Re: CVE id request: openttd

[Robert Buchholz <rbu () gentoo org>]

On Monday 04 August 2008, Nico Golde wrote:
> "OpenTTD servers of version 0.6.1 and below are susceptible to a
> remotely exploitable buffer overflow when the server is filled with
> companies and clients with names that are (near) the maximum allowed
> length for names. In the worst case OpenTTD will write the following
> (mostly remotely changable bytes) into 1460 bytes of malloc-ed
> memory:
> up to 11 times (amount of players) 118 bytes
> up to 8 times (amount of companies) 124 bytes
> and 7 "header" bytes
> Resulting in up to 2297 bytes being written in 1460 bytes of
> malloc-ed memory. This makes it possible to remotely crash the game
> or change the gamestate into an unrecoverable state.  "
>
> This is Debian bug #493714.
>
> I didn't yet have the time to check the diff between the versions.

Secunia interpreted [1] the "remotely exploitable buffer overflows" 
mentioned in the changelog [2] to be a "boundary error within 
the "TruncateString()" function in src/gfx.cpp". This would be the 
following patch [3]. However, this would overwrite the buffer by max. 2 
bytes, and does not match your bug description too well. Is this maybe 
r13712 [4] ?

Robert


[1] http://secunia.com/advisories/31350/
[2] http://sourceforge.net/project/shownotes.php?release_id=617243
[3] https://bugs.gentoo.org/attachment.cgi?id=162239
[4] svn diff -c 13712 svn://svn.openttd.org/trunk

Attachment: signature.asc
Description: This is a digitally signed message part.