Public bug reported:

Binary package hint: openttd

From the Debian bug:

OpenTTD servers of version 0.6.1 and below are susceptible to a remotely exploitable buffer overflow when the server is filled with companies and clients with names that are (near) the maximum allowed length for names.

In the worst case OpenTTD will write the following (mostly remotely changeable bytes) into 1460 bytes of malloc-ed memory:
  up to 11 times (amount of players) 118 bytes
  up to 8 times (amount of companies) 124 bytes
  and 7 "header" bytes
Resulting in up to 2297 bytes being written in 1460 bytes of malloc-ed memory. This makes it possible to remotely crash the game or change the gamestate into an unrecoverable state.

There are three ways of fixing this:
- upgrading to 0.6.2.
- backporting the bugfixes to 0.6.1 and making a network-incompatible version of OpenTTD which makes it impossible to participate in multiplayer games with both Debian and non-Debian users.
- increase the allocation size, which will make it even network incompatible with itself.

I'm not sure what, if anything, we want to do about this.

** Affects: openttd (Ubuntu)
   Importance: Undecided
   Status: Fix Released

** Affects: openttd (Ubuntu Hardy)
   Importance: Undecided
   Status: New

** Affects: openttd (Debian)
   Importance: Unknown
   Status: Unknown

--
CVE-2008-3547: Network exploitable buffer overrun in openttd < 0.6.2
https://bugs.launchpad.net/bugs/261373
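The size check the report implies, as an added example that is not part of the original bug report or OpenTTD's code: a bounds-checked writer over the 1460-byte buffer, fed the worst case described above. The names `pkt_put`, `build_info` and `bytes_needed`, the filler data and the record order (header, players, companies) are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Sizes quoted in the report. */
#define PKT_SIZE      1460
#define HDR_BYTES     7
#define CLIENT_BYTES  118
#define COMPANY_BYTES 124

struct pkt { unsigned char buf[PKT_SIZE]; size_t len; };

/* Append n bytes only if they fit; 0 on success, -1 if refused. */
static int pkt_put(struct pkt *p, const void *src, size_t n)
{
    if (n > PKT_SIZE - p->len)   /* len never exceeds PKT_SIZE, so no wrap */
        return -1;
    memcpy(p->buf + p->len, src, n);
    p->len += n;
    return 0;
}

/* Bytes an unchecked writer would emit for this many records. */
static size_t bytes_needed(size_t clients, size_t companies)
{
    return HDR_BYTES + clients * CLIENT_BYTES + companies * COMPANY_BYTES;
}

/* Serialize constructed filler records (hypothetical layout: header,
 * then players, then companies); returns how many records were refused. */
static int build_info(struct pkt *p, int clients, int companies)
{
    static const unsigned char filler[COMPANY_BYTES] = {0};
    int refused = 0, i;

    p->len = 0;
    if (pkt_put(p, filler, HDR_BYTES) != 0) return -1;
    for (i = 0; i < clients; i++)
        refused += (pkt_put(p, filler, CLIENT_BYTES) != 0);
    for (i = 0; i < companies; i++)
        refused += (pkt_put(p, filler, COMPANY_BYTES) != 0);
    return refused;
}

int main(void)
{
    struct pkt p;
    /* Worst case from the report: 11 players, 8 companies. */
    return (bytes_needed(11, 8) > PKT_SIZE && build_info(&p, 11, 8) == 7) ? 0 : 1;
}
```

With the check in place the worst case stops at the buffer boundary and the caller learns that records were refused, instead of the writer running past the allocation.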