Ubuntu
openttd package

Please update to 1.0.3

Bug #576396 reported by Dmitry Tantsur on 2010-05-06

278

This bug affects 4 people

Affects		Status	Importance	Assigned to	Milestone
	openttd (Ubuntu)	Fix Released	Medium	Unassigned
Nominated for Lucid by CassieMoondust

Bug Description

Binary package hint: openttd

1.0.1 (2010-05-01)
------------------------------------------------------------------------
- Fix: Crash when using restart via rcon (r19722)
- Fix: Leaking a file descriptor [CVE-2010-0406] [FS#3785] (r19695)
- Fix: Crash when the music/graphics metadata files were unreadable [FS#3774] (r19674)

1.0.1-RC2 (2010-04-22)
------------------------------------------------------------------------
- Fix: Desync when joining the game because of using the wrong variable (r19687)
- Fix: Truncated archives were not detected when using zlib 1.2.3. This also fixes zlib 1.2.4 compatibility, zlib 1.2.5 is bugfree (r19686)
- Fix: Towns with 3x3 and 2x2 road layouts could not expand (r19683)
- Fix: When joining a MP game all clients with company ID > 0 would be shown as if they were a spectator [FS#3775] (r19680)
- Fix: Client status was shown incorrect in the console (r19678)

1.0.1-RC1 (2010-04-17)
------------------------------------------------------------------------
- Feature: [NewGRF] Support for extended text code 0x9A 11, print qword (r19570)
- Feature: Give more detailed error message when trying to build a too long bridge (r19561)
- Feature: Add rail speed limit to land area information window (r19556, r19434)
- Add: [NoAI] AIRail::GetMaxSpeed(RailType) to get the speed limit of railtypes (r19591)
- Change: Sync Debian packaging updates from Debian, but keep building a single package (r19572)
- Fix: Crash of a dedicated server if the null blitter is overridden and (after a while) there is no company 0 on new year anymore [FS#3749] (r19664)
- Fix: In rare cases, update of signals could be missed (r19663)
- Fix: Various improvements of command handling, missing error messages, improper validation causing crashes [CVE-2010-0402] [FS#3748] (r19658, r19657, r19656, r19655, r19654, r19637, r19633, r19621, r19616, r19605, r19604)
- Fix: Industry generation failed for large maps and lots of industry types (r19652, r19643)
- Fix: When a company is sold, move connected clients to spectators [FS#3745] (r19651)
- Fix: A client would not be properly moved when moved while joining, e.g. when entering a company's password. This caused the client to be in the wrong company (according to the rest of the clients) and the client being kicked on the first command [FS#3760] (r19648)
- Fix: Trains loaded above the original IDs did not have a default railtypelabel assigned to them, causing them to be unavailable. Could cause desyncs if the multiplayer game was not started from a savegame [FS#3768] (r19647)
- Fix: Do not allow building cacti outside of the desert or rain forest trees outside of the rain forest area. This to prevent people from thinking planting rain forest trees makes the rain forest bigger and thus adds more place to build a lumber mill [FS#3728] (r19644, r19635, r19634)
- Fix: Desync when taking over companies (r19636)
- Fix: Chat message caused glitch when rejoining a network game [FS#3757] (r19629)
- Fix: Desync when a command is received and in the queue while a client starts joining, i.e. save the game state. This can happen in two ways: with frame_freq > 1 a command received in a previous frame might not be executed yet or when a command is received in the same frame as the join but before the savegame is made. In both cases the joining client would not get all commands to get in-sync with the server (and the other clients) (r19620)
- Fix: Company related graphs were not updated correctly after changing the company colour [FS#3763] (r19615)
- Fix: Possible invalid read when server moves client to spectators before he finishes joining [FS#3755] (r19613)
- Fix: Crash when opening a savegame with a waypoint from around 0.4.0 [FS#3756] (r19612)
- Fix: Improve joining behaviour; kicking clients when entering passwords that was just cleared, 'connection lost' for people failing the password, access restriction circumvention [CVE-2010-0401] [FS#3754] (r19610, r19609, r19608, r19607, r19606)
- Fix: Desync debugging; false positives in the cache validity checks and saving/loading the command stream (r19619, r19617, r19602, r19601, r19600, r19596, r19593, r19592, r19589, r19587, r19586)
- Fix: Presence of online content was not properly updated after download due to duplicate slashes in the path (r19600)
- Fix: [NewGRF] Setting industry prop 0x24 to 0 caused empty station names (r19590)
- Fix: Crash when pressing 'h' (non-stop) in the order window of a ship or aircraft [FS#3744] (r19584)
- Fix: Graphs were not properly updated when going toggling keys (i.e. companies) (r19574)
- Fix: The timetable button was not automatically raised [FS#3739] (r19571)
- Fix: [NewGRF] Possible buffer underflow in NewGRF string code (r19569)
- Fix: [NewGRF] Do not return a random colour for unowned industries in var 45; TTDPatch does not seem to set the colour data in that case either and it could lead to desyncs (r19566)
- Fix: Window::OnResize() was not always called while resizing a window causing incorrect windows [FS#3730] (r19563, r19558)
- Fix: Bridge build error message should not show the same message twice (r19560, r19559)
- Fix: [NewGRF] During NewGRF loading, store rail type labels in temporary data and process after loading has finished. This avoids deactivated rail vehicles being reactivated if the climate property is set after the rail type property (r19557, r19502)
- Fix: Improperly scaled cargo payment graph when having lots of cargo (r19550, 19543)
- Fix: [NewGRF] Properties set before property 08 (house, industry, industry tiles) should be ignored, not trigger the NewGRF to be disabled [FS#3725] (r19547)
- Fix: Sorting industries by production was broken for NewGRF industries (r19538)
- Fix: Vehicle details window did not resize correctly after refitting a road vehicle to a longer variant [FS#3720] (r19533)
- Fix: Prevent drawing industries disabled at the smallmap as land tiles when they are built on water (r19523)
- Fix: Tunnels, bridges and roadstops are build with only one roadtype (r19506)
- Fix: Remove same_industry_close setting did not do what it said and caused NewGRF trouble (r19499)
- Fix: Keep number padding intact when cloning vehicle names [FS#3710] (r19498)
- Fix: [NewGRF] Bytes and words get sign-extended for temporary/persistent storage (r19497)
- Fix: Stop reducing the size of the vehicle list after selecting a vehicle with a long description (r19480)
- Fix: Implement custom sound effect for helicopter take-off [FS#3668] (r19364)
- Update: Plural type of Slovak (r19452)

