Openwall Project   /home  Owl  JtR  Pro  crypt  pam_passwdqc  tcb  phpass  scanlogd  popa3d  msulogin  /  Linux  BIND  /  advisories  presentations  /  services  donations  /  wordlists  passwords  /  news  community  lists  wiki  CVSweb  mirrors  signatures
bringing security into open environments
 
Password Recovery Resources on the Net
[<prev] [next>] [<thread-prev] [month] [year] [list] 
Date: Thu, 7 Aug 2008 16:42:47 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE id request: openttd


On Mon, 4 Aug 2008, Nico Golde wrote:

> "OpenTTD servers of version 0.6.1 and below are susceptible to a remotely
> exploitable buffer overflow when the server is filled with companies and
> clients with names that are (near) the maximum allowed length for names.
> In the worst case OpenTTD will write the following (mostly remotely
> changable bytes) into 1460 bytes of malloc-ed memory:
> up to 11 times (amount of players) 118 bytes
> up to 8 times (amount of companies) 124 bytes
> and 7 "header" bytes
> Resulting in up to 2297 bytes being written in 1460 bytes of malloc-ed
> memory. This makes it possible to remotely crash the game or change the
> gamestate into an unrecoverable state.  "
>
> This is Debian bug #493714.

Use CVE-2008-3547 (to be updated later) for this issue, as reported.

If Secunia wound up reporting a distinct bug, that would need an
additional CVE.

- Steve

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Hosted by DataForce ISP - Powered by Openwall GNU/*/Linux