From: Christian Mauduit
Subject: [liquidwar-user] [Fwd: Liquid War 5.6.4 - buffer overflow, possible security advisory]
Date: Fri, 31 Jul 2009 08:04:28 +0200 (CEST)
User-agent: SquirrelMail/1.4.15

Hi all,

FYI, a potential security flaw has been found in LW5, reported by Mikhail
Yakshin. Description follows:

--------8<----------------------------------------------------------------

---------------------------- Original Message ----------------------------
Subject: Liquid War 5.6.4 - buffer overflow, possible security advisory
From:    "Mikhail Yakshin"
Date:    Wed, July 22, 2009 2:44 pm
To:      address@hidden
--------------------------------------------------------------------------

Hi Christian,

I'm a maintainer of Liquid War in ALT Linux. I think I've found a
buffer overflow bug in Liquid War metaserver client code. The patch is
basically the following:

--- src/wwwsrv.c~       2007-10-18 00:00:50 +0400
+++ src/wwwsrv.c        2009-07-21 11:18:26 +0400
@@ -104,8 +104,8 @@
   data->port = port;
   data->busy_players = busy_players;
   data->max_players = max_players;
-  strncpy (data->password, password, URL_SIZE);
-  strncpy (data->comment, comment, URL_SIZE);
+  strncpy (data->password, password, PASSWORD_SIZE);
+  strncpy (data->comment, comment, COMMENT_SIZE);
 }

 /*------------------------------------------------------------------*/
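Review bot: the bounds now match the destination fields, but strncpy() still leaves data->password and data->comment without a terminating NUL whenever the source is PASSWORD_SIZE (or COMMENT_SIZE) characters or longer, because it stops after the count without writing '\0'. Consider forcing termination after each copy, e.g. `data->password[PASSWORD_SIZE - 1] = '\0';` and `data->comment[COMMENT_SIZE - 1] = '\0';` (or copying at most size - 1 bytes), so later string operations on these fields stay within the buffer. Writing the bound as `sizeof (data->password)` rather than a separately named constant would also tie it to the field declaration, which is exactly the kind of mismatch the removed lines show.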

Looks like it was a copy-paste work: data->password is really
PASSWORD_SIZE chars long (20) and it might be overwritten with data of
URL_SIZE chars long (300). The same with COMMENT_SIZE (100) < URL_SIZE
(300).

-- 
WBR, Mikhail Yakshin

--------8<----------------------------------------------------------------

This patch has been applied to the main source tree (code source on Arch,
the path is here:
http://arch.savannah.gnu.org/archives/liquidwar/liquidwar/liquidwar--stable/liquidwar--stable--6.5/patch-11/
) and upcoming release 5.6.5 will include this patch. Should be released
end of 2009, or beginning of 2010. Depends on how much time LW6
development takes ;)

This security flaw is not critical-critical, one still has to build an
exploit, and since there's still a strncpy with 300 as an arg, one has to
find a "less than 300 chars exploit", which might be uneasy. But still, it
should be doable, so it's good to be aware of it.

One way to avoid the vulnerability is either to apply the patch above, or,
at your option, run the server with the "-private" option (you might also
answer "n" to the question "Register on "www.ufoot.org/metaserver/"
(y/n)?").

Have a nice day,

Christian.

-- 
Christian Mauduit <address@hidden> - http://www.ufoot.org/ ___ __/\__
Liquid War 6 - http://www.gnu.org/software/liquidwar6/     / _")\~ \~/
"Les amis de la vérité sont ceux qui la cherchent et non _/ /   /_ o_\
ceux qui se vantent de l'avoir trouvée" - Condorcet     (__/      \/
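The mismatch described in the report, as an added example written for this page rather than code from the Liquid War source: the struct below is a hypothetical stand-in for the metaserver entry (only the two fields the patch touches), the three size constants are the values quoted in the report (20, 100, 300), and the helper names `copy_bounded`, `fill_entry`, `check_no_overflow` and `strncpy_leaves_unterminated` are assumptions of this example. It shows the hardened form of the assignment (each field bounded by its own `sizeof`, with an explicit terminator) and the strncpy() caveat that makes the terminator necessary.

```c
#include <stdio.h>
#include <string.h>

/* Buffer sizes as quoted in the report (values taken from the advisory text). */
#define URL_SIZE      300
#define PASSWORD_SIZE 20
#define COMMENT_SIZE  100

/* Hypothetical stand-in for the metaserver entry: only the two fields
 * touched by the patch are modelled. */
struct server_entry {
  char password[PASSWORD_SIZE];
  char comment[COMMENT_SIZE];
};

/* Bounded copy that always leaves dst NUL-terminated.  strncpy() alone
 * writes no terminator when strlen(src) >= count, so at most dst_size - 1
 * bytes are copied and the last byte is forced to '\0'.  Returns 1 when
 * the input had to be truncated, 0 otherwise. */
static int copy_bounded(char *dst, size_t dst_size, const char *src)
{
  size_t len = strlen(src);
  strncpy(dst, src, dst_size - 1);   /* bound comes from the destination, never from URL_SIZE */
  dst[dst_size - 1] = '\0';
  return len >= dst_size;
}

/* Hardened counterpart of the patched assignment: each field is bounded by
 * its own sizeof(), so a renamed or resized field cannot silently overflow. */
static int fill_entry(struct server_entry *e, const char *password, const char *comment)
{
  int truncated = 0;
  memset(e, 0, sizeof *e);
  truncated |= copy_bounded(e->password, sizeof e->password, password);
  truncated |= copy_bounded(e->comment, sizeof e->comment, comment);
  return truncated;
}

/* Exercise the fix with a constructed over-long password (URL_SIZE - 1
 * bytes, i.e. what a URL-sized input could carry).  Returns 1 when the
 * password field is terminated within bounds and the neighbouring
 * comment field is untouched. */
int check_no_overflow(void)
{
  char longpw[URL_SIZE];
  struct server_entry e;
  int truncated;

  memset(longpw, 'A', sizeof longpw - 1);
  longpw[sizeof longpw - 1] = '\0';

  truncated = fill_entry(&e, longpw, "hello");
  return truncated == 1
      && strlen(e.password) == PASSWORD_SIZE - 1
      && strcmp(e.comment, "hello") == 0;
}

/* Demonstrates the caveat behind the explicit terminator above: with a
 * source of PASSWORD_SIZE or more characters, strncpy(dst, src,
 * PASSWORD_SIZE) fills every byte of the field and writes no '\0'.
 * Returns 1 when the field is indeed left unterminated. */
int strncpy_leaves_unterminated(void)
{
  char field[PASSWORD_SIZE + 1];   /* one guard byte so the array stays a valid C string */
  char src[PASSWORD_SIZE + 1];

  memset(src, 'B', PASSWORD_SIZE);
  src[PASSWORD_SIZE] = '\0';       /* exactly 20 characters plus NUL */
  memset(field, 'X', PASSWORD_SIZE);
  field[PASSWORD_SIZE] = '\0';

  strncpy(field, src, PASSWORD_SIZE);   /* copies 20 'B's, leaves no room for '\0' */
  return memchr(field, '\0', PASSWORD_SIZE) == NULL;
}

int main(void)
{
  printf("bounded copy keeps fields intact: %s\n", check_no_overflow() ? "yes" : "no");
  printf("plain strncpy leaves field unterminated: %s\n",
         strncpy_leaves_unterminated() ? "yes" : "no");
  return check_no_overflow() ? 0 : 1;
}
```

The second check is why the patch as posted is only half of the story: once the count equals the field size, a full-length value leaves the field without a terminator, and any later strlen() or printf("%s") on it reads past the field into whatever follows.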