Security reports from security.openttd.org:
CVE-2010-0406 Denial of service (server) via leaking file descriptors 0.3.5 1.0.1
CVE-2010-0402 Denial of service via improperly validated commands 0.3.5 1.0.1
CVE-2010-0401 Access restriction circumvention, remote crash 0.3.5 1.0.1

CVE References

Dmitry Tantsur (divius) on 2010-05-06

visibility:

private → public

Revision history for this message

CassieMoondust (cassie-lx) wrote on 2010-05-14:

Please update openttd to the maintanance release 1.0.1.
It fixes several security issues and bugs. Update is urgent recommended.

Thank you.

Revision history for this message

Marc Deslauriers (mdeslaur) wrote on 2010-05-17:

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in openttd (Ubuntu):
status:	New → Confirmed
importance:	Undecided → Medium

Revision history for this message

Dmitry Tantsur (divius) wrote on 2010-05-28: Re: Please update to 1.0.1

Package for Lucid is ready in my ppa: https://launchpad.net/~divius/+archive/ppa/+packages

Revision history for this message

Matthijs Kooijman (matthijskooijman) wrote on 2010-08-06:

Note that 1.0.1 is affected by CVE-2010-2534, while 1.0.0 is not. So the patch for that CVE should either be backported to 1.0.1, or lucid should be updated to 1.0.3.

See http://security.openttd.org/en/CVE-2010-2534 for details and a patch.

Revision history for this message

Dmitry Tantsur (divius) wrote on 2010-08-06:

1.0.3 for Lucid is ready in my ppa: https://launchpad.net/~divius/+archive/ppa/+packages

summary:

- Please update to 1.0.1
+ Please update to 1.0.3

Revision history for this message

Dmitry Tantsur (divius) wrote on 2010-08-06:

Download full text (9.5 KiB)

ChangeLog 1.0.1 -> 1.0.3:

