| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4FB55F89.3010107@redhat.com>
Date: Thu, 17 May 2012 14:28:57 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Andres Gomez <agomez@...idsignal.com>, bugtraq@...urityfocus.com,
vuln@...unia.com
Subject: Re: [oss-security] CVE Request: Planeshift buffer overflow
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 05/17/2012 08:52 AM, Andres Gomez wrote:
> Name: Stack-based buffer overflow in Planeshift 0.5.9 and earlier
> Software: Planeshift 0.5.9 Software link:
> http://www.planeshift.it/ Vulnerability Type: Buffer overflow
>
> Vulnerability Details:
>
> There is a buffer overflow in planeshift/src/client/chatbubbles.cpp
> line 223:
>
> . . .
>
> // align csString align = chatNode->GetAttributeValue("align");
> align.Downcase(); if (align == "right") chat.textSettings.align =
> ETA_RIGHT; else if (align == "center") chat.textSettings.align =
> ETA_CENTER; else chat.textSettings.align = ETA_LEFT;
>
> // prefix 223> strcpy(chat.effectPrefix,
> chatNode->GetAttributeValue("effectPrefix"));
>
> //enabled . . .
>
> this line reads a tag inside chatbubbles.xml called effectPrefix.
> If that string is very long, for example:
>
> <chat type="say" enabled="yes" colourR="186" colourG="168"
> colourB="126" shadowR="108" shadowG="98" shadowB="73" align="left"
> effectPrefix="chatbubble_AAAAA....AAAAA" />
>
> It will overwrite effectPrefix[64] buffer, which can lead even to
> arbitrary code execution.
>
>
> Could a CVE be assigned to this issue?
I'm not familiar with this software (it's a game?) the chat bubbles,
can they come from remote users (like some sort of internal game chat)?
> Thanks,
>
> Andres Gomez.
>
- --
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQIcBAEBAgAGBQJPtV+JAAoJEBYNRVNeJnmTRtcP/R+w6vfmWPlfF2DDjxmOS25f
qpAnIWXWQWAQ0xv1AJbbeuCd/ChnYG6BHiRpe3RQFHm2LeFJugfWIMrwJyWyVkuD
cf4/5+hxhc7tY8vze51C9budUQZoeo+jalGt5eoOk0mCUqDR2RoLn8Pg2UEzsloO
HNNWlWJ2xP3Qt2cuHbBMQIa3RUA0vFh+cUSP2mvLe//pS/FljLt5k78kV1wzAUEw
DsuxNYoNJ5DoMWSCltsXSsN0tbIGr5vlHkHkWfXzs7POB2dRtJakJj30AkPdpt7r
FZuwoEuvPRsLgrNa6LFpnsbFI9Bw0St3K+XKm+upa0S0o8plI/iUYFhuZOdTkpyf
GaHtSpRoeVZgW8M/yvM3k3Lh/nPywI/ORBrdLcELrgrjMTh/rMyAgh4IBYTYNpaX
Lyca8ZigbmyHzgWF8v/oujdu+9Pu9sdxlPxLMBv9omYa9Sqr8M6U0+OPbXDYzJD1
NQ1ReT2YYQml/KcX3H9/IQ9TL+/1/lpWnY5pEbx6ya/X7jVNKkkDOBAkwkSzgEgD
x5xYC8hxhXSDov3iIpzeZBlN3shRP+BKXCbhbb9ZxPN0fOI8IuJNVUaSzAxTQb5f
+jJuoWVkdr2Rp5cmOonX1wFo1LRvNH8ZD6FXOb+ano+Hwktm+aJCjyxpSSmqXOHb
mYPLwJ9J3ZupuIgFY/lx
=EgCI
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists