Bug 6981

Summary: openttd new security issue CVE-2012-3436
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: davidwhodgins, jani.valimaa, stormi-mageia, sysadmin-bugs, tmb
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://security.openttd.org/en/CVE-2012-3436
Whiteboard: MGA1TOO has_procedure MGA2-32-OK MGA2-64-OK MGA1-32-OK MGA1-64-OK
Source RPM: openttd CVE:
Status comment:

Description David Walser 2012-08-07 21:46:03 CEST 
Debian has issued an advisory on August 6:
http://www.debian.org/security/2012/dsa-2524

Mageia 1 and 2 are affected by CVE-2012-3436.

Mageia 2 is probably not affected by CVE-2012-0049, which was fixed in 1.1.5.

CVE-2012-0049 was also previously fixed in a Fedora advisory from January 17:
http://lists.fedoraproject.org/pipermail/package-announce/2012-January/072508.html

Another "slow read attack" was fixed in that update as well, which was also fixed upstream in 1.1.5.  There doesn't seem to be an upstream commit link for that one, so for Mageia 1 it might be best to update to 1.1.5.

For the CVEs, there are links to the upstream commits in the RedHat bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=782179
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3436
David Walser 2012-08-07 21:46:12 CEST

CC: (none) => jani.valimaa

David Walser 2012-08-07 21:46:19 CEST

Whiteboard: (none) => MGA2TOO, MGA1TOO

Comment 1 Jani Välimaa 2012-08-07 22:18:11 CEST 
Pushed new release to mga2 core/updates_testing which fixes CVE-2012-3436.

[1] openttd-1.2.1-2.mga2

See also: http://security.openttd.org/en/CVE-2012-3436
Comment 2 Jani Välimaa 2012-08-07 22:31:20 CEST 
CVE-2012-0049 is already fixed in mga1.

Pushed new release [1] also to mga1 core/updates_testing which fixes CVE-2012-3436.

[1] openttd-1.1.0-1.3.mga1
Comment 3 Jani Välimaa 2012-08-07 22:37:40 CEST 
Please test new releases from core/updates_testing for mga1 and mga2.

New releases fixes CVE-2012-3436: Denial of service (server) using ships on half tiles and landscaping.

More info and simple steps to reproduce in upstream security tracker: http://security.openttd.org/en/CVE-2012-3436

Assignee: bugsquad => qa-bugs

Jani Välimaa 2012-08-07 22:49:45 CEST

Summary: openttd new security issues CVE-2012-0049 and CVE-2012-3436 => openttd new security issues CVE-2012-3436

Jani Välimaa 2012-08-07 22:50:42 CEST

URL: http://lwn.net/Vulnerabilities/478084/ => http://security.openttd.org/en/CVE-2012-3436
Source RPM: openttd-1.1.0-1.1.mga1.src.rpm => openttd

Samuel Verschelde 2012-08-07 22:56:08 CEST

CC: (none) => stormi
Version: Cauldron => 2
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO

Comment 4 Samuel Verschelde 2012-08-07 22:57:59 CEST 
Testing procedure: try to reproduce the issue following the steps in the link from comment #3 (before and after the update) + make sure you can start a new game, play it for a few minutes, and save/load a game.

Whiteboard: MGA1TOO => MGA1TOO has_procedure

Comment 5 David Walser 2012-08-07 23:00:52 CEST 
(In reply to comment #2)
> CVE-2012-0049 is already fixed in mga1.

How so?  The changelog for the previously issued update only lists:
  o CVE-2011-3343 (Multiple buffer overflows in validation of external data)
  o CVE-2011-3342 (Buffer overflows in savegame loading)
  o CVE-2011-3341 (Denial of service via improperly validated commands)
Comment 6 Jani Välimaa 2012-08-07 23:02:58 CEST 
(In reply to comment #5)
> (In reply to comment #2)
> > CVE-2012-0049 is already fixed in mga1.
> 
> How so?  The changelog for the previously issued update only lists:
>   o CVE-2011-3343 (Multiple buffer overflows in validation of external data)
>   o CVE-2011-3342 (Buffer overflows in savegame loading)
>   o CVE-2011-3341 (Denial of service via improperly validated commands)

