rpms/alienarena/F-11 alienarena-7.33-R1-client-buffer-overflow.patch, NONE, 1.1 alienarena-security-sv_user-fix.patch, NONE, 1.1 alienarena.spec, 1.16, 1.17
Tom Callaway
spot at fedoraproject.org
Tue Apr 6 16:02:17 UTC 2010
- Previous message: rpms/upower/F-13 .cvsignore, 1.2, 1.3 sources, 1.2, 1.3 upower.spec, 1.1, 1.2
- Next message: rpms/alienarena/F-12 alienarena-7.33-R1-client-buffer-overflow.patch, NONE, 1.1 alienarena-security-sv_user-fix.patch, NONE, 1.1 alienarena.spec, 1.16, 1.17
Author: spot
Update of /cvs/pkgs/rpms/alienarena/F-11
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv29298/F-11
Modified Files:
alienarena.spec
Added Files:
alienarena-7.33-R1-client-buffer-overflow.patch
alienarena-security-sv_user-fix.patch
Log Message:
security fixes
alienarena-7.33-R1-client-buffer-overflow.patch:
menu.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- NEW FILE alienarena-7.33-R1-client-buffer-overflow.patch ---
diff -up alienarena-7.33/source/client/menu.c.BAD alienarena-7.33/source/client/menu.c
--- alienarena-7.33/source/client/menu.c.BAD 2010-04-06 11:12:38.098874822 -0400
+++ alienarena-7.33/source/client/menu.c 2010-04-06 11:15:46.511873232 -0400
@@ -6119,7 +6119,9 @@ qboolean PlayerConfig_MenuInit( void )
if ( hand->value < 0 || hand->value > 2 )
Cvar_SetValue( "hand", 0 );
- strcpy( currentdirectory, skin->string );
+ Q_strncpyz( currentdirectory, Cvar_VariableString ("skin"), sizeof(currentdirectory)-1);
+ // Richard Stanway's Q1 code says there is a buffer overflow here.
+ // strcpy( currentdirectory, skin->string );
if ( strchr( currentdirectory, '/' ) )
{
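Review bot: the size argument on the `Q_strncpyz` line is worth checking against the helper's contract: the usual Quake II `Q_strncpyz(dest, src, size)` already reserves room for the terminator and copies at most `size-1` characters, so passing `sizeof(currentdirectory)-1` truncates one character earlier than necessary (harmless for safety, but inconsistent). Two smaller points: the replacement also switches the source from `skin->string` to `Cvar_VariableString("skin")` without the comment saying why, and the commented-out `strcpy` line should be dropped rather than kept as dead code; the comment's "Richard Stanway's Q1 code" also disagrees with the spec, which attributes the finding to the R1Q2 fork.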
alienarena-security-sv_user-fix.patch:
sv_user.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- NEW FILE alienarena-security-sv_user-fix.patch ---
--- trunk/source/server/sv_user.c 2007/10/19 15:39:07 673
+++ trunk/source/server/sv_user.c 2010/04/01 04:52:26 1685
@@ -323,6 +323,7 @@
extern cvar_t *allow_download_sounds;
extern cvar_t *allow_download_maps;
extern int file_from_pak; // ZOID did file come from pak?
+ int name_length; // For getting the final character.
int offset = 0;
name = Cmd_Argv(1);
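Review bot: `name_length` is declared here but only assigned and read in the later hunk inside the while condition, so the comment "For getting the final character" is the only thing tying the declaration to its use; consider declaring it next to the loop that uses it, or at least initialising it, so the intent is clear at the declaration.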
@@ -333,6 +334,10 @@
// hacked by zoid to allow more conrol over download
// first off, no .. or global allow check
if (strstr (name, "..") || !allow_download->value
+ // prevent config downloading on Win32 systems
+ || name[0] == '\\'
+ // negative offset causes crashing
+ || offset < 0
// leading dot is no good
|| *name == '.'
// leading slash bad as well, must be in subdir
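Review bot: the `offset < 0` test only rejects anything if `offset` has already been parsed from the client's argument before this condition; the visible context shows only `int offset = 0;` and `name = Cmd_Argv(1);`, so confirm that the `offset` assignment sits above this `if` and not below it, otherwise the new check compares the initial zero and never fires. The `name[0] == '\\'` test covers only a leading backslash; if the goal is to stop backslash acting as a path separator on Win32 builds, `strchr(name, '\\')` would reject a backslash anywhere in the name, matching how the existing `strstr(name, "..")` check treats the whole string.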
@@ -354,6 +359,10 @@
return;
}
+ // If the name ends in a slash or dot, hack it off. Continue to do so just
+ // in case some tricky fellow puts multiple slashes or dots.
+ while (name[(name_length = strlen(name))] == '.' || name[name_length] == '/' )
+ name[name_length] = '\0';
if (sv_client->download)
FS_FreeFile (sv_client->download);
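Review bot: the while loop never strips anything: `name_length = strlen(name)` indexes the terminating NUL, so `name[name_length]` is always `'\0'`, neither comparison can be true, and the body is never executed, which means the trailing `.` and `/` crash described in the changelog is not actually mitigated by this hunk. The intended index is the last character, `strlen(name) - 1`, guarded against an empty name so the index cannot go negative, for example `while ((name_length = strlen(name)) > 0 && (name[name_length-1] == '.' || name[name_length-1] == '/')) name[name_length-1] = '\0';`. Note also that this trims `name` in place, so if `Cmd_Argv` returns a pointer into shared token storage the change is visible to any later caller in the same command.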
Index: alienarena.spec
===================================================================
RCS file: /cvs/pkgs/rpms/alienarena/F-11/alienarena.spec,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -p -r1.16 -r1.17
--- alienarena.spec 5 Mar 2010 18:40:36 -0000 1.16
+++ alienarena.spec 6 Apr 2010 16:02:17 -0000 1.17
@@ -1,7 +1,7 @@
Name: alienarena
Summary: Multiplayer retro sci-fi deathmatch game
Version: 7.32
-Release: 2%{?dist}.1
+Release: 3%{?dist}
License: GPLv2+
Group: Amusements/Games
# Subversion: https://svn.icculus.org/alienarena/trunk/?sortby=date
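Review bot: the Release bump from `2%{?dist}.1` to `3%{?dist}` is fine, but `Version` stays at 7.32 while the new client patch is named `alienarena-7.33-R1-...` and its diff headers reference an `alienarena-7.33/` tree; a short comment at the Patch line saying the hunk applies cleanly to 7.32 would save the next maintainer a check.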
@@ -21,6 +21,11 @@ Patch0: alienarena-7.20-currentdir-opti
Patch1: alienarena-7.10-dont-search-dll-in-data-path.patch
Patch3: alienarena-7.21-show-search-paths.patch
Patch4: alienarena-7.32-dga-compile-fix.patch
+# Taken from upstream SVN
+# http://svn.icculus.org/alienarena/trunk/source/server/sv_user.c?view=patch&r1=673&r2=1685&pathrev=1685
+Patch5: alienarena-security-sv_user-fix.patch
+# Identified as an issue in Richard Stanway's R1Q2 fork
+Patch6: alienarena-7.33-R1-client-buffer-overflow.patch
URL: http://red.planetarena.org/
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: libX11-devel, libXext-devel, libXxf86dga-devel, libXxf86vm-devel, libjpeg-devel
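Review bot: the upstream SVN URL on the Patch5 comment is a good provenance record; the Patch6 comment should carry the same kind of pointer (bug number or the R1Q2 commit) so the origin of the client fix is traceable from the spec rather than only from the changelog's `bz 577810`. Also, the numbering skips Patch2, which is pre-existing but worth tidying while the list is being touched.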
@@ -59,6 +64,11 @@ This is the dedicated server.
%patch3 -p1
%patch4 -p1
+# fix DOS with invalid parameters sent to download command
+%patch5 -p1
+# Fix buffer overflow in client
+%patch6 -p1 -b .R1
+
# Copy license clarification for acebot
cp -p %{SOURCE2} .
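Review bot: the comment above `%patch5` should read "DoS" (denial of service), not "DOS", to avoid reading as a reference to the Windows/DOS platform checks the patch adds. `%patch6 -p1 -b .R1` leaves a `menu.c.R1` backup beside the source, which is harmless here but means the `-b` suffix is the only difference between how the two security patches are applied; applying both the same way is simpler unless the backup is wanted.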
@@ -153,6 +163,14 @@ gtk-update-icon-cache -qf %{_datadir}/ic
%changelog
+* Tue Apr 6 2010 Tom "spot" Callaway <tcallawa at redhat.com> - 7.32-3
+- fix security issues identified in bz 577810
+ - By supplying various invalid parameters to the download command,
+ it is possible to cause a DoS condition by causing the server to
+ crash. A path ending in . or / will crash on Linux. Supplying
+ a negative offset will cause a crash on all platforms.
+ - Fix buffer overflow identified in R1Q2 client code
+
* Fri Mar 5 2010 Tom "spot" Callaway <tcallawa at redhat.com> - 7.32-2.1
- include patch4
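Review bot: the changelog entry describes the trailing `.` or `/` crash as fixed, but the while loop in the `sv_user.c` hunk compares the NUL terminator rather than the last character and so never trims the name; either correct that loop or soften the changelog text so it does not claim a mitigation the patch does not deliver. The entry also omits the new leading-backslash rejection, which is worth a line since it changes which download names the server accepts.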
More information about the scm-commits mailing list