1.0.3 (2010-08-01)
------------------------------------------------------------------------
- Fix: Make it possible to properly assess the length of the rail toolbar caption, don't require '{WHITE}' control codes (r20242)
- Fix: Check for disallowed level crossings also when converting rail (r20237)
- Fix: Haiku uses a 'special' location for headers (r20219)
- Fix: Desync due to (temporary) wrong railtype; when loading a savegame the railtype of some (high ID) trains could be wrong [FS#3945] (r20137)

1.0.3-RC1 (2010-07-17)
------------------------------------------------------------------------
- Feature: [NewGRF] Textstack support for CB 38 (r20086)
- Feature: [NewGRF] Add a railtype flag to disallow level crossings per railtype (r20049)
- Change: Improve desync debugging, crash log data and the Debian packaging (by making a debug symbols package) (r20138, r20136, r20129)
- Fix: Do not scan /data and ~/data (if they happen to be your working directory). If it is the directory where your binary is located it will still scan them [FS#3949] (r20166)
- Fix: Integer comparison failed in case the difference was more than 'MAX_UINT'/2 [FS#3954] (r20162)
- Fix: [YAPP] Converting a one-way block to a path signal with trains on both sides could lead to a train crash [FS#3937] (r20156)
- Fix: [NewGRF] Improve handling of snowing of railtypes and (infra)structures on foundations [FS#3883] (r20153, r20132, r20126, r20125)
- Fix: Ships were not marked as dirty when stopping inside a depot [FS#3880] (r20142)
- Fix: Some windows ignored all hotkeys [FS#3902] (r20141, r20140, r20139)
- Fix: Do not allow building a rail track to the water using a tree-tile [FS#3695] (r20110)
- Fix: [NoAI] AITown::GetRating() returned wrong values [FS#3934] (r20103)
- Fix: Reading deleted memory when selecting a NewGRF in the content download window of which the data has not been acquired from the content server. The crash would occur after the content server's reply was processed and the ContentInfo object was replaced with another [FS#3899] (r20089, r20082)
- Fix: If after loading a savegame (including intro game) one tried to save a game (including autosave) and that failed (very) early on because it could not open the file for writing all pointers would be converted to NULLs which then causes corrupted game states [FS#3876, FS#3887, FS#3920, FS#3923] (r20087)
- Fix: gitignore and hgignore had more missing/wrong entries (r20078, r20033, r20031)
- Fix: Remove the space between 'open' and 'ttd' in the title screen (r20077)
- Fix: Road vehicles could get crashed twice in a tick [FS#3896] (r20053, r20034)
- Fix: Coloured_news_year was stored in savegames while it should be a client setting [FS#3916] (r20051)
- Fix: Crash when spectator tried to open a vehicle list without selecting any company [FS#3892] (r20041)
- Fix: Instead of loading the intro game when loading a savegame fails on the dedicated server, generate a new game [FS#3907] (r20039)
- Fix: Tram tracks did not show at level crossing with the new railtypes [FS#3911] (r20036)
- Fix: Under some circumstances you could get into an infinite loop [CVE-2010-2534] [FS#3909] (r20035)
- Fix: The 64...

ChangeLog 1.0.1 -> 1.0.3:

1.0.2 (2010-06-19)
------------------------------------------------------------------------
- Fix: Owner of the Waypoint View window was not properly set (r19990)
- Fix: Close list of vehicles with given oil rig in orders when the oil rig is deleted (r19956)
- Fix: Close list of vehicles with given buoy/oil rig in orders when switching company (r19955)
- Fix: Do not close list of waypoint's trains when the waypoint view is closed when it is sticky (r19952)
- Fix: Close buoy's vehicle list when the buoy is deleted [FS#3869] (r19951)

