commit prboom-plus for openSUSE:Factory

root Tue, 09 Jun 2020 15:55:49 -0700

Hello community,

here is the log from the commit of package prboom-plus for openSUSE:Factory 
checked in at 2020-06-10 00:54:19
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/prboom-plus (Old)
 and      /work/SRC/openSUSE:Factory/.prboom-plus.new.3606 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


Package is "prboom-plus"

Wed Jun 10 00:54:19 2020 rev:12 rq:813049 version:2.5.1.5+svn4532

Changes:
--------
--- /work/SRC/openSUSE:Factory/prboom-plus/prboom-plus.changes  2020-06-09 
00:05:50.185540187 +0200
+++ /work/SRC/openSUSE:Factory/.prboom-plus.new.3606/prboom-plus.changes        
2020-06-10 00:54:42.663928171 +0200
@@ -1,0 +2,6 @@
+Tue Jun  9 20:32:48 UTC 2020 - Jan Engelhardt <[email protected]>
+
+- Add 0001-fix-heap-buffer-overflows-in-UDP-code-CVE-2019-20797.patch
+  [CVE-2019-20797, boo#1171974]
+
+-------------------------------------------------------------------

New:
----
  0001-fix-heap-buffer-overflows-in-UDP-code-CVE-2019-20797.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ prboom-plus.spec ++++++
--- /var/tmp/diff_new_pack.So9vSk/_old  2020-06-10 00:54:44.931934041 +0200
+++ /var/tmp/diff_new_pack.So9vSk/_new  2020-06-10 00:54:44.931934041 +0200
@@ -25,6 +25,7 @@
 URL:            http://prboom-plus.sf.net/
 
 #SVN-Clone:    https://svn.prboom.org/repos/branches/prboom-plus-24/prboom2
+#Sibling-Prj:  https://github.com/coelckers/prboom-plus (umapinfo fork)
 #DL-URL:       http://downloads.sf.net/prboom-plus/prboom-plus-2.5.1.4.tar.gz
 Source:         prboom2-%version.tar.xz
 Patch1:         prboom-nodatetime.diff
@@ -34,6 +35,7 @@
 Patch6:         prboom-hbar-color.diff
 Patch7:         prboom-hbar-all.diff
 Patch8:         prboom-hbar-gradient.diff
+Patch9:         0001-fix-heap-buffer-overflows-in-UDP-code-CVE-2019-20797.patch
 BuildRequires:  Mesa-devel
 BuildRequires:  automake
 BuildRequires:  fluidsynth-devel

++++++ 0001-fix-heap-buffer-overflows-in-UDP-code-CVE-2019-20797.patch ++++++
>From 1a081d10e6c71a5b5b2db76081227677f06b47b3 Mon Sep 17 00:00:00 2001
From: Fabian Greffrath <[email protected]>
Date: Mon, 1 Jun 2020 09:53:23 +0200
Subject: [PATCH] fix heap buffer overflows in UDP code (CVE-2019-20797) (#85)
Origin: https://github.com/coelckers/prboom-plus

* fix heap buffer overflows in UDP code (CVE-2019-20797)

* Limit length of buffer passed over to ChecksumPacket().
  Patch taken from the OP at https://logicaltrust.net/blog/2019/10/prboom1.html

* Never send more than one second worth of tics (i.e. 35) in both the
  main() routine in d_server.c and NetUpdate() in d_client.c.
  This avoids overflows of the allocated UDF buffer with a fixed size
  of 10000 bytes. Theoretically, up to about 35 seconds could be sent in the
  client code and up to about 7 seconds in the server code, but the
  network game would be unplayable with such a lag anyway.

  Client code: pkt_size = 8 + 2 + X * 8 (= 9810 for X = 35*35)
  Server code: pkt_size = 8 + 1 + X * (1 + 4 * (1 + 8)) (= 9074 for X = 7 * 35)

Fixes: #84

* limit number of sent tics to 128

* fix brain bug
---
 src/SDL/i_network.c | 2 +-
 src/d_client.c      | 2 +-
 src/d_server.c      | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/SDL/i_network.c b/src/SDL/i_network.c
index 89edab78..7e02706a 100644
--- a/src/SDL/i_network.c
+++ b/src/SDL/i_network.c
@@ -240,7 +240,7 @@ size_t I_GetPacket(packet_header_t* buffer, size_t buflen)
   checksum=buffer->checksum;
   buffer->checksum=0;
   if ( (status!=0) && (len>0)) {
-    byte psum = ChecksumPacket(buffer, udp_packet->len);
+    byte psum = ChecksumPacket(buffer, len); // 
https://logicaltrust.net/blog/2019/10/prboom1.html
 /*    fprintf(stderr, "recvlen = %u, stolen = %u, csum = %u, psum = %u\n",
   udp_packet->len, len, checksum, psum); */
     if (psum == checksum) return len;
diff --git a/src/d_client.c b/src/d_client.c
index 7ce74d4e..054bc595 100644
--- a/src/d_client.c
+++ b/src/d_client.c
@@ -351,7 +351,7 @@ void NetUpdate(void)
       int sendtics;
       remotesend -= xtratics;
       if (remotesend < 0) remotesend = 0;
-      sendtics = maketic - remotesend;
+      sendtics = MIN(maketic - remotesend, 128); // limit number of sent tics 
(CVE-2019-20797)
       {
   size_t pkt_size = sizeof(packet_header_t) + 2 + sendtics * sizeof(ticcmd_t);
   packet_header_t *packet = Z_Malloc(pkt_size, PU_STATIC, NULL);
diff --git a/src/d_server.c b/src/d_server.c
index 1269a861..39c2e3cd 100644
--- a/src/d_server.c
+++ b/src/d_server.c
@@ -682,7 +682,7 @@ int main(int argc, char** argv)
       int tics;
       if (lowtic <= remoteticto[i]) continue;
       if ((remoteticto[i] -= xtratics) < 0) remoteticto[i] = 0;
-      tics = lowtic - remoteticto[i];
+      tics = MIN(lowtic - remoteticto[i], 128); // limit number of sent tics 
(CVE-2019-20797)
       {
         byte *p;
         packet = malloc(sizeof(packet_header_t) + 1 +
-- 
2.26.2

commit prboom-plus for openSUSE:Factory

Reply via email to