last arch done
Thanks everyone. Tim, can you please add to GLSA request?
(In reply to comment #9) > Thanks everyone. Tim, can you please add to GLSA request? Yep, request filed. Thanks, Sean, folks.
CVE-2011-3343 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3343): Multiple buffer overflows in OpenTTD before 1.1.3 allow local users to cause a denial of service (daemon crash) or possibly gain privileges via (1) a crafted BMP file with RLE compression or (2) crafted dimensions in a BMP file. CVE-2011-3342 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3342): Multiple buffer overflows in OpenTTD before 1.1.3 allow remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via vectors related to (1) NAME, (2) PLYR, (3) CHTS, or (4) AIPL (aka AI config) chunk loading from a savegame.
CVE-2011-3341 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3341): Multiple off-by-one errors in order_cmd.cpp in OpenTTD before 1.1.3 allow remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a crafted CMD_INSERT_ORDER command. CVE-2010-4168 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4168): Multiple use-after-free vulnerabilities in OpenTTD 1.0.x before 1.0.5 allow (1) remote attackers to cause a denial of service (invalid write and daemon crash) by abruptly disconnecting during transmission of the map from the server, related to network/network_server.cpp; (2) remote attackers to cause a denial of service (invalid read and daemon crash) by abruptly disconnecting, related to network/network_server.cpp; and (3) remote servers to cause a denial of service (invalid read and application crash) by forcing a disconnection during the join process, related to network/network.cpp.
This issue was resolved and addressed in GLSA 201111-03 at http://security.gentoo.org/glsa/glsa-201111-03.xml by GLSA coordinator Tim Sammut (underling).
