Bug 6981 - openttd new security issue CVE-2012-3436
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assigned To: QA Team
URL: http://security.openttd.org/en/CVE-20...
Whiteboard: MGA1TOO has_procedure MGA2-32-OK MGA2...
Keywords: validated_update
Reported: 2012-08-07 21:46 CEST by David Walser
Modified: 2012-08-12 21:18 CEST (History)

Source RPM: openttd

Description David Walser 2012-08-07 21:46:03 CEST
Debian has issued an advisory on August 6:
http://www.debian.org/security/2012/dsa-2524

Mageia 1 and 2 are affected by CVE-2012-3436.

Mageia 2 is probably not affected by CVE-2012-0049, which was fixed in 1.1.5.

CVE-2012-0049 was also previously fixed in a Fedora advisory from January 17:
http://lists.fedoraproject.org/pipermail/package-announce/2012-January/072508.html

Another "slow read attack" was fixed in that update as well, which was also fixed upstream in 1.1.5. There doesn't seem to be an upstream commit link for that one, so for Mageia 1 it might be best to update to 1.1.5.

For the CVEs, there are links to the upstream commits in the RedHat bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=782179
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3436
Comment 1 Jani Välimaa 2012-08-07 22:18:11 CEST
Pushed new release to mga2 core/updates_testing which fixes CVE-2012-3436.

[1] openttd-1.2.1-2.mga2

See also: http://security.openttd.org/en/CVE-2012-3436
Comment 2 Jani Välimaa 2012-08-07 22:31:20 CEST
CVE-2012-0049 is already fixed in mga1.

Pushed new release [1] also to mga1 core/updates_testing which fixes CVE-2012-3436.

[1] openttd-1.1.0-1.3.mga1
Comment 3 Jani Välimaa 2012-08-07 22:37:40 CEST
Please test new releases from core/updates_testing for mga1 and mga2.

New releases fix CVE-2012-3436: Denial of service (server) using ships on half tiles and landscaping.

More info and simple steps to reproduce in upstream security tracker: http://security.openttd.org/en/CVE-2012-3436
Comment 4 Samuel Verschelde 2012-08-07 22:57:59 CEST
Testing procedure: try to reproduce the issue following the steps in the link from comment #3 (before and after the update), and make sure you can start a new game, play it for a few minutes, and save/load a game.
Comment 5 David Walser 2012-08-07 23:00:52 CEST
(In reply to comment #2)
> CVE-2012-0049 is already fixed in mga1.

How so? The changelog for the previously issued update only lists:
  o CVE-2011-3343 (Multiple buffer overflows in validation of external data)
  o CVE-2011-3342 (Buffer overflows in savegame loading)
  o CVE-2011-3341 (Denial of service via improperly validated commands)
Comment 6 Jani Välimaa 2012-08-07 23:02:58 CEST
(In reply to comment #5)
> (In reply to comment #2)
> > CVE-2012-0049 is already fixed in mga1.
> 
> How so?  The changelog for the previously issued update only lists:
>   o CVE-2011-3343 (Multiple buffer overflows in validation of external data)
>   o CVE-2011-3342 (Buffer overflows in savegame loading)
>   o CVE-2011-3341 (Denial of service via improperly validated commands)

Sun Jan 15 2012 wally <wally> 1.1.0-1.2.mga1

+ Revision: 196505
- fix CVE-2012-0049 (Denial of service (server) via slow read attack)
Comment 7 David Walser 2012-08-07 23:04:12 CEST
(In reply to comment #6)
> (In reply to comment #5)
> > (In reply to comment #2)
> > > CVE-2012-0049 is already fixed in mga1.
> > 
> > How so?  The changelog for the previously issued update only lists:
> >   o CVE-2011-3343 (Multiple buffer overflows in validation of external data)
> >   o CVE-2011-3342 (Buffer overflows in savegame loading)
> >   o CVE-2011-3341 (Denial of service via improperly validated commands)
> 
> Sun Jan 15 2012 wally <wally> 1.1.0-1.2.mga1
> 
> + Revision: 196505
> - fix CVE-2012-0049 (Denial of service (server) via slow read attack)

Oh whoops, ok I looked at the wrong update :o) Thanks.
Comment 8 Dave Hodgins 2012-08-08 03:48:57 CEST
I couldn't get the crash to happen, as it wouldn't let me
put tracks on a square with part of it in water.

As the game is working, with no obvious regressions, I consider
testing complete on Mageia 2 i586.

Couldn't figure out how to change the font size, despite
editing the numbers in ~/.openttd/openttd.cfg, so had to
use kmag to be able to read the text.

I'll test Mageia 2 x86-64 shortly.
Comment 9 Dave Hodgins 2012-08-08 04:16:02 CEST
Testing complete on Mageia 2 x86-64.

I'll test Mageia 1 shortly.
Comment 10 Dave Hodgins 2012-08-08 04:43:31 CEST
Testing complete on Mageia 1 i586 and x86-64.

Could someone from the sysadmin team push the srpm
openttd-1.2.1-2.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
openttd-1.1.0-1.3.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory:  This security update for openttd corrects CVE-2012-0049
(Denial of service (server) via slow read attack).

https://bugs.mageia.org/show_bug.cgi?id=6981
Comment 11 Jani Välimaa 2012-08-08 08:22:47 CEST
(In reply to comment #10)
> 
> Advisory:  This security update for openttd corrects CVE-2012-0049
> (Denial of service (server) via slow read attack).
> 
> https://bugs.mageia.org/show_bug.cgi?id=6981

Oopsie, CVE-2012-0049 was fixed earlier.

This security update fixes CVE-2012-3436 (Denial of service (server) using ships on half tiles and landscaping).
Comment 12 David Walser 2012-08-08 14:10:11 CEST
(In reply to comment #11)
> (In reply to comment #10)
> > 
> > Advisory:  This security update for openttd corrects CVE-2012-0049
> > (Denial of service (server) via slow read attack).
> > 
> > https://bugs.mageia.org/show_bug.cgi?id=6981
> 
> Oopsie, CVE-2012-0049 was fixed earlier.
> 
> This security update fixes CVE-2012-3436 (Denial of service (server) using
> ships on half tiles and landscaping).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3436
http://security.openttd.org/en/CVE-2012-3436
http://www.debian.org/security/2012/dsa-2524
Comment 13 Dave Hodgins 2012-08-09 04:54:49 CEST
Just confirming to the sysadmin team: this update is ready to
push. I just copied the wrong advisory from above.

Could someone from the sysadmin team push the srpm
openttd-1.2.1-2.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
openttd-1.1.0-1.3.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: This security update fixes CVE-2012-3436 (Denial of
service (server) using ships on half tiles and landscaping).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3436
http://security.openttd.org/en/CVE-2012-3436
http://www.debian.org/security/2012/dsa-2524

https://bugs.mageia.org/show_bug.cgi?id=6981
Comment 14 Thomas Backlund 2012-08-12 21:18:19 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0212