openttd: Network exploitable buffer overrun

Debian Bug report logs - #493714
openttd: Network exploitable buffer overrun

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: "R. Bijker" <rubidium@rbijker.net>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: openttd: Network exploitable buffer overrun

Date: Mon, 04 Aug 2008 14:54:36 +0200

Package: openttd
Version: 0.6.1-1
Severity: grave
Tags: security
Justification: user security hole

OpenTTD servers of version 0.6.1 and below are susceptible to a remotely
exploitable buffer overflow when the server is filled with companies and
clients with names that are (near) the maximum allowed length for names.
In the worst case OpenTTD will write the following (mostly remotely
changable bytes) into 1460 bytes of malloc-ed memory:
up to 11 times (amount of players) 118 bytes
up to 8 times (amount of companies) 124 bytes
and 7 "header" bytes
Resulting in up to 2297 bytes being written in 1460 bytes of malloc-ed
memory. This makes it possible to remotely crash the game or change the
gamestate into an unrecoverable state.

There are three ways of fixing this:
- upgrading to 0.6.2.
- backporting the bugfixes to 0.6.1 and make a network-incompatible version
 of OpenTTD which makes it impossible to participate in multiplayer games
 with both Debian and non-Debian users.
- increase the allocation size, which will make it even network incompatible
 with itself.

Therefore the best way to fix this is by upgrading to 0.6.2, also in lenny.

-- System Information:
Debian Release: lenny/sid
 APT prefers unstable
 APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26 (PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) (ignored: 
LC_ALL set to en_GB.utf8)
Shell: /bin/sh linked to /bin/bash

Message #10 received at 493714@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: 493714@bugs.debian.org

Subject: CVE-2008-3547

Date: Fri, 8 Aug 2008 10:44:37 +0200

[Message part 1 (text/plain, inline)]

Hi,
please reference CVE-2008-3547 as the CVE id in the 
changelog if you close this bug.

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

[Message part 2 (application/pgp-signature, inline)]

Message #15 received at 493714@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>

To: "R. Bijker" <rubidium@rbijker.net>

Cc: 493714@bugs.debian.org

Subject: Re: openttd: Network exploitable buffer overrun

Date: Sun, 10 Aug 2008 16:53:59 +0200

R. Bijker wrote:
> Therefore the best way to fix this is by upgrading to 0.6.2, also in lenny.

I agree, can you upload 0.6.2 to unstable?

Cheers,
        Moritz

Message #20 received at 493714@bugs.debian.org (full text, mbox, reply):

From: "R. Bijker" <rubidium@rbijker.net>

To: Moritz Muehlenhoff <jmm@inutil.org>

Cc: 493714@bugs.debian.org

Subject: Re: openttd: Network exploitable buffer overrun

Date: Sun, 10 Aug 2008 21:14:46 +0200

Moritz Muehlenhoff wrote:
> I agree, can you upload 0.6.2 to unstable?
>
> Cheers,
>         Moritz
>   
I have absolutely no influence over getting OpenTTD 0.6.2 physically 
uploaded to Debian-unstable.


Regards,
Remko Bijker

Message #25 received at 493714@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: Moritz Muehlenhoff <jmm@inutil.org>, 493714@bugs.debian.org

Cc: "R. Bijker" <rubidium@rbijker.net>

Subject: Re: Bug#493714: openttd: Network exploitable buffer overrun

Date: Sun, 10 Aug 2008 21:32:07 +0200

[Message part 1 (text/plain, inline)]

Hi Moritz,
* Moritz Muehlenhoff <jmm@inutil.org> [2008-08-10 20:42]:
> R. Bijker wrote:
> > Therefore the best way to fix this is by upgrading to 0.6.2, also in lenny.
> 
> I agree, can you upload 0.6.2 to unstable?

I got a private mail by the maintainer stating:
"New version should be uploaded this weekend, I'll mail the 
release team with details when that happens."

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

[Message part 2 (application/pgp-signature, inline)]

Message #30 received at 493714@bugs.debian.org (full text, mbox, reply):

From: Matthijs Kooijman <matthijs@stdin.nl>

To: Nico Golde <nion@debian.org>, 493714@bugs.debian.org

Cc: Moritz Muehlenhoff <jmm@inutil.org>, "R. Bijker" <rubidium@rbijker.net>

Subject: Re: Bug#493714: openttd: Network exploitable buffer overrun

Date: Tue, 12 Aug 2008 11:33:17 +0200

[Message part 1 (text/plain, inline)]

Hi,

> I got a private mail by the maintainer stating:
> "New version should be uploaded this weekend, I'll mail the 
> release team with details when that happens."
I'm having a bit of a problem with this upload, since my regular sponsor seems
to be away. I had asked a DD to upload it last weekend, but hasn't had time
for it yet. I've put the new version up at mentors.debian.net and asked for a
sponsor on debian-mentors@ as well.

Release team has also been mailed about possibly including this version in
testing.


Gr.

