[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: Re: [oss-security] CVE id request: openttd
From: Robert Buchholz <rbu () gentoo ! org>
Date: 2008-08-05 3:22:37
Message-ID: 200808050522.40342.rbu () gentoo ! org
[Download RAW message or body]
On Monday 04 August 2008, Nico Golde wrote:
> "OpenTTD servers of version 0.6.1 and below are susceptible to a
> remotely exploitable buffer overflow when the server is filled with
> companies and clients with names that are (near) the maximum allowed
> length for names. In the worst case OpenTTD will write the following
> (mostly remotely changable bytes) into 1460 bytes of malloc-ed
> memory:
> up to 11 times (amount of players) 118 bytes
> up to 8 times (amount of companies) 124 bytes
> and 7 "header" bytes
> Resulting in up to 2297 bytes being written in 1460 bytes of
> malloc-ed memory. This makes it possible to remotely crash the game
> or change the gamestate into an unrecoverable state. "
>
> This is Debian bug #493714.
>
> I didn't yet have the time to check the diff between the versions.
Secunia interpreted [1] the "remotely exploitable buffer overflows"
mentioned in the changelog [2] to be a "boundary error within
the "TruncateString()" function in src/gfx.cpp". This would be the
following patch [3]. However, this would overwrite the buffer by max. 2
bytes, and does not match your bug description too well. Is this maybe
r13712 [4] ?
Robert
[1] http://secunia.com/advisories/31350/
[2] http://sourceforge.net/project/shownotes.php?release_id=617243
[3] https://bugs.gentoo.org/attachment.cgi?id=162239
[4] svn diff -c 13712 svn://svn.openttd.org/trunk
["signature.asc" (application/pgp-signature)]
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic