Bug 8623

Summary: freeciv new security issues CVE-2012-5645 and CVE-2012-6083
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: major    
Priority: Normal CC: lists.jjorge, sysadmin-bugs, tmb
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/531754/
Whiteboard: has_procedure mga2-32-OK mga2-64-OK
Source RPM: freeciv-2.3.1-1.mga2.src.rpm CVE:
Status comment:

Description David Walser 2013-01-07 21:19:19 CET 
Fedora has issued an advisory on December 19:
http://lists.fedoraproject.org/pipermail/package-announce/2013-January/095378.html

The issue is fixed upstream in 2.3.3 (which we have in Cauldron).

The RedHat bug links the upstream change that fixed it:
https://bugzilla.redhat.com/show_bug.cgi?id=888331
David Walser 2013-01-07 21:19:34 CET

CC: (none) => lists.jjorge

David Walser 2013-01-07 21:19:48 CET

Assignee: bugsquad => lists.jjorge

Comment 1 David Walser 2013-01-10 20:12:31 CET 
The RedHat bug has some misinformation.  The fix they linked is actually CVE-2012-6083, and the fix for CVE-2012-5645 was in a different commit.  Debian has the details here:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696306

Summary: freeciv new security issue CVE-2012-5645 => freeciv new security issues CVE-2012-5645 and CVE-2012-6083

Comment 2 David Walser 2013-01-10 20:22:43 CET 
Patched package uploaded for Mageia 2.

Advisory:
========================

Updated freeciv packages fix security vulnerabilities:

Malformed network packets could cause denial of service (memory exhaustion or
CPU-bound loop) in Freeciv before 2.3.3 (CVE-2012-5645, CVE-2012-6083).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5645
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6083
http://freeciv.wikia.com/wiki/NEWS-2.3.3
========================

Updated packages in core/updates_testing:
========================
freeciv-data-2.3.1-1.2.mga2
freeciv-client-2.3.1-1.2.mga2
freeciv-server-2.3.1-1.2.mga2

from freeciv-2.3.1-1.2.mga2.src.rpm

Assignee: lists.jjorge => qa-bugs

Comment 3 claire robinson 2013-01-14 14:37:31 CET 
Probable PoC: http://aluigi.org/poc/freecivet.zip
Comment 4 claire robinson 2013-01-14 15:16:29 CET 
Testing complete mga2 32

Extracted freecivet.c

Compiled with

$ gcc -o freecivet freecivet.c
$ ./freecivet

Freeciv <= 2.2.1 Denials of Service 0.1
by Luigi Auriemma
e-mail: aluigi@autistici.org
web:    aluigi.org


Usage: ./freecivet <bug> <host> [port(5556)]

Bugs:
 1 = malloc exception
 2 = endless loop

Before
------

Started freeciv and started a local game so it started the server.
Confirmed the malloc crash using the command below..

./freecivet 1 localhost 5556

Changing the bug to 2 didn't seem to have any effect, unless it consumes resources very slowly but I can't see anything here under 'top'.

After
-----
PoC has no effect

Hardware: i586 => All
Whiteboard: (none) => has_procedure mga2-32-OK

Comment 5 claire robinson 2013-01-14 15:37:12 CET 
Testing complete mga2 64

Testing as above.

Not sure what I'm doing with the game but clicking the Turn Done button changes the year each time.

Validating

Advisory & SRPM in comment 2

Could sysadmin please push fro core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: has_procedure mga2-32-OK => has_procedure mga2-32-OK mga2-64-OK

Comment 6 Thomas Backlund 2013-01-14 22:25:34 CET 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0005

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED