Bug#970583: marked as done (buster-pu: package chocolate-doom/3.0.0-4+deb10u1)

Sat, 26 Sep 2020 03:43:43 -0700 

Your message dated Sat, 26 Sep 2020 11:36:30 +0100
with message-id 
<d50ba4de424290cd2840a09ef19950156fcf51ab.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 10.6 point release
has caused the Debian Bug report #970583,
regarding buster-pu: package chocolate-doom/3.0.0-4+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
970583: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970583
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: buster
User: [email protected]
Usertags: pu
X-Debbugs-Cc: [email protected]

Fix for CVE-2020-14983, which doesn't really warrant a DSA.

Debdiff attached.

Cheers,
        Moritz

diff -Nru chocolate-doom-3.0.0/debian/changelog 
chocolate-doom-3.0.0/debian/changelog
--- chocolate-doom-3.0.0/debian/changelog       2018-02-14 22:16:30.000000000 
+0100
+++ chocolate-doom-3.0.0/debian/changelog       2020-09-18 20:26:53.000000000 
+0200
@@ -1,3 +1,9 @@
+chocolate-doom (3.0.0-4+deb10u1) buster; urgency=medium
+
+  * CVE-2020-14983
+
+ -- Moritz Mühlenhoff <[email protected]>  Fri, 18 Sep 2020 20:26:53 +0200
+
 chocolate-doom (3.0.0-4) unstable; urgency=medium
 
   * Backport patch from upstream GIT to build bash-completion
diff -Nru chocolate-doom-3.0.0/debian/patches/0019-CVE-2020-14983.patch 
chocolate-doom-3.0.0/debian/patches/0019-CVE-2020-14983.patch
--- chocolate-doom-3.0.0/debian/patches/0019-CVE-2020-14983.patch       
1970-01-01 01:00:00.000000000 +0100
+++ chocolate-doom-3.0.0/debian/patches/0019-CVE-2020-14983.patch       
2020-09-18 17:25:58.000000000 +0200
@@ -0,0 +1,70 @@
+From f1a8d991aa8a14afcb605cf2f65cd15fda204c56 Mon Sep 17 00:00:00 2001
+From: Fabian Greffrath <[email protected]>
+Date: Wed, 24 Jun 2020 12:45:03 +0200
+Subject: [PATCH 1/2] net: fix missing server-side num_players validation
+ (CVE-2020-14983)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The server in Chocolate Doom 3.0.0 and Crispy Doom 5.8.0 doesn't
+validate the user-controlled num_players value, leading to a buffer
+overflow. A malicious user can overwrite the server's stack.
+
+Fixes CVE-2020-14983, found by Michał Dardas from LogicalTrust.
+
+Fixes: #1293.
+---
+ src/net_structrw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/net_structrw.c b/src/net_structrw.c
+index 437bc71a5..2dbd2740a 100644
+--- a/src/net_structrw.c
++++ b/src/net_structrw.c
+@@ -116,7 +116,7 @@ boolean NET_ReadSettings(net_packet_t *packet, 
net_gamesettings_t *settings)
+         return false;
+     }
+ 
+-    for (i = 0; i < settings->num_players; ++i)
++    for (i = 0; i < settings->num_players && i < NET_MAXPLAYERS; ++i)
+     {
+         if (!NET_ReadInt8(packet,
+                           (unsigned int *) &settings->player_classes[i]))
+
+From 54fb12eeaa7d527defbe65e7e00e37d5feb7c597 Mon Sep 17 00:00:00 2001
+From: Fabian Greffrath <[email protected]>
+Date: Wed, 24 Jun 2020 12:49:14 +0200
+Subject: [PATCH 2/2] net: fix missing client-side ticdup validation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The client does not validate settings coming from the server. The
+ticdup value is used as a divider in arithmetic operations. If the
+server sends this value equal to zero, the client will crash with a
+Floating Pointer Exception.
+
+Found by Michał Dardas from LogicalTrust.
+
+Fixes: #1292.
+---
+ src/d_loop.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/d_loop.c b/src/d_loop.c
+index 61a42d546..b963054a4 100644
+--- a/src/d_loop.c
++++ b/src/d_loop.c
+@@ -413,6 +413,11 @@ void D_StartNetGame(net_gamesettings_t *settings,
+     ticdup = settings->ticdup;
+     new_sync = settings->new_sync;
+ 
++    if (ticdup < 1)
++    {
++        I_Error("D_StartNetGame: invalid ticdup value (%d)", ticdup);
++    }
++
+     // TODO: Message disabled until we fix new_sync.
+     //if (!new_sync)
+     //{
diff -Nru chocolate-doom-3.0.0/debian/patches/series 
chocolate-doom-3.0.0/debian/patches/series
--- chocolate-doom-3.0.0/debian/patches/series  2018-02-14 21:20:05.000000000 
+0100
+++ chocolate-doom-3.0.0/debian/patches/series  2020-09-18 17:26:46.000000000 
+0200
@@ -17,3 +17,4 @@
 0018-hexen-Remove-test-code-mistakenly-added.patch
 0017-hexen-Fix-spelling-error.patch
 0001-bash-completion-Build-from-actual-shell-script-templ.patch
+0019-CVE-2020-14983.patch

--- End Message ---
--- Begin Message --- 
Package: release.debian.org
Version: 10.6

Hi,

Each of these bugs relates to an update that was included in today's
stable point release.

Regards,

Adam

--- End Message ---

Reply via email to