Date: Sat, 28 Jul 2012 15:35:01 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: frosch <frosch@...nttd.org>
Subject: Re: CVE request for OpenTTD

On 07/28/2012 04:53 AM, frosch wrote:
>
>> On 07/27/2012 03:42 PM, frosch wrote:
>>> Hello,
>>>
>>> we, the OpenTTD developers, have identified a security
>>> vulnerability in OpenTTD (an open source game with
>>> multiplayer). Would you be so kind as to allocate a CVE id for
>>> this issue?
>>>
>>> The issue concerns a denial of service vulnerability which
>>> enables an attacker to force the server into an invalid game
>>> state. The server will abort upon detecting this state. This
>>> attack can be performed using an unmodified client via normal
>>> game interaction. The attack requires authorization, but most
>>> servers do not implement authorization. The first vulnerable
>>> version is 0.6.0, the upcoming 1.2.2 release will have the
>>> issue fixed.
>>>
>>> Once a CVE id is allocated, the issue and fix will be
>>> documented at http://security.openttd.org/CVE-2012-xxxx
>>>
>>> Thanks in advance, Christoph 'frosch' Elsenhans
>>>
>>> (Please CC me, I'm not subscribed)
>>
>> Sorry can you please provide links to an advisory, code commit,
>> or something so we have a reference?
>>
> trunk commit: http://vcs.openttd.org/svn/changeset/24439/
> Bug report: http://bugs.openttd.org/task/5254
>
> Later on http://security.openttd.org/CVE-2012-xxxx will supply
> patches for all vulnerable versions, and also link to the bug
> tracker and related commits.
>
> Regards

Perfect, thanks. Please use CVE-2012-3436 for this issue.

P.S. with respect to "In some cases ships could be covered with
land." couldn't the ship sail into a cave or over hanging cliff? ;)

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993