Matthijs

[signature.asc (application/pgp-signature, inline)]

Message #35 received at 493714@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <thijs@debian.org>

To: 493714@bugs.debian.org

Cc: Moritz Muehlenhoff <jmm@inutil.org>, "R. Bijker" <rubidium@rbijker.net>, Nico Golde <nion@debian.org>

Subject: Re: Bug#493714: openttd: Network exploitable buffer overrun

Date: Wed, 13 Aug 2008 11:11:14 +0200

[Message part 1 (text/plain, inline)]

> > I got a private mail by the maintainer stating:
> > "New version should be uploaded this weekend, I'll mail the
> > release team with details when that happens."
>
> I'm having a bit of a problem with this upload, since my regular sponsor
> seems to be away. I had asked a DD to upload it last weekend, but hasn't
> had time for it yet. I've put the new version up at mentors.debian.net and
> asked for a sponsor on debian-mentors@ as well.

I've sponsored this upload now.


cheers,
Thijs

[Message part 2 (application/pgp-signature, inline)]

Message #40 received at 493714-close@bugs.debian.org (full text, mbox, reply):

From: Matthijs Kooijman <matthijs@stdin.nl>

To: 493714-close@bugs.debian.org

Subject: Bug#493714: fixed in openttd 0.6.2-1

Date: Wed, 13 Aug 2008 09:17:24 +0000

Source: openttd
Source-Version: 0.6.2-1

We believe that the bug you reported is fixed in the latest version of
openttd, which is due to be installed in the Debian FTP archive:

openttd_0.6.2-1.diff.gz
  to pool/contrib/o/openttd/openttd_0.6.2-1.diff.gz
openttd_0.6.2-1.dsc
  to pool/contrib/o/openttd/openttd_0.6.2-1.dsc
openttd_0.6.2-1_i386.deb
  to pool/contrib/o/openttd/openttd_0.6.2-1_i386.deb
openttd_0.6.2.orig.tar.gz
  to pool/contrib/o/openttd/openttd_0.6.2.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 493714@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthijs Kooijman <matthijs@stdin.nl> (supplier of updated openttd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 08 Aug 2008 11:07:05 +0200
Source: openttd
Binary: openttd
Architecture: source i386
Version: 0.6.2-1
Distribution: unstable
Urgency: high
Maintainer: Matthijs Kooijman <matthijs@stdin.nl>
Changed-By: Matthijs Kooijman <matthijs@stdin.nl>
Description: 
 openttd    - reimplementation of Transport Tycoon Deluxe with enhancements
Closes: 493714
Changes: 
 openttd (0.6.2-1) unstable; urgency=high
 .
   * New upstream release.
     - Fixes remote crash vulnerability CVE-2008-3547. Closes: #493714
Checksums-Sha1: 
 a7177c3ac8b54886b9c0ddcc0bb90d3fbe838635 1544 openttd_0.6.2-1.dsc
 04465c64ee43e1af7353b6d3801d79c52cf9ee30 4950519 openttd_0.6.2.orig.tar.gz
 fc0c34e028ec6032f1b8ef4f4f14f01a6d6e540c 8959 openttd_0.6.2-1.diff.gz
 fe2e8642c9fcb96a82f6e82648d18ab8f886794e 2632916 openttd_0.6.2-1_i386.deb
Checksums-Sha256: 
 cf59f62c4c257e73bc93dea3007bbd693d315c06d0929f2169e6ad09bf7c9625 1544 openttd_0.6.2-1.dsc
 d53f0eee9f7dc9f2ec51143c6ee6b87b1daa39378ffb77b8fb285bde76191207 4950519 openttd_0.6.2.orig.tar.gz
 5d37d50e5b6b9e517bf3e2a8e891979b53664140c97c94e97f5cdcb483405f43 8959 openttd_0.6.2-1.diff.gz
 a7fc246bff1d5b010fbd2c70a048c2de34da054acf75964ec6e7c57b599df729 2632916 openttd_0.6.2-1_i386.deb
Files: 
 182add99a5e0ed4089c09ab0665dbb7d 1544 contrib/games optional openttd_0.6.2-1.dsc
 7e3f577e605e24479ead594259276be9 4950519 contrib/games optional openttd_0.6.2.orig.tar.gz
 148e100075917fcfe2cab4a6a9d3f957 8959 contrib/games optional openttd_0.6.2-1.diff.gz
 f0b1363e58efa2a11b063c388e649a0c 2632916 contrib/games optional openttd_0.6.2-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJIoqStAAoJEGz0hbPcukPfRk4H/1og0lmNsOl5Z4eHlh4FhfgE
jI0YYXywpjQtFxDhRBKU+DN9+/zm4Tlf8COsZuHYCjRzW86+hVdz5o2f5uFcPSU2
J21qfFozQEHr91qFUayOJq4iKuKwNyBmwjRfOOxUqX+KYEFIcv7JCsZTNzGMGfAK
e6vijqsELYIXvo8TiAwCByDpg5NxL3j1u4JcHATtBmg8iQ3kamML4dJVE8fNWGSc
TcVag1jwjQ9T/Uyy6hNPYXlqcTQ9bZztkYYiVkjf7C9t0jbtHsLMqWo9Or+dApb7
ZULILVxBO9CEX/0RdZk6r9190UFFYtzgrwUgMmk+x3BWFdTw8apcxwEVp7pnGGc=
=2PVg
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.