1.0.2-RC1 (2010-06-05)
------------------------------------------------------------------------
- Feature: Translated desktop shortcut comments (r19884)
- Fix: When 'pause on new game' is set, pause the game before CleanupGeneration() to avoid conflicts with concurrent GUI code [FS#3857] (r19934)
- Fix: Pay for the rail/road when constructing tunnels, bridges, depots and stations [FS#3859, FS#3827] (r19925, r19887, r19881)
- Fix: Closing chatbox could cause glitches when news message was shown [FS#3865] (r19921)
- Fix: [YAPP] Inform the pathfinder as well about the fact that the backside of an one-way path signal can be a safe waiting point [FS#3803] (r19896)
- Fix: Allow loading savegames from the console without specifying the '.sav' extension, i.e. make it consistent with saving savegames from the console [FS#3761] (r19885)
- Fix: Dropdowns did affect positioning of new windows because they were not yet removed when the new windows were positioned [FS#3812] (r19883)
- Fix: [NoAI] AIEngine::IsValidEngine() and AIEngine::IsBuildable() returned false positives. Especially wagons of unavailable railtypes were reported available (r19880)
- Fix: Default vehicle group texts were drawn one pixel too low [FS#3851] (r19878)
- Fix: It was not possible to send all trains with common waypoint order to depot (r19876)
- Fix: Compilation for NetBSD [FS#3809, FS#3840, FS#3845] (r19874, r19859, r19853, r19781)
- Fix: If the (guessed initial) destination tile of a road vehicle was not a road stop but was a T-junction or turn, the road vehicles would jump around in circles [FS#3817] (r19873)
- Fix: When a network connection gets lost and a game with AIs was loaded the client might crash due to the AIs not being loaded while the game loop is executed [FS#3819] (r19869)
- Fix: Use non-breaking spaces for currency pre-/postfixes (r19867)
- Fix: Crash when changing/viewing locale settings in the console [FS#3830] (r19865, r19864, r19863, r19862)
- Fix: Drawing fallback sprites for unavailable NewGRF waypoints failed (r19852)
- Fix: Ensure that both texts of the NewGRF gui download button fit (r19823)
- Fix: Kicking clients by IP did not work [FS#3784] (r19818)
- Fix: Compilation with MinGW GCC 4.5.0 and UNICODE (r19787)
- Fix: If a waypoint is immediately followed by a path signal a reservation would be made from that path signal before the waypoint is marked passed. As a result the order to go to the waypoint is used to reserve the path after the waypoint and as such trains get lost [FS#3770] (r19784)
- Fix: NULL pointer deference when testing relative scope *action2 on an unbuilt engine [FS#3828] (r19782)
- Fix: Crash on too long paths [FS#3807] (r19780, r19779, r19778, r19777, r19776)
- Fix: MP_VOID tiles shall have no tropic zone [FS#3820] (r19769)
- Fix: Half-desert tiles would never revert back to clear tiles (r19768)
- Fix: Height in smallmap was different from measured heights [FS#3808] (r19767)
- Fix: [NewGRF] Vehicle var 43 missed AI information in purchase list (r19761)
- Fix: Blocked roadvehicles should first check whether they are still blocked before accelerating again, instead of continuous starting/stopping (r19755)
- Fix: Try harder to find a suitable font that can be loaded, i.e. while searching for a suitable font test whether you can open it [FS#3740] (r19753)
- Fix: Make sure the chat area fits in the default window size; if you want it larger, you can always change/override it in the config file [FS#3798] (r19751)
- Fix: [NewGRF] Industry var 0x43 is not 'safe' during callbacks 22 and 38 either (r19750)
- Fix: [NewGRF] Possible divide-by-zero if a NewGRF checked industry var 42 while the production level was 0 (r19749)
- Fix: Do not recenter usually centered windows when resizing main window or changing language, if they have been moved/resized before [FS#3675] (r19746)
- Fix: The GUI is controlled by _local_company, not _current_company (r19745)
- Fix: NewGRFs could access map bits of not yet constructed industries and houses during construction callbacks (r19748, r19743)
- Fix: [NewGRF] Passing some invalid data to industry variable 67/68 could cause a crash (r19713)
- Fix: Check for industry availability more thoroughly and cancel object placement when selecting not available industries [FS#3787] (r19701)
- Fix: Avoid showing building toolbars behind the main toolbar when the 'Link landscape toolbar' setting is active [FS#3781] (r19696)
- Fix: Under some circumstances the player's name could be empty (r19693)
- Fix: Do not show an error message when trying to give another client an amount of 0 money [FS#3779] (r19684)
- Fix: Do not display an error message when double clicking on a vehicle in the 'available vehicles'-window (r19669)
- Change: Name invalid engines, cargos and industries 'invalid', if the player removed the supplying NewGRFs, hide invalid engines from the purchase list (r19879, r19877)

Revision history for this message

Alessio Treglia (quadrispro) wrote on 2010-09-08:

Available in Maverick. Closing.

Changed in openttd (Ubuntu):
status:	Confirmed → Fix Released

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntuopenttd package

Please update to 1.0.3

Bug Description

CVE References

Other bug subscribers

Remote bug watches

Ubuntu
openttd package