Debian has issued an update for this, and describes it as a remotely exploitable buffer overflow vulnerability. Mageia 1 and Cauldron are affected. Fixing this is currently blocked by a build error on Cauldron.

In Mageia, plib is compiled into the packages that use it, so for this to be fixed, they will need to be rebuilt. Those packages are:
- torcs
- flightgear
- speed-dreams
- tuxkart
- tux_aqfh

Additionally, supertuxkart was forked from tuxkart and switched its build dependency from plib to irrlicht, which contains code that looks just like the affected code in plib, just with changed variable names. This should probably be patched as well. In this case, supertuxkart is dynamically linked to irrlicht, so rebuilding supertuxkart would not be required.

Finally, it looks like in Debian that plib is built as a library and that the software using plib in Debian is dynamically linked to that library, rather than having it compiled in. It would be nice if we could do the same in Cauldron at some point.

References:
http://www.debian.org/security/2012/dsa-2425.en.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4620
Created attachment 1910: plib-1.8.5-CVE-2011-4620.diff
Created attachment 1911: patch for similar code in irrlicht
Blocks: (none) => 5046
CC: (none) => stormi
OK, it builds in Cauldron now. On Mageia 1 it builds with mesaglut, which pulls in libxmu-devel as a dependency, but on Cauldron it builds with freeglut, which does not. I have submitted updated plib and irrlicht packages for Cauldron. All that needs to be done there is rebuilding the 5 packages that use plib. Mageia 1 hasn't been addressed yet.
The 5 packages in Cauldron have been rebuilt.
Blocks: 5046 => (none)
For Mageia 1, there is only torcs, flightgear, supertuxkart, and tuxkart. In Mageia 1, supertuxkart was built with plib (hadn't switched to irrlicht yet).
Patched (plib) and rebuilt (games) packages uploaded. Note to QA: the affected code is used for printing error messages.

Advisory:
========================

Updated plib and other packages fix security vulnerability:

Buffer overflow in the ulSetError function in util/ulError.cxx in PLIB 1.8.5, as used in TORCS 1.3.1 and other products, allows user-assisted remote attackers to execute arbitrary code via vectors involving a long error message, as demonstrated by a crafted acc file for TORCS (CVE-2011-4620).

The torcs, flightgear, supertuxkart, and tuxkart packages have been rebuilt with the fixed plib library.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4620
http://www.debian.org/security/2012/dsa-2425.en.html
========================

Updated packages in core/updates_testing:
========================
plib-devel-1.8.5-3.1.mga1
torcs-1.3.1-7.1.mga1
torcs-robots-base-1.3.1-7.1.mga1
torcs-robots-berniw-1.3.1-7.1.mga1
torcs-robots-bt-1.3.1-7.1.mga1
torcs-robots-olethros-1.3.1-7.1.mga1
flightgear-2.0.0-4.1.mga1
supertuxkart-0.7-1.1.mga1
tuxkart-0.4.0-10.1.mga1

from SRPMS:
plib-1.8.5-3.1.mga1.src.rpm
torcs-1.3.1-7.1.mga1.src.rpm
flightgear-2.0.0-4.1.mga1.src.rpm
supertuxkart-0.7-1.1.mga1.src.rpm
tuxkart-0.4.0-10.1.mga1.src.rpm
Assignee: bugsquad => qa-bugs
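As an added illustration of the defect class the advisory above describes (this is example code written for this page, not PLIB's code, the attached patch, or anything from the Mageia packages): a printf-style error routine that formats caller-controlled text into a fixed-size buffer. The function names, the buffer name and its 1024-byte size are assumptions for the example. The unsafe form of such a routine writes the formatted message with no bound (vsprintf-style), so a message longer than the buffer runs past it; the bounded vsnprintf form below never writes past the buffer, always NUL-terminates, and reports when a message was cut, which is the property a fix for this kind of overflow has to provide. The message text is modelled on the ssgLoadAC warning QA reported later in this bug.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Buffer size is an assumption for this example, not PLIB's actual value. */
#define EXAMPLE_ERROR_BUF_SIZE 1024

static char example_error_buffer[EXAMPLE_ERROR_BUF_SIZE];

/*
 * Bounded error formatter (hypothetical name). The pattern behind the
 * advisory is a routine like this one that formats into the fixed buffer
 * with no length limit; vsnprintf is told the buffer size, so it stops at
 * size-1 characters and NUL-terminates. Its return value is the length the
 * full message would have had, which lets us detect truncation.
 * Returns 1 if the message was truncated (or could not be formatted),
 * 0 if it fit completely.
 */
int example_set_error(const char *fmt, ...)
{
    va_list ap;
    int needed;

    va_start(ap, fmt);
    needed = vsnprintf(example_error_buffer, sizeof example_error_buffer, fmt, ap);
    va_end(ap);

    if (needed < 0) {
        /* encoding error: leave a safe, empty message rather than garbage */
        example_error_buffer[0] = '\0';
        return 1;
    }
    return (size_t)needed >= sizeof example_error_buffer;
}

const char *example_get_error(void)
{
    return example_error_buffer;
}

size_t example_error_length(void)
{
    return strlen(example_error_buffer);
}

/* Stand-in for a model loader passing a file name taken from untrusted
   input into the error path, the way a crafted data file reaches the
   error routine in the advisory. */
int example_report_bad_file(const char *name)
{
    return example_set_error("ssgLoadAC: '%s' is not in AC3D format.", name);
}

/* Constructed oversize input: a file name far longer than the buffer.
   Returns the truncation flag; the stored message is bounded regardless. */
int example_demo_oversize_name(void)
{
    static char name[4000];
    memset(name, 'A', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    return example_report_bad_file(name);
}

int main(void)
{
    int cut = example_demo_oversize_name();
    printf("truncated=%d stored_length=%zu\n", cut, example_error_length());
    cut = example_report_bad_file("car4-trb1.acc");
    printf("truncated=%d message=%s\n", cut, example_get_error());
    return 0;
}
```

The truncation flag is the part worth keeping in a real fix: a caller that logs a cut message can still notice that input was unexpectedly long, which is a useful signal when a data file is malformed rather than merely misnamed.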
Hmm, supertuxkart in Mageia 1 is using irrlicht after all. The rebuild for plib wasn't necessary (although I did fix an error in the .desktop file). I'll upload a patched irrlicht and update the advisory.
The affected code isn't in the version of irrlicht used in Mageia 1. This should be good to go.
Just fyi, I can't test these on my ancient hardware. Lockups with the ati driver, and do not work under vesa. Someone else will have to do the i586 testing for these.
CC: (none) => davidwhodgins
flightgear & torcs work fine on x86_64. Don't know how to see some errors.
torcs PoC here http://www.securityfocus.com/bid/51152/exploit Confirmed the list of packages using plib-devel as buildrequire.
i586

Torcs
-----
There is a segfault with torcs when choosing quick race > configure race > accept, but it isn't a regression.

/usr/games/torcs: line 53: 24727 Segmentation fault $LIBDIR/torcs-bin -l $LOCAL_CONF -L $LIBDIR -D $DATADIR $*

I'll create a bug for that.

With the compiled PoC in place of car4-trb1.acc in /usr/share/games/torcs/cars/car4-trb1/, when starting a race..

WARNING: ssgLoadAC: 'cars/car4-trb1/car4-trb1.acc' is not in AC3D format.
/usr/games/torcs: line 53: 24372 Segmentation fault $LIBDIR/torcs-bin -l $LOCAL_CONF -L $LIBDIR -D $DATADIR $*

That is the same segfault as the one above, so I'm not sure it is related to the PoC.
Flightgear
----------
My old laptop can't really run this, but with the Release version at startup it gives an error..

$ fgfs
Mesa 7.10.2 implementation error: Bad renderbuffer format: 21
Please report at bugs.freedesktop.org

It later gives several pages of these before reaching the cockpit..

i915_program_error: Bad source->Index: 12
i915_program_error: Bad source->Index: 12

No regressions sat on the runway with the update. I'll create another bug for this.
Tuxkart Ok.
Supertuxkart Ok.

Testing complete i586
Bug 5513 created for flightgear. Bug 5514 created for torcs.
José Jorge has fixed Bug 5514, so its SRPM is now torcs-1.3.1-7.2.mga1.
Still to test - tuxkart & supertuxkart x86_64
All tested OK. Validating.

Please see comment 6 for Advisory and SRPM.

Could sysadmin please push from core/updates_testing to core/updates. Thanks!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Hardware: i586 => All
I think torcs has already been pushed after bug 5514 was closed.
Update pushed.
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED