[<prev] [next>] [<thread-prev] [thread-next>] [month] [year] [list]
Date: Tue, 5 Aug 2008 05:22:37 +0200
From: Robert Buchholz <rbu@...too.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE id request: openttd
On Monday 04 August 2008, Nico Golde wrote:
> "OpenTTD servers of version 0.6.1 and below are susceptible to a
> remotely exploitable buffer overflow when the server is filled with
> companies and clients with names that are (near) the maximum allowed
> length for names. In the worst case OpenTTD will write the following
> (mostly remotely changable bytes) into 1460 bytes of malloc-ed
> memory:
> up to 11 times (amount of players) 118 bytes
> up to 8 times (amount of companies) 124 bytes
> and 7 "header" bytes
> Resulting in up to 2297 bytes being written in 1460 bytes of
> malloc-ed memory. This makes it possible to remotely crash the game
> or change the gamestate into an unrecoverable state. "
>
> This is Debian bug #493714.
>
> I didn't yet have the time to check the diff between the versions.
Secunia interpreted [1] the "remotely exploitable buffer overflows"
mentioned in the changelog [2] to be a "boundary error within
the "TruncateString()" function in src/gfx.cpp". This would be the
following patch [3]. However, this would overwrite the buffer by max. 2
bytes, and does not match your bug description too well. Is this maybe
r13712 [4] ?
Robert
[1] http://secunia.com/advisories/31350/
[2] http://sourceforge.net/project/shownotes.php?release_id=617243
[3] https://bugs.gentoo.org/attachment.cgi?id=162239
[4] svn diff -c 13712 svn://svn.openttd.org/trunk
[ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Hosted by DataForce ISP -
Powered by Openwall GNU/*/Linux