[Pkg-freeciv-devel] Bug#381378: CVE-2006-3913: arbitrary code
execution in freeciv
Martin Schulze
joey at infodrom.org
Fri Aug 4 04:58:24 UTC 2006
Stefan Fritsch wrote:
> Package: freeciv
> Severity: grave
> Tags: security
> Justification: user security hole
>
> CVE-2006-3913:
> "Buffer overflow in Freeciv 2.1.0-beta1 and earlier, and SVN 15 Jul
> 2006 and earlier, allows remote attackers to cause a denial of service
> (crash) and possibly execute arbitrary code via a (1) negative
> chunk_length or a (2) large chunk->offset value in a
> PACKET_PLAYER_ATTRIBUTE_CHUNK packet in the
> generic_handle_player_attribute_chunk function in common/packets.c,
> and (3) a large packet->length value in the handle_unit_orders
> function in server/unithand.c."
>
> Please mention the CVE-id in the changelog.
Attached please find the patch sent to the maintainer already.
Regards,
Joey
--
In the beginning was the word, and the word was content-type: text/plain
Please always Cc to me when replying to me on the lists.
-------------- next part --------------
#! /bin/sh /usr/share/dpatch/dpatch-run
## 04_CVE-2006-3913.dpatch by Joey Schulze <joey at debian.org>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Fix DoS due to missing boundary checks
@DPATCH@
diff -u -p -Nr --exclude CVS freeciv-2.0.1.orig/common/packets.c freeciv-2.0.1/common/packets.c
--- freeciv-2.0.1.orig/common/packets.c 2006-07-28 16:48:40.000000000 +0200
+++ freeciv-2.0.1/common/packets.c 2006-07-28 16:55:23.000000000 +0200
@@ -573,6 +573,8 @@ void generic_handle_player_attribute_chu
packet_player_attribute_chunk
*chunk)
{
+ if (chunk->total_length < 0)
+ return;
/* first one in a row */
if (chunk->offset == 0) {
if (pplayer->attribute_block.data) {
diff -u -p -Nr --exclude CVS freeciv-2.0.1.orig/server/unithand.c freeciv-2.0.1/server/unithand.c
--- freeciv-2.0.1.orig/server/unithand.c 2005-04-01 06:19:35.000000000 +0200
+++ freeciv-2.0.1/server/unithand.c 2006-07-28 17:03:29.000000000 +0200
@@ -1602,7 +1602,7 @@ void handle_unit_orders(struct player *p
struct unit *punit = player_find_unit_by_id(pplayer, packet->unit_id);
int i;
- if (!punit || packet->length < 0 || punit->activity != ACTIVITY_IDLE) {
+ if (!punit || packet->length < 0 || packet->length > MAX_LEN_ROUTE || punit->activity != ACTIVITY_IDLE) {
return;
}
More information about the Pkg-freeciv-devel
mailing list