Bug 176626 - BZFlag "callsign" Handling Denial of Service Vulnerability SA18238
Status: CLOSED RAWHIDE
Product: Fedora
Component: bzflag
Version: rawhide
Platform: All Linux
Priority: medium
Severity: medium
Assigned To: Nils Philippsen
QA Contact: Fedora Extras Quality Assurance
URL: http://secunia.com/advisories/18238/
Keywords: Security
Reported: 2005-12-27 16:35 EST by Ignacio Vazquez-Abrams
Modified: 2007-11-30 17:11 EST
Last Closed: 2005-12-28 07:37:19 EST
Doc Type: Bug Fix
Description Ignacio Vazquez-Abrams 2005-12-27 16:35:13 EST
"Luigi Auriemma has reported a vulnerability in BZFlag, which potentially can be
exploited by malicious people to cause a DoS (Denial of Service)."

"The vulnerability is caused due to an error in the server when handling
callsigns that are not NULL terminated. This may be exploited to crash the game
server on certain platforms via specially crafted callsigns sent from the game
client."

"The vulnerability has been reported in version 2.0.0 through 2.0.4."
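The advisory above describes a server crash triggered by callsigns that are not NUL-terminated. As an added example (not BZFlag's code, which is not shown on this page; the CALLSIGN_LEN width is a placeholder), a bounded reader that refuses such a field before any unbounded string function can run past it:

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical field width for this example; BZFlag's real constant is
 * not given on this page. */
#define CALLSIGN_LEN 32

/* Result codes for callsign validation. */
enum callsign_status {
    CALLSIGN_OK = 0,
    CALLSIGN_TRUNCATED = -1,    /* packet shorter than the field */
    CALLSIGN_UNTERMINATED = -2  /* no NUL anywhere inside the field */
};

/* Copy a fixed-width callsign field out of a received packet into a
 * buffer that is guaranteed to be NUL-terminated. Every check is bounded
 * by CALLSIGN_LEN, so an unterminated field (the case the advisory
 * describes) is rejected before strlen/strcpy could ever read past it. */
int read_callsign(const unsigned char *pkt, size_t pkt_len,
                  char out[CALLSIGN_LEN])
{
    if (pkt == NULL || out == NULL || pkt_len < CALLSIGN_LEN)
        return CALLSIGN_TRUNCATED;
    /* memchr stops after CALLSIGN_LEN bytes regardless of content. */
    if (memchr(pkt, '\0', CALLSIGN_LEN) == NULL)
        return CALLSIGN_UNTERMINATED;
    memcpy(out, pkt, CALLSIGN_LEN);   /* the terminator is inside the copy */
    return CALLSIGN_OK;
}
```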
Comment 1 Nils Philippsen 2005-12-28 06:56:25 EST
Vulnerable binary gives this on FC4:

*** glibc detected *** bzfs: malloc(): memory corruption: 0x095fff48 ***
======= Backtrace: =========
/lib/libc.so.6[0x9e20ea]
/lib/libc.so.6(malloc+0x74)[0x9e3492]
/usr/lib/libstdc++.so.6(_Znwj+0x26)[0xda5626]
bzfs(_Z9publicizev+0x26b)[0x815e5a3]
bzfs(_Z12removePlayeriPKcb+0x9bc)[0x8160358]
bzfs[0x816045b]
bzfs(_Z11sendMessageihPKc+0x1f0)[0x81615e2]
bzfs[0x8164edb]
bzfs[0x8165fbf]
bzfs(main+0x4d5f)[0x8171189]
/lib/libc.so.6(__libc_start_main+0xdf)[0x992d5f]
bzfs[0x8089e61]
Aborted
Comment 2 Nils Philippsen 2005-12-28 07:37:19 EST
I've backported the fix from CVS and apparently succeeded, cursory checking
gives that the new binary doesn't crash anymore. Fixes have been built/are
building in bzflag-2.0.4-2 for devel and bzflag-2.0.4-0.fc4.3 for FE4.
