
Bug#683376: unblock: openttd/1.2.2-1 or openttd/1.2.1-2
Hi folks,

since it seems the Release Team cannot find the time to review my big
debdiff and this bug should really not remain unfixed for so long, I
went ahead and uploaded the 1.2.1-2 version to unstable, which contains
just the backported fix for the security problem.

For convenience, I've added the relevant (small) debdiffs to this mail
again (identical to the ones I previously sent).

Please unblock openttd/1.2.1-2 and forget about the new upstream
version.

Gr.

Matthijs
File lists identical (after any substitutions)

Control files of package openttd: lines which differ (wdiff format)
-------------------------------------------------------------------
Depends: libc6 (>= 2.11), libfontconfig1 (>= [-2.8.0),-] {+2.9.0),+} libfreetype6 (>= 2.2.1), libgcc1 (>= 1:4.1.1), libicu48 (>= 4.8-1), liblzma5 (>= [-5.1.1alpha+20110809),-] {+5.1.1alpha+20120614),+} liblzo2-2, libpng12-0 (>= 1.2.13-4), libsdl1.2debian (>= 1.2.11), libstdc++6 (>= 4.6), zlib1g (>= 1:1.1.4), openttd-data (= [-1.2.1-1)-] {+1.2.1-2)+}
Installed-Size: [-5654-] {+5685+}
Version: [-1.2.1-1-] {+1.2.1-2+}

Control files of package openttd-data: lines which differ (wdiff format)
------------------------------------------------------------------------
Version: [-1.2.1-1-] {+1.2.1-2+}

Control files of package openttd-dbg: lines which differ (wdiff format)
-----------------------------------------------------------------------
Depends: openttd (= [-1.2.1-1)-] {+1.2.1-2)+}
Installed-Size: [-44139-] {+48063+}
Version: [-1.2.1-1-] {+1.2.1-2+}
diff -Nru openttd-1.2.1/debian/changelog openttd-1.2.1/debian/changelog
--- openttd-1.2.1/debian/changelog	2012-06-01 21:24:34.000000000 +0200
+++ openttd-1.2.1/debian/changelog	2012-08-01 23:21:04.000000000 +0200
@@ -1,3 +1,11 @@
+openttd (1.2.1-2) unstable; urgency=high
+
+  * [e7a5026] Fix CVE-2012-3436 (Denial of service using ships on half
+    tiles and landscaping). See
+    http://security.openttd.org/en/CVE-2012-3436 for details.
+
+ -- Matthijs Kooijman <matthijs@stdin.nl>  Wed, 01 Aug 2012 23:20:31 +0200
+
 openttd (1.2.1-1) unstable; urgency=low
 
   * [306c3ac] New upstream release 1.2.1.
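Review bot: the changelog entry names the CVE and the advisory URL but not the two upstream changesets the fix is backported from; those only appear in the patch's Origin header, so someone reading the changelog alone cannot tell which upstream revisions 1.2.1-2 carries. Consider adding "backport of upstream r24439 and r24449" to the bullet. The urgency=high setting is appropriate for a remotely triggerable server crash.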
diff -Nru openttd-1.2.1/debian/patches/cve-2012-3436.patch openttd-1.2.1/debian/patches/cve-2012-3436.patch
--- openttd-1.2.1/debian/patches/cve-2012-3436.patch	1970-01-01 01:00:00.000000000 +0100
+++ openttd-1.2.1/debian/patches/cve-2012-3436.patch	2012-08-01 23:21:04.000000000 +0200
@@ -0,0 +1,72 @@
+Subject: fix for vulnerability CVE-2012-3436 for OpenTTD 1.2.0 - 1.2.1 (Denial of service (server) using ships on half tiles and landscaping.)
+From: OpenTTD developer team <info@openttd.org>
+Origin: backport, http://vcs.openttd.org/svn/changeset/24439 http://vcs.openttd.org/svn/changeset/24449 
+Bug: http://bugs.openttd.org/task/5254 
+
+Denial of service using ships on half tiles and landscaping.
+
+Simple steps to reproduce the issue, and show the severity:
+ start a new game. For this reproduction you do not need to start a server;
+   you can see the crash locally, but due to the nature of OpenTTD the crash
+   will also happen on the server you're playing on with multiplayer.
+ build some horizontal or vertical track at the coast, so that half of the
+   tile remains water or coast. The tile should either have
+   one corner raised with flat water on one half tile (case 1)
+   or two adjacent corners raised with coast on the sloped half tile (case 2)
+ build a ship depot, a ship and a dock at the coast, and start the ship
+ obstruct the path of the ship in a way so that it enters the tile with half
+   railtrack and half water
+ landscape the tile by raising the water corner while the ship is on it
+   (only needed in case 1)
+ both cases will make the ship end up on land
+ remove the track using the "remove track" tool while the ship is on the tile
+ server segfaults due to NULL pointer dereference.
+
+The problem is caused by incorrectly handling the water/coast aspect of tiles
+which also have railtracks on one half.
+The fix adds the correct checks to the landscaping and movement code.
+
+If you try to reproduce this with the patch applied you'll see that,
+in case 1, step 5 will deny the terraforming and in case 2 the ship simply
+won't try to enter the coast tile.
+
+This bug was triggered incidentally by a user playing online when landscaping
+near a ship. We have not seen any signs of this bug being exploited forcefully.
+
+
+--- a/src/rail_cmd.cpp
++++ b/src/rail_cmd.cpp
+@@ -2604,7 +2604,7 @@
+ static TrackStatus GetTileTrackStatus_Track(TileIndex tile, TransportType mode, uint sub_mode, DiagDirection side)
+ {
+ 	/* Case of half tile slope with water. */
+-	if (mode == TRANSPORT_WATER && IsPlainRail(tile) && GetRailGroundType(tile) == RAIL_GROUND_WATER) {
++	if (mode == TRANSPORT_WATER && IsPlainRail(tile) && GetRailGroundType(tile) == RAIL_GROUND_WATER && IsSlopeWithOneCornerRaised(GetTileSlope(tile))) {
+ 		TrackBits tb = GetTrackBits(tile);
+ 		switch (tb) {
+ 			default: NOT_REACHED();
+@@ -2925,6 +2925,14 @@
+ 	return  cost;
+ }
+ 
++/**
++ * Test-procedure for HasVehicleOnPos to check for a ship.
++ */
++static Vehicle *EnsureNoShipProc(Vehicle *v, void *data)
++{
++	return v->type == VEH_SHIP ? v : NULL;
++}
++
+ static CommandCost TerraformTile_Track(TileIndex tile, DoCommandFlag flags, int z_new, Slope tileh_new)
+ {
+ 	int z_old;
+@@ -2934,6 +2942,9 @@
+ 		/* Is there flat water on the lower halftile that must be cleared expensively? */
+ 		bool was_water = (GetRailGroundType(tile) == RAIL_GROUND_WATER && IsSlopeWithOneCornerRaised(tileh_old));
+ 
++		/* Allow clearing the water only if there is no ship */
++		if (was_water && HasVehicleOnPos(tile, NULL, &EnsureNoShipProc)) return_cmd_error(STR_ERROR_SHIP_IN_THE_WAY);
++
+ 		/* First test autoslope. However if it succeeds we still have to test the rest, because non-autoslope terraforming is cheaper. */
+ 		CommandCost autoslope_result = TestAutoslopeOnRailTile(tile, flags, z_old, tileh_old, z_new, tileh_new, rail_bits);
+ 
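Review bot: in the rail_cmd.cpp part of this patch, EnsureNoShipProc returns the vehicle when it is a ship and NULL otherwise, so HasVehicleOnPos(tile, NULL, &EnsureNoShipProc) is true exactly when a ship is present, which is the opposite polarity of what the name suggests; the doc comment should spell that out (for example "@return v if it is a ship, NULL otherwise") so the next reader does not misread the terraform check. The placement of that check is correct: it runs only when was_water is set and before TestAutoslopeOnRailTile, so the landscaping is refused with STR_ERROR_SHIP_IN_THE_WAY before any cost is computed, which covers case 1 of the description. The first hunk's added IsSlopeWithOneCornerRaised(GetTileSlope(tile)) condition covers case 2: a rail tile whose sloped half is coast no longer reports water track status, so a ship will not route onto it and the switch whose default is NOT_REACHED() is no longer fed track bits from that situation. One DEP-3 nit: the Origin and Bug header lines carry trailing whitespace.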
diff -Nru openttd-1.2.1/debian/patches/series openttd-1.2.1/debian/patches/series
--- openttd-1.2.1/debian/patches/series	2012-06-01 21:24:34.000000000 +0200
+++ openttd-1.2.1/debian/patches/series	2012-08-01 23:21:04.000000000 +0200
@@ -1 +1,2 @@
 run-openttd-wrapper.patch
+cve-2012-3436.patch
