Hi folks, since it seems the Release Team cannot find the time to review my big debdiff and this bug should really not remain unfixed for so long, I went ahead and uploaded the 1.2.1-2 version to unstable, which contains just the backported fix for the security problem. For convenience, I've added the relevant (small) debdiffs to this mail again (identical to the ones I previously sent). Please unblock openttd/1.2.1-2 and forget about the new upstream version. Gr. Matthijs
File lists identical (after any substitutions)

Control files of package openttd: lines which differ (wdiff format)
-------------------------------------------------------------------
Depends: libc6 (>= 2.11), libfontconfig1 (>= [-2.8.0),-] {+2.9.0),+} libfreetype6 (>= 2.2.1), libgcc1 (>= 1:4.1.1), libicu48 (>= 4.8-1), liblzma5 (>= [-5.1.1alpha+20110809),-] {+5.1.1alpha+20120614),+} liblzo2-2, libpng12-0 (>= 1.2.13-4), libsdl1.2debian (>= 1.2.11), libstdc++6 (>= 4.6), zlib1g (>= 1:1.1.4), openttd-data (= [-1.2.1-1)-] {+1.2.1-2)+}
Installed-Size: [-5654-] {+5685+}
Version: [-1.2.1-1-] {+1.2.1-2+}

Control files of package openttd-data: lines which differ (wdiff format)
------------------------------------------------------------------------
Version: [-1.2.1-1-] {+1.2.1-2+}

Control files of package openttd-dbg: lines which differ (wdiff format)
-----------------------------------------------------------------------
Depends: openttd (= [-1.2.1-1)-] {+1.2.1-2)+}
Installed-Size: [-44139-] {+48063+}
Version: [-1.2.1-1-] {+1.2.1-2+}
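Review bot: the control-file wdiff shows the binary's minimum versions rising to libfontconfig1 (>= 2.9.0) and liblzma5 (>= 5.1.1alpha+20120614), which come from the newer build environment in unstable rather than from the one-patch source change; before unblocking, confirm that testing already carries those library versions, otherwise the migrated openttd binary would be uninstallable there and a rebuild in a testing chroot would be the cleaner route for a security-only upload.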
diff -Nru openttd-1.2.1/debian/changelog openttd-1.2.1/debian/changelog --- openttd-1.2.1/debian/changelog 2012-06-01 21:24:34.000000000 +0200 +++ openttd-1.2.1/debian/changelog 2012-08-01 23:21:04.000000000 +0200 @@ -1,3 +1,11 @@ +openttd (1.2.1-2) unstable; urgency=high + + * [e7a5026] Fix CVE-2012-3436 (Denial of service using ships on half + tiles and landscaping). See + http://security.openttd.org/en/CVE-2012-3436 for details. + + -- Matthijs Kooijman <matthijs@stdin.nl> Wed, 01 Aug 2012 23:20:31 +0200 + openttd (1.2.1-1) unstable; urgency=low * [306c3ac] New upstream release 1.2.1. diff -Nru openttd-1.2.1/debian/patches/cve-2012-3436.patch openttd-1.2.1/debian/patches/cve-2012-3436.patch --- openttd-1.2.1/debian/patches/cve-2012-3436.patch 1970-01-01 01:00:00.000000000 +0100 +++ openttd-1.2.1/debian/patches/cve-2012-3436.patch 2012-08-01 23:21:04.000000000 +0200 
@@ -0,0 +1,72 @@ +Subject: fix for vulnerability CVE-2012-3436 for OpenTTD 1.2.0 - 1.2.1 (Denial of service (server) using ships on half tiles and landscaping.) +From: OpenTTD developer team <info@openttd.org> +Origin: backport, http://vcs.openttd.org/svn/changeset/24439 http://vcs.openttd.org/svn/changeset/24449 +Bug: http://bugs.openttd.org/task/5254 + +Denial of service using ships on half tiles and landscaping. + +Simple steps to reproduce the issue, and show the severity: + start a new game. For this reproduction you do not need to start a server; + you can see the crash locally, but due to the nature of OpenTTD the crash + will also happen on the server you're playing on with multiplayer. + build some horizontal or vertical track at the coast, so that half of the + tile remains water or coast. The tile should either have + one corner raised with flat water on one half tile (case 1) + or two adjacent corners raised with coast on the sloped half tile (case 2) + build a ship depot, a ship and a dock at the coast, and start the ship + obstruct the path of the ship in a way so that it enters the tile with half + railtrack and half water + landscape the tile by raising the water corner while the ship is on it + (only needed in case 1) + both cases will make the ship end up on land + remove the track using the "remove track" tool while the ship is on the tile + server segfaults due to NULL pointer dereference. + +The problem is caused by incorrectly handling the water/coast aspect of tiles +which also have railtracks on one half. +The fix adds the correct checks to the landscaping and movement code. + +If you try to reproduce this with the patch applied you'll see that, +in case 1, step 5 will deny the terraforming and in case 2 the ship simply +won't try to enter the coast tile. + +This bug was triggered incidentally by a user playing online when landscaping +near a ship. We have not seen any signs of this bug being exploited forcefully. 
+ + +--- a/src/rail_cmd.cpp ++++ b/src/rail_cmd.cpp +@@ -2604,7 +2604,7 @@ + static TrackStatus GetTileTrackStatus_Track(TileIndex tile, TransportType mode, uint sub_mode, DiagDirection side) + { + /* Case of half tile slope with water. */ +- if (mode == TRANSPORT_WATER && IsPlainRail(tile) && GetRailGroundType(tile) == RAIL_GROUND_WATER) { ++ if (mode == TRANSPORT_WATER && IsPlainRail(tile) && GetRailGroundType(tile) == RAIL_GROUND_WATER && IsSlopeWithOneCornerRaised(GetTileSlope(tile))) { + TrackBits tb = GetTrackBits(tile); + switch (tb) { + default: NOT_REACHED(); +@@ -2925,6 +2925,14 @@ + return cost; + } + ++/** ++ * Test-procedure for HasVehicleOnPos to check for a ship. ++ */ ++static Vehicle *EnsureNoShipProc(Vehicle *v, void *data) ++{ ++ return v->type == VEH_SHIP ? v : NULL; ++} ++ + static CommandCost TerraformTile_Track(TileIndex tile, DoCommandFlag flags, int z_new, Slope tileh_new) + { + int z_old; +@@ -2934,6 +2942,9 @@ + /* Is there flat water on the lower halftile that must be cleared expensively? */ + bool was_water = (GetRailGroundType(tile) == RAIL_GROUND_WATER && IsSlopeWithOneCornerRaised(tileh_old)); + ++ /* Allow clearing the water only if there is no ship */ ++ if (was_water && HasVehicleOnPos(tile, NULL, &EnsureNoShipProc)) return_cmd_error(STR_ERROR_SHIP_IN_THE_WAY); ++ + /* First test autoslope. However if it succeeds we still have to test the rest, because non-autoslope terraforming is cheaper. */ + CommandCost autoslope_result = TestAutoslopeOnRailTile(tile, flags, z_old, tileh_old, z_new, tileh_new, rail_bits); + diff -Nru openttd-1.2.1/debian/patches/series openttd-1.2.1/debian/patches/series --- openttd-1.2.1/debian/patches/series 2012-06-01 21:24:34.000000000 +0200 +++ openttd-1.2.1/debian/patches/series 2012-08-01 23:21:04.000000000 +0200 @@ -1 +1,2 @@ run-openttd-wrapper.patch +cve-2012-3436.patch
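Review bot: the debian/changelog hunk has no Closes: reference, so the Debian bug this upload fixes will not be closed automatically when 1.2.1-2 is accepted; append "(Closes: #NNNNNN)" to the "Fix CVE-2012-3436" bullet, with the real bug number in place of the NNNNNN placeholder, so the BTS and the changelog agree on which report this resolves.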
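Review bot: the cve-2012-3436.patch hunk is preventive only and leaves the crashing path itself unguarded. The two changes cover the setup steps of the reproduction: GetTileTrackStatus_Track now reports water track bits only when IsSlopeWithOneCornerRaised(GetTileSlope(tile)) holds, so a ship no longer enters the two-raised-corner coast tile (case 2), and TerraformTile_Track returns STR_ERROR_SHIP_IN_THE_WAY when HasVehicleOnPos(tile, NULL, &EnsureNoShipProc) finds a ship on the flat-water half tile (case 1). Nothing is added to the track-removal command, which is where the description says the NULL pointer dereference occurs, so a running server or a saved game that already has a ship stranded on such a tile will still segfault when the track is removed. Either confirm with upstream that the referenced changesets 24439 and 24449 are the complete fix, or consider giving the removal path the same EnsureNoShipProc check; at minimum the DEP-3 header should note that the fix blocks the setup rather than hardening the crash site. Minor: the Doxygen comment on EnsureNoShipProc should document that the unused data parameter exists only to match the HasVehicleOnPos callback signature.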