Sun Jan 15 2012 wally <wally> 1.1.0-1.2.mga1

+ Revision: 196505
- fix CVE-2012-0049 (Denial of service (server) via slow read attack)
Comment 7 David Walser 2012-08-07 23:04:12 CEST 
(In reply to comment #6)
> (In reply to comment #5)
> > (In reply to comment #2)
> > > CVE-2012-0049 is already fixed in mga1.
> > 
> > How so?  The changelog for the previously issued update only lists:
> >   o CVE-2011-3343 (Multiple buffer overflows in validation of external data)
> >   o CVE-2011-3342 (Buffer overflows in savegame loading)
> >   o CVE-2011-3341 (Denial of service via improperly validated commands)
> 
> Sun Jan 15 2012 wally <wally> 1.1.0-1.2.mga1
> 
> + Revision: 196505
> - fix CVE-2012-0049 (Denial of service (server) via slow read attack)

Oh whoops, ok I looked at the wrong update :o)  Thanks.

Summary: openttd new security issues CVE-2012-3436 => openttd new security issue CVE-2012-3436

Comment 8 Dave Hodgins 2012-08-08 03:48:57 CEST 
I couldn't get the crash to happen, as it wouldn't let me
put tracks on a square with part of it in water.

As the game is working, with no obvious regressions, I consider
testing complete on Mageia 2 i586.

Couldn't figure out how to change the font size, despite
editing the numbers in ~/.openttd/openttd.cfg, so had to
use kmag to be able to read the text.

I'll test Mageia 2 x86-64 shortly.

CC: (none) => davidwhodgins
Whiteboard: MGA1TOO has_procedure => MGA1TOO has_procedure MGA2-32-OK

Comment 9 Dave Hodgins 2012-08-08 04:16:02 CEST 
Testing complete on Mageia 2 x86-64.

I'll test Mageia 1 shortly.

Whiteboard: MGA1TOO has_procedure MGA2-32-OK => MGA1TOO has_procedure MGA2-32-OK MGA2-64-OK

Comment 10 Dave Hodgins 2012-08-08 04:43:31 CEST 
Testing complete on Mageia 1 i586 and x86-64.

Could someone from the sysadmin team push the srpm
openttd-1.2.1-2.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
openttd-1.1.0-1.3.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory:  This security update for openttd corrects CVE-2012-0049
(Denial of service (server) via slow read attack).

https://bugs.mageia.org/show_bug.cgi?id=6981

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO has_procedure MGA2-32-OK MGA2-64-OK => MGA1TOO has_procedure MGA2-32-OK MGA2-64-OK MGA1-32-OK MGA1-64-OK

Comment 11 Jani Välimaa 2012-08-08 08:22:47 CEST 
(In reply to comment #10)
> 
> Advisory:  This security update for openttd corrects CVE-2012-0049
> (Denial of service (server) via slow read attack).
> 
> https://bugs.mageia.org/show_bug.cgi?id=6981

Oopsie, CVE-2012-0049 was fixed earlier.

This security update fixes CVE-2012-3436 (Denial of service (server) using ships on half tiles and landscaping).
Comment 12 David Walser 2012-08-08 14:10:11 CEST 
(In reply to comment #11)
> (In reply to comment #10)
> > 
> > Advisory:  This security update for openttd corrects CVE-2012-0049
> > (Denial of service (server) via slow read attack).
> > 
> > https://bugs.mageia.org/show_bug.cgi?id=6981
> 
> Oopsie, CVE-2012-0049 was fixed earlier.
> 
> This security update fixes CVE-2012-3436 (Denial of service (server) using
> ships on half tiles and landscaping).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3436
http://security.openttd.org/en/CVE-2012-3436
http://www.debian.org/security/2012/dsa-2524
Comment 13 Dave Hodgins 2012-08-09 04:54:49 CEST 
Just confirming to sysadmin team, this update is ready to
push.  I just copied the wrong advisory from above.

Could someone from the sysadmin team push the srpm
openttd-1.2.1-2.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
openttd-1.1.0-1.3.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: This security update fixes CVE-2012-3436 (Denial of
service (server) using ships on half tiles and landscaping).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3436
http://security.openttd.org/en/CVE-2012-3436
http://www.debian.org/security/2012/dsa-2524

https://bugs.mageia.org/show_bug.cgi?id=6981
Comment 14 Thomas Backlund 2012-08-12 21:18:19 CEST 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0212

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED