Bug 8623 - freeciv new security issues CVE-2012-5645 and CVE-2012-6083
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: All Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/531754/
Whiteboard: has_procedure mga2-32-OK mga2-64-OK
Keywords: validated_update
Reported: 2013-01-07 21:19 CET by David Walser
Modified: 2013-01-14 22:25 CET
Source RPM: freeciv-2.3.1-1.mga2.src.rpm

Description David Walser 2013-01-07 21:19:19 CET
Fedora has issued an advisory on December 19:
http://lists.fedoraproject.org/pipermail/package-announce/2013-January/095378.html

The issue is fixed upstream in 2.3.3 (which we have in Cauldron).

The Red Hat bug links the upstream change that fixed it:
https://bugzilla.redhat.com/show_bug.cgi?id=888331
Comment 1 David Walser 2013-01-10 20:12:31 CET
The Red Hat bug has some misinformation.  The fix they linked is actually CVE-2012-6083, and the fix for CVE-2012-5645 was in a different commit.  Debian has the details here:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696306
Comment 2 David Walser 2013-01-10 20:22:43 CET
Patched package uploaded for Mageia 2.

Advisory:
========================

Updated freeciv packages fix security vulnerabilities:

Malformed network packets could cause denial of service (memory exhaustion or
CPU-bound loop) in Freeciv before 2.3.3 (CVE-2012-5645, CVE-2012-6083).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5645
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6083
http://freeciv.wikia.com/wiki/NEWS-2.3.3
========================

Updated packages in core/updates_testing:
========================
freeciv-data-2.3.1-1.2.mga2
freeciv-client-2.3.1-1.2.mga2
freeciv-server-2.3.1-1.2.mga2

from freeciv-2.3.1-1.2.mga2.src.rpm
Comment 3 claire robinson 2013-01-14 14:37:31 CET
Probable PoC: http://aluigi.org/poc/freecivet.zip
Comment 4 claire robinson 2013-01-14 15:16:29 CET
Testing complete mga2 32

Extracted freecivet.c

Compiled with

$ gcc -o freecivet freecivet.c
$ ./freecivet

Freeciv <= 2.2.1 Denials of Service 0.1
by Luigi Auriemma
e-mail: aluigi@autistici.org
web:    aluigi.org


Usage: ./freecivet <bug> <host> [port(5556)]

Bugs:
 1 = malloc exception
 2 = endless loop

Before
------

Started freeciv and started a local game so it started the server.
Confirmed the malloc crash using the command below.

./freecivet 1 localhost 5556

Changing the bug to 2 didn't seem to have any effect, unless it consumes resources very slowly but I can't see anything here under 'top'.

After
-----
PoC has no effect
Comment 5 claire robinson 2013-01-14 15:37:12 CET
Testing complete mga2 64

Testing as above.

Not sure what I'm doing with the game but clicking the Turn Done button changes the year each time.

Validating

Advisory & SRPM in comment 2

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Comment 6 Thomas Backlund 2013-01-14 22:25:34 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0005
