[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#970583: marked as done (buster-pu: package chocolate-doom/3.0.0-4+deb10u1)

Your message dated Sat, 26 Sep 2020 11:36:30 +0100
with message-id <d50ba4de424290cd2840a09ef19950156fcf51ab.camel@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 10.6 point release
has caused the Debian Bug report #970583,
regarding buster-pu: package chocolate-doom/3.0.0-4+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
970583: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970583
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: fabian@debian.org

Fix for CVE-2020-14983, which doesn't really warrant a DSA.

Debdiff attached.

Cheers,
        Moritz

diff -Nru chocolate-doom-3.0.0/debian/changelog chocolate-doom-3.0.0/debian/changelog
--- chocolate-doom-3.0.0/debian/changelog	2018-02-14 22:16:30.000000000 +0100
+++ chocolate-doom-3.0.0/debian/changelog	2020-09-18 20:26:53.000000000 +0200
@@ -1,3 +1,9 @@
+chocolate-doom (3.0.0-4+deb10u1) buster; urgency=medium
+
+  * CVE-2020-14983
+
+ -- Moritz Mühlenhoff <jmm@debian.org>  Fri, 18 Sep 2020 20:26:53 +0200
+
 chocolate-doom (3.0.0-4) unstable; urgency=medium
 
   * Backport patch from upstream GIT to build bash-completion
diff -Nru chocolate-doom-3.0.0/debian/patches/0019-CVE-2020-14983.patch chocolate-doom-3.0.0/debian/patches/0019-CVE-2020-14983.patch
--- chocolate-doom-3.0.0/debian/patches/0019-CVE-2020-14983.patch	1970-01-01 01:00:00.000000000 +0100
+++ chocolate-doom-3.0.0/debian/patches/0019-CVE-2020-14983.patch	2020-09-18 17:25:58.000000000 +0200
@@ -0,0 +1,70 @@
+From f1a8d991aa8a14afcb605cf2f65cd15fda204c56 Mon Sep 17 00:00:00 2001
+From: Fabian Greffrath <fabian@greffrath.com>
+Date: Wed, 24 Jun 2020 12:45:03 +0200
+Subject: [PATCH 1/2] net: fix missing server-side num_players validation
+ (CVE-2020-14983)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The server in Chocolate Doom 3.0.0 and Crispy Doom 5.8.0 doesn't
+validate the user-controlled num_players value, leading to a buffer
+overflow. A malicious user can overwrite the server's stack.
+
+Fixes CVE-2020-14983, found by Michał Dardas from LogicalTrust.
+
+Fixes: #1293.
+---
+ src/net_structrw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/net_structrw.c b/src/net_structrw.c
+index 437bc71a5..2dbd2740a 100644
+--- a/src/net_structrw.c
++++ b/src/net_structrw.c
+@@ -116,7 +116,7 @@ boolean NET_ReadSettings(net_packet_t *packet, net_gamesettings_t *settings)
+         return false;
+     }
+ 
+-    for (i = 0; i < settings->num_players; ++i)
++    for (i = 0; i < settings->num_players && i < NET_MAXPLAYERS; ++i)
+     {
+         if (!NET_ReadInt8(packet,
+                           (unsigned int *) &settings->player_classes[i]))
+
+From 54fb12eeaa7d527defbe65e7e00e37d5feb7c597 Mon Sep 17 00:00:00 2001
+From: Fabian Greffrath <fabian@greffrath.com>
+Date: Wed, 24 Jun 2020 12:49:14 +0200
+Subject: [PATCH 2/2] net: fix missing client-side ticdup validation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The client does not validate settings coming from the server. The
+ticdup value is used as a divider in arithmetic operations. If the
+server sends this value equal to zero, the client will crash with a
+Floating Pointer Exception.
+
+Found by Michał Dardas from LogicalTrust.
+
+Fixes: #1292.
+---
+ src/d_loop.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/d_loop.c b/src/d_loop.c
+index 61a42d546..b963054a4 100644
+--- a/src/d_loop.c
++++ b/src/d_loop.c
+@@ -413,6 +413,11 @@ void D_StartNetGame(net_gamesettings_t *settings,
+     ticdup = settings->ticdup;
+     new_sync = settings->new_sync;
+ 
++    if (ticdup < 1)
++    {
++        I_Error("D_StartNetGame: invalid ticdup value (%d)", ticdup);
++    }
++
+     // TODO: Message disabled until we fix new_sync.
+     //if (!new_sync)
+     //{
diff -Nru chocolate-doom-3.0.0/debian/patches/series chocolate-doom-3.0.0/debian/patches/series
--- chocolate-doom-3.0.0/debian/patches/series	2018-02-14 21:20:05.000000000 +0100
+++ chocolate-doom-3.0.0/debian/patches/series	2020-09-18 17:26:46.000000000 +0200
@@ -17,3 +17,4 @@
 0018-hexen-Remove-test-code-mistakenly-added.patch
 0017-hexen-Fix-spelling-error.patch
 0001-bash-completion-Build-from-actual-shell-script-templ.patch
+0019-CVE-2020-14983.patch

--- End Message ---
--- Begin Message --- 
Package: release.debian.org
Version: 10.6

Hi,

Each of these bugs relates to an update that was included in today's
stable point release.

Regards,

Adam

--- End Message ---
Reply to: