Date: Sat, 28 Jul 2012 15:35:01 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: frosch <frosch@...nttd.org>
Subject: Re: CVE request for OpenTTD


On 07/28/2012 04:53 AM, frosch wrote:
> 
>> On 07/27/2012 03:42 PM, frosch wrote:
>>> Hello,
>>> 
>>> we, the OpenTTD developers, have identified a security 
>>> vulnerability in OpenTTD (an open source game with
>>> multiplayer). Would you be so kind as to allocate a CVE id for
>>> this issue?
>>> 
>>> The issue concerns a denial of service vulnerability which
>>> enables an attacker to force the server into an invalid game
>>> state. The server will abort upon detecting this state. This
>>> attack can be performed using an unmodified client via normal
>>> game interaction. The attack requires authorization, but most
>>> servers do not implement authorization. The first vulnerable
>>> version is 0.6.0, the upcoming 1.2.2 release will have the
>>> issue fixed.
>>> 
>>> Once a CVE id is allocated, the issue and fix will be
>>> documented at http://security.openttd.org/CVE-2012-xxxx
>>> 
>>> Thanks in advance, Christoph 'frosch' Elsenhans
>>> 
>>> (Please CC me, I'm not subscribed)
>> 
>> Sorry can you please provide links to an advisory, code commit,
>> or something so we have a reference?
>> 
> trunk commit: http://vcs.openttd.org/svn/changeset/24439/
> Bug report: http://bugs.openttd.org/task/5254
> 
> Later on http://security.openttd.org/CVE-2012-xxxx will supply
> patches for all vulnerable versions, and also link to the bug
> tracker and related commits.
> 
> Regards

Perfect, thanks. Please use CVE-2012-3436 for this issue.

P.S. with respect to "In some cases ships could be covered with land."
couldn't the ship sail into a cave or overhanging cliff? ;)


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

