From Secunia security advisory at $URL: Description: The vulnerability is caused due to a boundary error within the "ulSetError()" function (src/util/ulError.cxx) when creating the error message, which can be exploited to overflow a static buffer. Successful exploitation allows the execution of arbitrary code but requires that the attacker can e.g. control the content of an overly long error message passed to the "ulSetError()" function. The vulnerability is confirmed in version 1.8.5. Other versions may also be affected. Solution: unpatched
CVE-2011-4620 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4620): Buffer overflow in the ulSetError function in util/ulError.cxx in PLIB 1.8.5, as used in TORCS 1.3.1 and other products, allows user-assisted remote attackers to execute arbitrary code via vectors involving a long error message, as demonstrated by a crafted acc file for TORCS. NOTE: some of these details are obtained from third party information.
@games: openSUSE has a patch [1] for this and bug 440762 we may be able to use since upstream has not updated. [1] https://build.opensuse.org/request/show/144547
that patch looks terrible. vsnprintf null-terminates.
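For readers following the advisory above and the vsnprintf remark: the following is an added illustration, not PLIB's code or any of the patches under discussion. It models an error-reporting function that formats into a fixed-size static buffer, the pattern the advisory describes, and shows the bounded vsnprintf() form that keeps a long message from overflowing. The buffer name, its size (256) and the function names are assumptions made for the example; the over-long input is constructed inline.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size static error buffer, standing in for the
 * "static buffer" the advisory mentions. Size and name are assumptions. */
#define ERR_BUF_SIZE 256
static char err_buf[ERR_BUF_SIZE];

/* Unsafe pattern (shown for contrast only, never called here):
 * vsprintf() has no length bound, so any message longer than the
 * buffer writes past its end.
 *
 *   va_list ap; va_start(ap, fmt);
 *   vsprintf(err_buf, fmt, ap);
 *   va_end(ap);
 */

/* Hardened pattern: vsnprintf() writes at most ERR_BUF_SIZE-1 characters
 * and always NUL-terminates when the size argument is > 0, so no manual
 * terminator is needed after it. The return value is the length the full
 * message would have had, which lets callers notice truncation. */
int set_error_bounded(const char *fmt, ...)
{
    va_list ap;
    int needed;

    va_start(ap, fmt);
    needed = vsnprintf(err_buf, sizeof err_buf, fmt, ap);
    va_end(ap);
    return needed;
}

/* Accessor so the stored message can be inspected. */
const char *get_error(void)
{
    return err_buf;
}

/* Demonstration: feed an untrusted name far longer than the buffer
 * (constructed sample input) through the bounded formatter and report
 * the length the message would have needed. */
int demo_long_message(void)
{
    char untrusted_name[1024];
    int needed;

    memset(untrusted_name, 'A', sizeof untrusted_name - 1);
    untrusted_name[sizeof untrusted_name - 1] = '\0';

    needed = set_error_bounded("error loading model %s", untrusted_name);

    /* needed >= ERR_BUF_SIZE means the stored text was truncated, but
     * err_buf still holds exactly ERR_BUF_SIZE-1 chars plus a NUL. */
    return needed;
}

int main(void)
{
    int needed = demo_long_message();
    printf("needed=%d stored=%zu truncated=%s\n", needed, strlen(get_error()),
           needed >= ERR_BUF_SIZE ? "yes" : "no");
    return 0;
}
```

The point of the bounded version is that the size passed to vsnprintf() is the real buffer size, and the terminator is guaranteed by the function itself; a patch that appends its own NUL after vsnprintf() is redundant, and one that passes a size larger than the buffer reintroduces the overflow.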
Created attachment 423696: Patch from debian. Extracted from the patch at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=654785
Package revbumped per [0]. Arch teams, please test and mark stable: =media-libs/plib-1.8.5-r1 Targeted stable KEYWORDS : alpha amd64 hppa ppc sparc x86 [0]: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c2c3350ada353ca2c523210909a4fea07fcc5a10
amd64 stable
@arches, still pending stabilization on: alpha, hppa, ppc, sparc, and x86. @games, once stable please remove vulnerable version 1.8.5.
*** Bug 576016 has been marked as a duplicate of this bug. ***
Stable for HPPA.
Stable on alpha.
x86 stable
ppc stable
sparc stable. Maintainer(s), please clean up. Security, please add it to the existing request, or file a new one.
New GLSA opened.
This issue was resolved and addressed in GLSA 201606-16 at https://security.gentoo.org/glsa/201606-16 by GLSA coordinator Aaron Bauman (b-man).