Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192983
Summary: Remote termination security issue
Product: Fedora Extras
Version: fc5
Platform: All
URL: http://www.securityfocus.com/archive/1/434908/30/0/threaded
OS/Version: Linux
Status: NEW
Severity: normal
Priority: normal
Component: netpanzer
AssignedTo: hugo@devin.com.br
ReportedBy: tibbs@math.uh.edu
QAContact: extras-qa@fedoraproject.org
CC: extras-qa@fedoraproject.org,fedora-security-list@redhat.com
The netPanzer server is subject to a DOS; it can be made to crash remotely.
Versions 0.8 and lower are vulnerable.
http://www.securityfocus.com/archive/1/434908/30/0/threaded
A CVE has not yet been assigned for this issue.
------- Additional Comments From jkosin@beta.intcomgrp.com 2006-05-24 13:11 EST -------
I'm not sure if I'd call a game that terminates unexpectedly a security risk.
But, to fix we should probably find out what values for FrameNum are acceptable and who is causing the problem to fail the ASSERT().
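The fix direction raised in the comment above, shown as an added example that is not part of the original thread and not netPanzer's code: an index that arrives from the network is validated where the packet is parsed, so an out-of-range value is rejected instead of tripping an assertion. The `Surface` type, the function names, the limit `kFrameCount` and the packet layout are all hypothetical.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>

// Assumed limit for this sketch; the thread does not say which values are valid.
constexpr std::size_t kFrameCount = 8;

struct Surface {
    std::size_t frame = 0;

    // "Before" shape: an assertion guards the index. If a remote peer can
    // choose frameNum, a debug build aborts here, and a build with NDEBUG
    // defined skips the check entirely.
    void setFrameAsserting(std::size_t frameNum) {
        assert(frameNum < kFrameCount);
        frame = frameNum;
    }

    // "After" shape: report the bad value to the caller instead of aborting.
    bool setFrameChecked(std::size_t frameNum) {
        if (frameNum >= kFrameCount) return false;
        frame = frameNum;
        return true;
    }
};

enum class PacketResult { Accepted, Truncated, BadFrame };

// Constructed wire format: 1-byte opcode, then a 2-byte big-endian frame number.
PacketResult handleFlagPacket(const std::uint8_t* buf, std::size_t len, Surface& s) {
    if (buf == nullptr || len < 3) return PacketResult::Truncated;
    const std::size_t frameNum = (static_cast<std::size_t>(buf[1]) << 8) | buf[2];
    // Validate at the network boundary; the server drops the packet and keeps running.
    return s.setFrameChecked(frameNum) ? PacketResult::Accepted : PacketResult::BadFrame;
}
```

Assertions remain appropriate for internal invariants that no remote input can reach.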
------- Additional Comments From tibbs@math.uh.edu 2006-05-24 13:17 EST -------
(In reply to comment #1)
> I'm not sure if I'd call a game that terminates unexpectedly a security risk.
Any less than we'd call a web server that terminates unexpectedly a security risk? But hey, if folks want to agree that we don't add remote termination issues for "noncritical" applications (along with a definition of just what is considered noncritical) then I'll abide by that. Does the perception change if a CVE is issued?
------- Additional Comments From hugo@devin.com.br 2006-05-24 17:37 EST -------
Any fixes would be good to include. I'm currently watching this issue, as I am not a good programmer, I can't look at the source code at the time. However I'll try to make some efforts on this. If you have any updates, tell me. Regarding bug #192990, I'll look, make a patch from svn and update the release. Thanks for the attention.
Summary: CVE-2006-2575 Remote termination security issue
bressers@redhat.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Remote termination security |CVE-2006-2575 Remote
                   |issue                       |termination security issue
------- Additional Comments From j.w.r.degoede@hhs.nl 2006-06-06 14:16 EST -------
Created an attachment (id=130628)
 --> (https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=130628&action=vie...)
Patch fixing this CVE
Since no-one else was doing it I've taken a look at this, with as a result the attached patch which fixes this.
I confirmed the crash with the exploit given in the URL above, and checked that it no longer crashes with this patch.
I however did not check if this influences play in any way, someone who actually plays the game should test this, especially the flag selection for a player. Although I believe that there should be no influence.
p.s.
What's going on with getting the fix for the other vulnerability from SVN?
hugo@devin.com.br changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CLOSED
         Resolution|                            |CURRENTRELEASE
   Fixed In Version|                            |0.8-4
------- Additional Comments From hugo@devin.com.br 2006-06-09 11:44 EST -------
Thanks Hans, I've applied your patch and it works fine! (Tested too)
hugo@devin.com.br changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CLOSED
         Resolution|                            |CURRENTRELEASE
   Fixed In Version|                            |0.8-4
------- Additional Comments From hugo@devin.com.br 2006-06-14 09:17 EST -------
Package fixed. Closing. Thanks!