Red Hat Bugzilla – Bug 192983
CVE-2006-2575 Remote termination security issue
Last modified: 2007-11-30 17:11:33 EST
The netPanzer server is subject to a DoS; it can be made to crash remotely.
Versions 0.8 and lower are vulnerable.
A CVE has not yet been assigned for this issue.
I'm not sure if I'd call a game that terminates unexpectedly a security risk.
But, to fix we should probably find out what values for FrameNum are acceptable
and who is causing the problem to fail the ASSERT().
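The remedy comment #1 sketches is to establish the acceptable range for the network-supplied FrameNum and reject anything outside it instead of letting an ASSERT() take the whole server down. The following is an added illustration of that pattern, not netPanzer's code and not the attached patch: the message layout, the field offset and the MAX_FRAME_NUM limit are all assumptions constructed for the example, and the three sample packets are likewise constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical message layout and limits, constructed for this example;
 * they are not netPanzer's actual wire format. */
#define FRAME_NUM_OFFSET 4          /* assumed: after a 4-byte header */
#define FRAME_NUM_LEN    2          /* assumed: little-endian uint16 */
#define MAX_FRAME_NUM    255        /* assumed: highest valid frame index */

enum { PKT_OK = 0, PKT_TRUNCATED = -1, PKT_BAD_FRAME = -2 };

/* Parse the frame number out of a client packet. An out-of-range value is
 * reported to the caller, who drops the packet, instead of being checked
 * with ASSERT(), which would terminate the process on crafted input. */
int parse_frame_num(const uint8_t *buf, size_t len, unsigned *frame_out)
{
    if (buf == NULL || len < FRAME_NUM_OFFSET + FRAME_NUM_LEN)
        return PKT_TRUNCATED;       /* never read past the buffer */

    unsigned frame = (unsigned)buf[FRAME_NUM_OFFSET]
                   | ((unsigned)buf[FRAME_NUM_OFFSET + 1] << 8);

    if (frame > MAX_FRAME_NUM)
        return PKT_BAD_FRAME;       /* reject the packet, keep running */

    *frame_out = frame;
    return PKT_OK;
}

/* Counter a server would expose so rejected packets show up in its logs
 * or stats rather than disappearing silently. */
static unsigned rejected_packets;

int handle_client_packet(const uint8_t *buf, size_t len, unsigned *frame_out)
{
    int rc = parse_frame_num(buf, len, frame_out);
    if (rc != PKT_OK)
        rejected_packets++;
    return rc;
}

unsigned rejected_packet_count(void) { return rejected_packets; }

/* Constructed sample packets: 4-byte header followed by the frame field. */
static const uint8_t sample_valid[]   = { 0x01, 0x00, 0x02, 0x00, 0x07, 0x00 };
static const uint8_t sample_crafted[] = { 0x01, 0x00, 0x02, 0x00, 0xff, 0xff };
static const uint8_t sample_short[]   = { 0x01, 0x00, 0x02 };

int demo_valid(unsigned *f)   { return handle_client_packet(sample_valid,   sizeof sample_valid,   f); }
int demo_crafted(unsigned *f) { return handle_client_packet(sample_crafted, sizeof sample_crafted, f); }
int demo_short(unsigned *f)   { return handle_client_packet(sample_short,   sizeof sample_short,   f); }

int main(void)
{
    unsigned f = 0;
    printf("valid:   rc=%d frame=%u\n", demo_valid(&f), f);
    printf("crafted: rc=%d\n", demo_crafted(&f));
    printf("short:   rc=%d\n", demo_short(&f));
    printf("rejected packets: %u\n", rejected_packet_count());
    return 0;
}
```

The point of the design is that the limit lives in the protocol handler, where the packet can be discarded and the event counted, rather than in an assertion that was written for programmer errors and treats any violation as unrecoverable.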
(In reply to comment #1)
> I'm not sure if I'd call a game that terminates unexpectedly a security risk.
Any less than we'd call a web server that terminates unexpectedly a security
risk? But hey, if folks want to agree that we don't add remote termination
issues for "noncritical" applications (along with a definition of just what is
considered noncritical) then I'll abide by that. Does the perception change if
a CVE is issued?
Any fixes would be good to include. I'm currently watching this issue, as I am
not a good programmer, I can't look at the source code at the time. However
I'll try to make some efforts on this. If you have any updates, tell me.
Regarding bug #192990, I'll look, make a patch from svn and update the
release. Thanks for the attention.
Created attachment 130628
Patch fixing this CVE
Since no-one else was doing it I've taken a look at this, the result being the
attached patch, which fixes this.
I confirmed the crash with the exploit given in the URL above, and checked that
it no longer crashes with this patch.
I however did not check if this influences play in any way; someone who actually
plays the game should test this, especially the flag selection for a player.
Although I believe that there should be no influence.
What's going on with getting the fix for the other vulnerability from SVN?
Package fixed. Closing. Thanks!