diff -u alien-arena-7.0/debian/changelog alien-arena-7.0/debian/changelog --- alien-arena-7.0/debian/changelog +++ alien-arena-7.0/debian/changelog @@ -1,3 +1,12 @@ +alien-arena (7.0-1+lenny2) stable-proposed-updates; urgency=high + + * Non-maintainer upload. + * Fix a client buffer overflow vulnerability. + * Fix a server denial-of-service issue: clients were able crash the server + with a malformed "download" command (closes: #575621). + + -- Michael Gilbert Sun, 18 Apr 2010 18:31:52 -0400 + alien-arena (7.0-1+lenny1) stable-proposed-updates; urgency=low * Non-maintainer upload by the security team. diff -u alien-arena-7.0/debian/patches/series alien-arena-7.0/debian/patches/series --- alien-arena-7.0/debian/patches/series +++ alien-arena-7.0/debian/patches/series @@ -8,0 +9,2 @@ +fix-server-dos.patch +fix-client-buffer-overflow.patch only in patch2: unchanged: --- alien-arena-7.0.orig/debian/patches/fix-server-dos.patch +++ alien-arena-7.0/debian/patches/fix-server-dos.patch @@ -0,0 +1,35 @@ +Index: source/server/sv_user.c +Description: the server can be crashed from clients executing malformed download commands. this patch fixes that. +=================================================================== +--- a/source/server/sv_user.c (revision 1684) ++++ b/source/server/sv_user.c (revision 1685) +@@ -323,6 +323,7 @@ + extern cvar_t *allow_download_sounds; + extern cvar_t *allow_download_maps; + extern int file_from_pak; // ZOID did file come from pak? ++ int name_length; // For getting the final character. + int offset = 0; + + name = Cmd_Argv(1); +@@ -333,6 +334,10 @@ + // hacked by zoid to allow more conrol over download + // first off, no .. or global allow check + if (strstr (name, "..") || !allow_download->value ++ // prevent config downloading on Win32 systems ++ || name[0] == '\\' ++ // negative offset causes crashing ++ || offset < 0 + // leading dot is no good + || *name == '.' + // leading slash bad as well, must be in subdir +@@ -354,6 +359,10 @@ + return; + } + ++ // If the name ends in a slash or dot, hack it off. Continue to do so just ++ // in case some tricky fellow puts multiple slashes or dots. ++ while (name[(name_length = strlen(name))] == '.' || name[name_length] == '/' ) ++ name[name_length] = '\0'; + + if (sv_client->download) + FS_FreeFile (sv_client->download); only in patch2: unchanged: --- alien-arena-7.0.orig/debian/patches/fix-client-buffer-overflow.patch +++ alien-arena-7.0/debian/patches/fix-client-buffer-overflow.patch @@ -0,0 +1,15 @@ +Description: fix a client buffer overflow +diff -up alienarena-7.33/source/client/menu.c.BAD alienarena-7.33/source/client/menu.c +--- alienarena-7.33/source/client/menu.c.BAD 2010-04-06 11:12:38.098874822 -0400 ++++ alienarena-7.33/source/client/menu.c 2010-04-06 11:15:46.511873232 -0400 +@@ -6119,7 +6119,9 @@ qboolean PlayerConfig_MenuInit( void ) + if ( hand->value < 0 || hand->value > 2 ) + Cvar_SetValue( "hand", 0 ); + +- strcpy( currentdirectory, skin->string ); ++ Q_strncpyz( currentdirectory, Cvar_VariableString ("skin"), sizeof(currentdirectory)-1); ++ // Richard Stanway's Q1 code says there is a buffer overflow here. ++ // strcpy( currentdirectory, skin->string ); + + if ( strchr( currentdirectory, '/' ) ) + {