Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 398161 (CVE-2012-0049) - <games-simulation/openttd-1.2.0 Denial of Service (CVE-2012-{0048,0049})
Summary: <games-simulation/openttd-1.2.0 Denial of Service (CVE-2012-{0048,0049})
Alias: CVE-2012-0049
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [noglsa]
Depends on: 412329
  Show dependency tree
Reported: 2012-01-08 16:07 UTC by Sean Amoss (RETIRED)
Modified: 2012-09-08 15:29 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Sean Amoss (RETIRED) gentoo-dev Security 2012-01-08 16:07:46 UTC
From CVE request at $URL:

"The issue concerns a denial of service vulnerability in the form of a 
slow read attack preventing anyone to join the server, and preventing 
the continuation of a game when 'pause on join' is enabled. This attack 
requires the attacker to be authorized, but most servers do not 
implement authorization. The first vulnerable version is 0.3.5, the 
upcoming 1.1.5 release will have the issue fixed.

Once a CVE id is allocated, the issue and fix will be documented at"
Comment 1 Sean Amoss (RETIRED) gentoo-dev Security 2012-02-11 13:20:33 UTC
@games: This is fixed in 1.1.5 released last month. Please provide an updated ebuild.
Comment 2 Marian Kyral 2012-02-25 19:34:05 UTC
Hi, I tested in and only version bump of the ebuild and one patch file is needed. I also made a ebuild for 1.2_RC1
Comment 3 Tomáš Chvátal (RETIRED) gentoo-dev 2012-04-17 19:39:04 UTC
1.2.0 added to main tree now by me.
Do your magic lads :)
Comment 4 Sean Amoss (RETIRED) gentoo-dev Security 2012-04-17 22:30:34 UTC
Thanks, Tomáš.

Arches, please test and mark stable:
Target KEYWORDS="amd64 ppc x86"
Comment 5 Agostino Sarubbo gentoo-dev 2012-04-18 19:52:33 UTC
amd64 stable
Comment 6 Tomáš Chvátal (RETIRED) gentoo-dev 2012-04-18 20:34:39 UTC
Adding opengfx to the list as it seems that with the old one it likes to crash.


Adding back amd64 as I had to prune the stabling due to breaking depgraph.
Comment 7 Andreas Schürch gentoo-dev 2012-04-19 11:06:52 UTC
x86 stable, thanks
Comment 8 Agostino Sarubbo gentoo-dev 2012-04-19 11:54:02 UTC
amd64 stable
Comment 9 Markus Meier gentoo-dev 2012-04-19 20:55:32 UTC
arm passes
Comment 10 Mark Loeser (RETIRED) gentoo-dev 2012-05-06 19:30:19 UTC
drop to ~ppc; ppc64 passes
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2012-05-07 02:52:33 UTC
Thanks, folks. GLSA Vote: no.
Comment 12 Sean Amoss (RETIRED) gentoo-dev Security 2012-05-07 22:29:47 UTC
GLSA vote: no.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2012-09-08 15:29:24 UTC
CVE-2012-0048 (
  OpenTTD 0.3.5 through 1.1.4 allows remote attackers to cause a denial of
  service (game pause) by connecting to the server and not finishing the (1)
  authorization phase or (2) map download, aka a "slow read" attack.