CVE-2008-3547: Network exploitable buffer overrun in openttd < 0.6.2
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| openttd (Debian) |
Fix Released
|
Unknown
|
|||
| openttd (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
| Hardy |
Won't Fix
|
Undecided
|
Unassigned | ||
Bug Description
Binary package hint: openttd
From the Debian bug:
OpenTTD servers of version 0.6.1 and below are susceptible to a remotely
exploitable buffer overflow when the server is filled with companies and
clients with names that are (near) the maximum allowed length for names.
In the worst case OpenTTD will write the following (mostly remotely
changable bytes) into 1460 bytes of malloc-ed memory:
up to 11 times (amount of players) 118 bytes
up to 8 times (amount of companies) 124 bytes
and 7 "header" bytes
Resulting in up to 2297 bytes being written in 1460 bytes of malloc-ed
memory. This makes it possible to remotely crash the game or change the
gamestate into an unrecoverable state.
There are three ways of fixing this:
- upgrading to 0.6.2.
- backporting the bugfixes to 0.6.1 and make a network-
of OpenTTD which makes it impossible to participate in multiplayer games
with both Debian and non-Debian users.
- increase the allocation size, which will make it even network incompatible
with itself.
I'm not sure what, if anything, we want to do about this.
| Chris Halse Rogers (raof) wrote | #1 |
| Changed in openttd: | |
| status: | New → Fix Released |
| Changed in openttd: | |
| status: | Unknown → Fix Released |
| Daniel T Chen (crimsun) wrote | #2 |
| Rolf Leggewie (r0lf) wrote | #3 |
| Changed in openttd (Ubuntu Hardy): | |
| status: | New → Won't Fix |
Intrepid has 0.6.2