rpms/alienarena/F-12 alienarena-7.33-R1-client-buffer-overflow.patch, NONE, 1.1 alienarena-security-sv_user-fix.patch, NONE, 1.1 alienarena.spec, 1.16, 1.17

Tom Callaway spot at fedoraproject.org
Tue Apr 6 16:02:19 UTC 2010


Author: spot

Update of /cvs/pkgs/rpms/alienarena/F-12
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv29298/F-12

Modified Files:
	alienarena.spec 
Added Files:
	alienarena-7.33-R1-client-buffer-overflow.patch 
	alienarena-security-sv_user-fix.patch 
Log Message:
security fixes

alienarena-7.33-R1-client-buffer-overflow.patch:
 menu.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- NEW FILE alienarena-7.33-R1-client-buffer-overflow.patch ---
diff -up alienarena-7.33/source/client/menu.c.BAD alienarena-7.33/source/client/menu.c
--- alienarena-7.33/source/client/menu.c.BAD	2010-04-06 11:12:38.098874822 -0400
+++ alienarena-7.33/source/client/menu.c	2010-04-06 11:15:46.511873232 -0400
@@ -6119,7 +6119,9 @@ qboolean PlayerConfig_MenuInit( void )
 	if ( hand->value < 0 || hand->value > 2 )
 		Cvar_SetValue( "hand", 0 );
 
-	strcpy( currentdirectory, skin->string );
+	Q_strncpyz( currentdirectory, Cvar_VariableString ("skin"), sizeof(currentdirectory)-1);
+	// Richard Stanway's Q1 code says there is a buffer overflow here.
+	// strcpy( currentdirectory, skin->string );
 
 	if ( strchr( currentdirectory, '/' ) )
 	{
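Review bot: The size passed on the `+` line is `sizeof(currentdirectory)-1`, but the R1Q2-style `Q_strncpyz` helpers this code is modelled on already copy at most `destsize-1` bytes and write the terminator at `dest[destsize-1]`; if Alien Arena's implementation behaves the same way, the `-1` here needlessly drops a usable byte and the call should read `Q_strncpyz( currentdirectory, Cvar_VariableString ("skin"), sizeof(currentdirectory) );` — confirm against the helper's definition before changing it. The fix is also only correct if `currentdirectory` is a real array in this scope (its declaration is outside the hunk); on a `char *` the `sizeof` would be the pointer size. The two commented-out lines that follow should be deleted rather than left behind, and their comment misattributes the finding to "Q1 code" while the spec and changelog say it came from the R1Q2 fork. PlayerConfig_MenuInit continues outside the hunk.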

alienarena-security-sv_user-fix.patch:
 sv_user.c |    9 +++++++++
 1 file changed, 9 insertions(+)

--- NEW FILE alienarena-security-sv_user-fix.patch ---
--- trunk/source/server/sv_user.c	2007/10/19 15:39:07	673
+++ trunk/source/server/sv_user.c	2010/04/01 04:52:26	1685
@@ -323,6 +323,7 @@
 	extern	cvar_t *allow_download_sounds;
 	extern	cvar_t *allow_download_maps;
 	extern	int		file_from_pak; // ZOID did file come from pak?
+	int		name_length; // For getting the final character.
 	int offset = 0;
 
 	name = Cmd_Argv(1);
@@ -333,6 +334,10 @@
 	// hacked by zoid to allow more conrol over download
 	// first off, no .. or global allow check
 	if (strstr (name, "..") || !allow_download->value
+		// prevent config downloading on Win32 systems
+		|| name[0] == '\\'
+		// negative offset causes crashing
+		|| offset < 0
 		// leading dot is no good
 		|| *name == '.' 
 		// leading slash bad as well, must be in subdir
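Review bot: The added `offset < 0` test rejects a negative value but leaves the upper bound to whatever clamps `offset` against the size of the loaded file later in the function (outside this hunk); please confirm that clamp is still present, since `offset` is presumably parsed from a client-supplied argument and an over-large value would index past the download buffer just as a negative one does. The leading-backslash test only catches a backslash in position 0; if `name` is later used to build a filesystem path, rejecting any backslash with `strchr(name, '\\')` is the simpler rule and removes the Win32-only reasoning from the comment. Stylistically, `name[0] == '\\'` sits two lines above `*name == '/'` and does the same kind of check in different notation; writing `|| *name == '/' || *name == '\\'` together keeps the separator checks in one place. The enclosing function and this condition continue outside the hunk.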
@@ -354,6 +359,10 @@
 		return;
 	}
 
+	// If the name ends in a slash or dot, hack it off. Continue to do so just
+    // in case some tricky fellow puts multiple slashes or dots.
+    while (name[(name_length = strlen(name))] == '.' || name[name_length] == '/' )
+        name[name_length] = '\0';
 
 	if (sv_client->download)
 		FS_FreeFile (sv_client->download);
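Review bot: The stripping loop on the `+` lines never executes: `name[strlen(name)]` is always the terminating NUL, so the comparison with `'.'` and `'/'` fails on the first test and the trailing character the comment promises to remove stays in place — the Linux crash the changelog attributes to trailing `.`/`/` is not fixed by this hunk. The intended form is `while ((name_length = strlen(name)) > 0 && (name[name_length - 1] == '.' || name[name_length - 1] == '/')) name[name_length - 1] = '\0';`, with the `> 0` guard so that a name consisting only of dots or slashes cannot drive `name_length - 1` to `name[-1]`. Because the stripping runs after the path checks in the earlier hunk, a name such as `maps//` passes those checks and is then reduced to `maps`, which may no longer satisfy whatever "must be in a subdirectory" rule that block enforces; either strip before validating or re-validate afterwards. `name_length` stores a `strlen` result and should be `size_t` rather than `int`, and note that writing into `name` mutates the buffer `Cmd_Argv(1)` returned. The enclosing function continues outside the hunk.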


Index: alienarena.spec
===================================================================
RCS file: /cvs/pkgs/rpms/alienarena/F-12/alienarena.spec,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -p -r1.16 -r1.17
--- alienarena.spec	9 Nov 2009 07:37:27 -0000	1.16
+++ alienarena.spec	6 Apr 2010 16:02:19 -0000	1.17
@@ -1,7 +1,7 @@
 Name:		alienarena
 Summary: 	Multiplayer retro sci-fi deathmatch game
 Version:	7.32
-Release:	2%{?dist}
+Release:	3%{?dist}
 License:	GPLv2+
 Group:		Amusements/Games
 # Subversion:  https://svn.icculus.org/alienarena/trunk/?sortby=date
@@ -21,6 +21,11 @@ Patch0:		alienarena-7.20-currentdir-opti
 Patch1:		alienarena-7.10-dont-search-dll-in-data-path.patch
 Patch3:		alienarena-7.21-show-search-paths.patch
 Patch4:		alienarena-7.32-dga-compile-fix.patch
+# Taken from upstream SVN
+# http://svn.icculus.org/alienarena/trunk/source/server/sv_user.c?view=patch&r1=673&r2=1685&pathrev=1685
+Patch5:		alienarena-security-sv_user-fix.patch
+# Identified as an issue in Richard Stanway's R1Q2 fork
+Patch6:		alienarena-7.33-R1-client-buffer-overflow.patch
 URL:		http://red.planetarena.org/
 BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires:	libX11-devel, libXext-devel, libXxf86dga-devel, libXxf86vm-devel, libjpeg-devel
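Review bot: The new Patch6 file is named `alienarena-7.33-R1-client-buffer-overflow.patch` while the spec's `Version:` is 7.32 and the patch is applied to this 7.32 tree, so the next packager will read the name as belonging to a different release. Either rename it to `alienarena-7.32-R1-client-buffer-overflow.patch` or extend the comment above it to record the provenance, e.g. `# Backported from the 7.33 sources; identified as an issue in Richard Stanway's R1Q2 fork`. Patch5's comment already names its upstream revision, so doing the same here keeps the two entries consistent.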
@@ -59,6 +64,11 @@ This is the dedicated server.
 %patch3 -p1
 %patch4 -p1
 
+# fix DOS with invalid parameters sent to download command
+%patch5 -p1
+# Fix buffer overflow in client
+%patch6 -p1 -b .R1
+
 # Copy license clarification for acebot
 cp -p %{SOURCE2} .
 
@@ -153,6 +163,17 @@ gtk-update-icon-cache -qf %{_datadir}/ic
 
 
 %changelog
+* Tue Apr  6 2010 Tom "spot" Callaway <tcallawa at redhat.com> - 7.32-3
+- fix security issues identified in bz 577810
+ - By supplying various invalid parameters to the download command,
+   it is possible to cause a DoS condition by causing the server to
+   crash. A path ending in . or / will crash on Linux. Supplying
+   a negative offset will cause a crash on all platforms.
+ - Fix buffer overflow identified in R1Q2 client code
+
+* Fri Mar  5 2010 Tom "spot" Callaway <tcallawa at redhat.com> - 7.32-2.1
+- include patch4
+
 * Sat Nov  7 2009 Hans de Goede <hdgoede at redhat.com> - 7.32-2
 - dlopen openal.so.x, not openal.so.x.y. this fixes a crash on startup when
   the openal minor version has changed


