Andrew Fuchs wrote:
> Umm, was this the flaw I discovered, or is it a new one?

The fact it says versions >= 1.9.0 are not affected would seem to suggest that this isn't a problem anymore. But I'm not sure exactly what bug this is describing.

> ---------- Forwarded message ----------
> From: Thierry Carrez <[EMAIL PROTECTED]>
> Date: Apr 22, 2006 4:12 PM
> Subject: [gentoo-announce] [ GLSA 200604-11 ] Crossfire server: Denial
> of Service and potential arbitrary code execution
> To: [email protected]
> Cc: [email protected], [email protected],
> [EMAIL PROTECTED]
>
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> Gentoo Linux Security Advisory                           GLSA 200604-11
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>                                             http://security.gentoo.org/
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>
>   Severity: High
>      Title: Crossfire server: Denial of Service and potential arbitrary
>             code execution
>       Date: April 22, 2006
>       Bugs: #126169
>         ID: 200604-11
>
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>
> Synopsis
> ========
>
> The Crossfire game server is vulnerable to a Denial of Service and
> potentially to the execution of arbitrary code.
>
> Background
> ==========
>
> Crossfire is a cooperative multiplayer graphical adventure and
> role-playing game. The Crossfire game server allows various compatible
> clients to connect to participate in a cooperative game.
>
> Affected packages
> =================
>
>     -------------------------------------------------------------------
>      Package                        /  Vulnerable  /         Unaffected
>     -------------------------------------------------------------------
>   1  games-server/crossfire-server      < 1.9.0                >= 1.9.0
>
> Description
> ===========
>
> Luigi Auriemma discovered a vulnerability in the Crossfire game server,
> in the handling of the "oldsocketmode" option when processing overly
> large requests.
>
> Impact
> ======
>
> An attacker can set up a malicious Crossfire client that would send a
> large request in "oldsocketmode", resulting in a Denial of Service on
> the Crossfire server and potentially in the execution of arbitrary code
> on the server with the rights of the game server.
>
> Workaround
> ==========
>
> There is no known workaround at this time.
>
> Resolution
> ==========
>
> All Crossfire server users should upgrade to the latest version:
>
>     # emerge --sync
>     # emerge --ask --oneshot --verbose ">=games-server/crossfire-server-1.9.0"
>
> References
> ==========
>
>   [ 1 ] CVE-2006-1010
>         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1010
>
> Availability
> ============
>
> This GLSA and any updates to it are available for viewing at
> the Gentoo Security Website:
>
>   http://security.gentoo.org/glsa/glsa-200604-11.xml
>
> Concerns?
> =========
>
> Security is a primary focus of Gentoo Linux and ensuring the
> confidentiality and security of our users' machines is of utmost
> importance to us. Any security concerns should be addressed to
> [EMAIL PROTECTED] or alternatively, you may file a bug at
> http://bugs.gentoo.org.
>
> License
> =======
>
> Copyright 2006 Gentoo Foundation, Inc; referenced text
> belongs to its owner(s).
>
> The contents of this document are licensed under the
> Creative Commons - Attribution / Share Alike license.
>
> http://creativecommons.org/licenses/by-sa/2.0
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> crossfire mailing list
> [email protected]
> http://mailman.metalforge.org/mailman/listinfo/crossfire

