[Freeciv-Dev] [bug #20003] Security advisory (CVE-2012-5645, CVE-2012-6083)

2013-04-07 Thread Jacob Nevins
Update of bug #20003 (project freeciv): Summary: Security advisory => Security advisory (CVE-2012-5645, CVE-2012-6083). Reply to this item at: http://gna.org/bugs/?20003

[Freeciv-Dev] [bug #20003] Security advisory

2013-03-29 Thread Jacob Nevins
Update of bug #20003 (project freeciv): Severity: 3 - Normal => 6 - Security

[Freeciv-Dev] [bug #20003] Security advisory

2013-02-17 Thread Jacob Nevins
Follow-up Comment #24, bug #20003 (project freeciv): (Since this is a security bug: for those watching at home: the post-commit discussion here spawned a bunch of patches intended to make the low-level protocol handling more obvious and the endpoints less tolerant of malformation, e.g. patch

[Freeciv-Dev] [bug #20003] Security advisory

2013-02-03 Thread pepeto
Follow-up Comment #23, bug #20003 (project freeciv): IIRC return value is solely about whether data was available (and read). These low-level functions do not know what data is valid. Maybe dio_get_uint8() has a bug? I think so. I will try to investigate a bit deeper... Usually lack of

[Freeciv-Dev] [bug #20003] Security advisory

2013-02-02 Thread Marko Lindqvist
Follow-up Comment #22, bug #20003 (project freeciv): What value does dio_get_xxx() return? According to your comment, I understand that these functions return TRUE if the value is read and valid. However, the code doesn't match this (for example, dio_get_uint8() can return TRUE even if

[Freeciv-Dev] [bug #20003] Security advisory

2013-02-01 Thread pepeto
Follow-up Comment #21, bug #20003 (project freeciv): Well, third one is what I've planned to do for a long time*: give dio_get_xxx() functions return values telling if they succeeded or failed. Patch attached. *) According to very old TODO I had actually foreseen possibility of infinite

[Freeciv-Dev] [bug #20003] Security advisory

2013-01-02 Thread Jacob Nevins
Update of bug #20003 (project freeciv): Open/Closed: Open => Closed; Operating System: None => Any. Follow-up Comment #20: They've now

[Freeciv-Dev] [bug #20003] Security advisory

2012-12-19 Thread Jacob Nevins
Follow-up Comment #18, bug #20003 (project freeciv): These security issues have apparently been assigned the ID CVE-2012-5645 -- see here http://seclists.org/oss-sec/2012/q4/484. (At time of writing it's not associated with Freeciv in the master database

[Freeciv-Dev] [bug #20003] Security advisory

2012-12-19 Thread Marko Lindqvist
Follow-up Comment #19, bug #20003 (project freeciv): CVE-2012-5645 They had missed the fact that two issues were reported in this single ticket. CVE description contained both, but they provided only one fix. I informed them about this. I assume they will assign new CVE to the other half

[Freeciv-Dev] [bug #20003] Security advisory

2012-08-17 Thread Patrick Welche
Follow-up Comment #17, bug #20003 (project freeciv): I have checked your patches against the exploits and they do fix it: 2: Lost connection: c1 from localhost (illegal packet size). for part 1, instead of the out of memory error, and 1: Receiving packet_player_info at the server. 1: Received

[Freeciv-Dev] [bug #20003] Security advisory

2012-08-03 Thread Marko Lindqvist
Update of bug #20003 (project freeciv): Status: Ready For Test => Fixed. Follow-up Comment #16: Patches have been committed, but I'm not closing this ticket until it's checked that there's no

[Freeciv-Dev] [bug #20003] Security advisory

2012-07-31 Thread Patrick Welche
Follow-up Comment #3, bug #20003 (project freeciv): Thank you for your patch which fixes part A]. As to part B], it seems that the infinite loop comes from this part of common/generate_packets.py:

    else:
        return '''
    for (;;) {
      int i;

[Freeciv-Dev] [bug #20003] Security advisory

2012-07-31 Thread Marko Lindqvist
Follow-up Comment #9, bug #20003 (project freeciv): (What seems odd is that the exploit seems to send many 0xff's, and I would have expected the opposite) Problem is that in error situation - when there's no more data - dio_get_uint8() returns 0, not 255. So if there's not enough data, it will

[Freeciv-Dev] [bug #20003] Security advisory

2012-07-31 Thread Marko Lindqvist
Follow-up Comment #10, bug #20003 (project freeciv): I see two possible ways to fix this. Well, third one is what I've planned to do for a long time*: give dio_get_xxx() functions return values telling if they succeeded or failed. Patch attached. *) According to very old TODO I had actually

[Freeciv-Dev] [bug #20003] Security advisory

2012-07-31 Thread Marko Lindqvist
Update of bug #20003 (project freeciv): Status: None => Ready For Test

[Freeciv-Dev] [bug #20003] Security advisory

2012-07-29 Thread Patrick Welche
URL: http://gna.org/bugs/?20003 Summary: Security advisory Project: Freeciv Submitted by: prlw1 Submitted on: Sun Jul 29 18:41:34 2012 Category: general Severity: 3 - Normal Priority: 5 -

[Freeciv-Dev] [bug #20003] Security advisory

2012-07-29 Thread Marko Lindqvist
Follow-up Comment #1, bug #20003 (project freeciv): is this still news? Yes. It would be nice if those who already invest so much time to investigate security and write advisories would bother to inform us too so that these things would get also fixed. Fix for A] for S2_3, S2_4 and TRUNK

[Freeciv-Dev] [bug #20003] Security advisory

2012-07-29 Thread Marko Lindqvist
Update of bug #20003 (project freeciv): Planned Release: => 2.0.11, 2.2.8, 2.3.3, 2.4.0, 2.5.0. Follow-up Comment #2: - Fix for A], S2_2 and S2_0 version. (file #16242)