
List:       oss-security
Subject:    Re: [oss-security] CVE id request: openttd
From:       "Steven M. Christey" <coley () linus ! mitre ! org>
Date:       2008-08-07 20:42:47
Message-ID: Pine.GSO.4.51.0808071642120.25461 () faron ! mitre ! org


On Mon, 4 Aug 2008, Nico Golde wrote:

> "OpenTTD servers of version 0.6.1 and below are susceptible to a remotely
> exploitable buffer overflow when the server is filled with companies and
> clients with names that are (near) the maximum allowed length for names.
> In the worst case OpenTTD will write the following (mostly remotely
> changeable bytes) into 1460 bytes of malloc-ed memory:
> up to 11 times (amount of players) 118 bytes
> up to 8 times (amount of companies) 124 bytes
> and 7 "header" bytes
> Resulting in up to 2297 bytes being written in 1460 bytes of malloc-ed
> memory. This makes it possible to remotely crash the game or change the
> gamestate into an unrecoverable state."
>
> This is Debian bug #493714.

Use CVE-2008-3547 (to be updated later) for this issue, as reported.

If Secunia wound up reporting a distinct bug, that would need an
additional CVE.

- Steve
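
The size mismatch in the quoted advisory, as an added example that is not part of the original message and is not OpenTTD's code: a packet writer that checks every append against the 1460-byte capacity, so the 2297-byte worst case is refused instead of written past the allocation. The struct, function names and filler records are hypothetical; only the sizes come from the advisory.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PACKET_CAP    1460  /* malloc-ed size quoted in the advisory */
#define HEADER_BYTES  7
#define CLIENT_BYTES  118   /* worst-case bytes per player entry */
#define COMPANY_BYTES 124   /* worst-case bytes per company entry */

/* Hypothetical packet writer: tracks the write offset against the capacity. */
struct packet {
    uint8_t buf[PACKET_CAP];
    size_t  len;
    int     overflowed;     /* sticky flag: a write was refused */
};

/* Append n bytes only if they fit; otherwise refuse and mark the packet. */
static int packet_put(struct packet *p, const void *src, size_t n)
{
    if (p->overflowed || n > PACKET_CAP - p->len) {
        p->overflowed = 1;
        return -1;
    }
    memcpy(p->buf + p->len, src, n);
    p->len += n;
    return 0;
}

/* Bytes the reply needs for the given counts (sizes from the advisory). */
static size_t reply_size(size_t clients, size_t companies)
{
    return HEADER_BYTES + clients * CLIENT_BYTES + companies * COMPANY_BYTES;
}

/* Build a reply from constructed filler records; 0 on success, -1 if it would overflow. */
static int build_reply(struct packet *p, size_t clients, size_t companies)
{
    static const uint8_t filler[COMPANY_BYTES] = {0};
    size_t i;

    p->len = 0;
    p->overflowed = 0;
    packet_put(p, filler, HEADER_BYTES);
    for (i = 0; i < clients; i++)
        packet_put(p, filler, CLIENT_BYTES);
    for (i = 0; i < companies; i++)
        packet_put(p, filler, COMPANY_BYTES);
    return p->overflowed ? -1 : 0;
}
```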