Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: opu, pu
Severity: normal

Hi folks,

upstream developers for the openttd package have identified a remote denial-of-service (program crash) in the openttd game. They have made patches available, which I'd like to include in wheezy and squeeze. I contacted the security team, who wrote:

> Thanks for this. Given that it's "just" a denial of service attack in
> a game server, I think we may consider this not serious enough to
> warrant a DSA, but could instead better be fixed in a stable point
> update. To arrange that, you can contact the stable release managers.

So here I am :-)

Upstream has provided detailed information about the issue: http://security.openttd.org/en/CVE-2013-6411

Attached are debdiffs against the current squeeze and wheezy versions, which add the upstream patches. The debdiff still uses the -security archives; for the actual upload I'll change that to stable/oldstable instead. I don't think special care wrt including orig tarballs is needed, like with the security archive?

Note that in the wheezy version, there is also an unrelated change: the debian/gbp.conf file is ignored in the source package (I needed to change it to build for wheezy, so better ignore it entirely). If this is problematic, I can leave out this change and manually pass some gbp options, but this is more convenient for me, also with future versions.

I've reproduced the crash with the unpatched versions and verified that the patches prevent the crash from occurring. There is no need to keep this issue confidential, upstream just did a new release which announces this problem and the fix.

If these changes look ok, I'll go ahead and upload the packages for the stable/oldstable archives.

Gr.

Matthijs
diff -Nru openttd-1.0.4/debian/changelog openttd-1.0.4/debian/changelog --- openttd-1.0.4/debian/changelog 2012-07-31 18:00:18.000000000 +0200 +++ openttd-1.0.4/debian/changelog 2013-11-29 12:29:29.000000000 +0100 @@ -1,3 +1,11 @@ +openttd (1.0.4-7) squeeze-security; urgency=high + + * [d2a7867] Fix CVE-2013-6411 (Denial of service using forcefully + crashed aircrafts). See http://security.openttd.org/en/CVE-2013-6411 + for details. + + -- Matthijs Kooijman <matthijs@stdin.nl> Fri, 29 Nov 2013 12:11:14 +0100 + openttd (1.0.4-6) stable-security; urgency=high * [9ca1ffd] Improve patch for CVE-2012-3436. diff -Nru openttd-1.0.4/debian/patches/cve-2013-6411.patch openttd-1.0.4/debian/patches/cve-2013-6411.patch --- openttd-1.0.4/debian/patches/cve-2013-6411.patch 1970-01-01 01:00:00.000000000 +0100 +++ openttd-1.0.4/debian/patches/cve-2013-6411.patch 2013-11-29 12:29:29.000000000 +0100 
@@ -0,0 +1,47 @@ +Subject: fix for vulnerability CVE-2013-6411 for OpenTTD 1.0.0 - 1.1.5 (Denial of service (server) using forcefully crashed aircrafts.) +From: OpenTTD developer team <info@openttd.org> +Origin: backport, http://vcs.openttd.org/svn/changeset/26134 +Bug: http://bugs.openttd.org/task/5820 + +Denial of service using aircrafts that are forcefully crashed. + +Simple steps to reproduce the issue, and show the severity: + Start a new game. For this reproduction you do not need to start a server; + you can see the crash locally, but due to the nature of OpenTTD the crash + will also happen on the server you're playing on in multiplayer + Build an airport at the map corner and join it with rail station + Make this airport the order destination for planes which will start + from another place, or use the close airport feature, and then they may + also start from the same airport + Wait until all planes are sky high and rotating around the corner airport + In case aircraft are launched from another airport, remove that airport + Remove the airport part of the corner airport, and leave only the rail station + Remove the rail station part + Wait for the aircraft to keep circling and eventually crash due to lack of fuel + Server segfaults due to invalid memory access (stable releases), or triggering + of an assertion (most other builds) + +The problem is caused by incorrectly handling the fact that the aircraft circling the +corner airport will be outside of the bounds of the map. In the 'out of fuel' crash +code the height of the tile under the aircraft is determined. In this case that means +a tile outside of the allocated map array, which could occasionally trigger invalid +reads. + +The fix makes sure the height of the map border is used when the aircraft is outside +of the map. 
+ + +Index: src/aircraft_cmd.cpp +=================================================================== +--- a/src/aircraft_cmd.cpp (revision 25160) ++++ b/src/aircraft_cmd.cpp (working copy) +@@ -988,7 +988,7 @@ + + /* make aircraft crash down to the ground */ + if (v->crashed_counter < 500 && st == NULL && ((v->crashed_counter % 3) == 0) ) { +- uint z = GetSlopeZ(v->x_pos, v->y_pos); ++ int z = GetSlopeZ(Clamp(v->x_pos, 0, MapMaxX() * TILE_SIZE), Clamp(v->y_pos, 0, MapMaxY() * TILE_SIZE)); + v->z_pos -= 1; + if (v->z_pos == z) { + v->crashed_counter = 500; + diff -Nru openttd-1.0.4/debian/patches/series openttd-1.0.4/debian/patches/series --- openttd-1.0.4/debian/patches/series 2012-07-31 18:00:18.000000000 +0200 +++ openttd-1.0.4/debian/patches/series 2013-11-29 12:29:29.000000000 +0100 @@ -5,3 +5,4 @@ cve-2011-3343.patch cve-2012-0049.patch cve-2012-3436.patch +cve-2013-6411.patch
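Review bot: the debian/changelog hunk of the 1.0.4 debdiff still targets `squeeze-security`; for a stable point update the distribution field has to be `squeeze` (oldstable) before the final build, as the cover mail already promises, since dpkg-genchanges will otherwise aim the upload at the security archive. `urgency=high` can stay.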
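Review bot: in the src/aircraft_cmd.cpp hunk of cve-2013-6411.patch (1.0.4) the backport changes the declared type of `z` from `uint` to `int` in addition to clamping the lookup coordinates, and `z` is compared against `v->z_pos` two lines later (`if (v->z_pos == z)`). The 1.2.1 variant of the same patch already uses `int`, so this presumably matches upstream changeset 26134, but a one-line remark in the patch header ("also switches `z` to `int` to match upstream") would stop the next reader from wondering whether the signedness change alters the comparison. The clamp itself is sound: `MapMaxX() * TILE_SIZE` / `MapMaxY() * TILE_SIZE` keep the height lookup on the last in-map tile, and only the lookup is clamped, so the aircraft's own position and descent logic are unchanged.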
diff -Nru openttd-1.2.1/debian/changelog openttd-1.2.1/debian/changelog --- openttd-1.2.1/debian/changelog 2012-09-19 09:51:05.000000000 +0200 +++ openttd-1.2.1/debian/changelog 2013-11-29 11:21:15.000000000 +0100 @@ -1,3 +1,12 @@ +openttd (1.2.1-3) wheezy-security; urgency=high + + * [81d0ce5] Fix CVE-2013-6411 (Denial of service using forcefully + crashed aircrafts). See http://security.openttd.org/en/CVE-2013-6411 + for details. + * [b9207a4] Exclude debian/gpb.conf from the source package + + -- Matthijs Kooijman <matthijs@stdin.nl> Fri, 29 Nov 2013 11:06:33 +0100 + openttd (1.2.1-2) unstable; urgency=high * [e7a5026] Fix CVE-2012-3436 (Denial of service using ships on half diff -Nru openttd-1.2.1/debian/gbp.conf openttd-1.2.1/debian/gbp.conf --- openttd-1.2.1/debian/gbp.conf 2012-09-19 09:51:05.000000000 +0200 +++ openttd-1.2.1/debian/gbp.conf 1970-01-01 01:00:00.000000000 +0100 @@ -1,13 +0,0 @@ -[DEFAULT] -# Use pristine-tar -pristine-tar = True - -[git-dch] -# We use metaheaders in commit messages. -meta = True -# Put git commit ids in the debian changelog. -id-length = 7 - -[git-import-orig] -# Use a custom commit message for upstream imports. -import-msg = New upstream release %(version)s. diff -Nru openttd-1.2.1/debian/patches/cve-2013-6411.patch openttd-1.2.1/debian/patches/cve-2013-6411.patch --- openttd-1.2.1/debian/patches/cve-2013-6411.patch 1970-01-01 01:00:00.000000000 +0100 +++ openttd-1.2.1/debian/patches/cve-2013-6411.patch 2013-11-29 11:21:15.000000000 +0100 
@@ -0,0 +1,47 @@ +Subject: fix for vulnerability CVE-2013-6411 for OpenTTD 1.2.0 - 1.3.2 (Denial of service (server) using forcefully crashed aircrafts.) +From: OpenTTD developer team <info@openttd.org> +Origin: backport, http://vcs.openttd.org/svn/changeset/26134 +Bug: http://bugs.openttd.org/task/5820 + +Denial of service using aircrafts that are forcefully crashed. + +Simple steps to reproduce the issue, and show the severity: + Start a new game. For this reproduction you do not need to start a server; + you can see the crash locally, but due to the nature of OpenTTD the crash + will also happen on the server you're playing on in multiplayer + Build an airport at the map corner and join it with rail station + Make this airport the order destination for planes which will start + from another place, or use the close airport feature, and then they may + also start from the same airport + Wait until all planes are sky high and rotating around the corner airport + In case aircraft are launched from another airport, remove that airport + Remove the airport part of the corner airport, and leave only the rail station + Remove the rail station part + Wait for the aircraft to keep circling and eventually crash due to lack of fuel + Server segfaults due to invalid memory access (stable releases), or triggering + of an assertion (most other builds) + +The problem is caused by incorrectly handling the fact that the aircraft circling the +corner airport will be outside of the bounds of the map. In the 'out of fuel' crash +code the height of the tile under the aircraft is determined. In this case that means +a tile outside of the allocated map array, which could occasionally trigger invalid +reads. + +The fix makes sure the height of the map border is used when the aircraft is outside +of the map. 
+ + +Index: src/aircraft_cmd.cpp +=================================================================== +--- a/src/aircraft_cmd.cpp (revision 26133) ++++ b/src/aircraft_cmd.cpp (working copy) +@@ -1021,7 +1021,7 @@ + + /* make aircraft crash down to the ground */ + if (v->crashed_counter < 500 && st == NULL && ((v->crashed_counter % 3) == 0) ) { +- int z = GetSlopePixelZ(v->x_pos, v->y_pos); ++ int z = GetSlopePixelZ(Clamp(v->x_pos, 0, MapMaxX() * TILE_SIZE), Clamp(v->y_pos, 0, MapMaxY() * TILE_SIZE)); + v->z_pos -= 1; + if (v->z_pos == z) { + v->crashed_counter = 500; + diff -Nru openttd-1.2.1/debian/patches/series openttd-1.2.1/debian/patches/series --- openttd-1.2.1/debian/patches/series 2012-09-19 09:51:05.000000000 +0200 +++ openttd-1.2.1/debian/patches/series 2013-11-29 11:21:15.000000000 +0100 @@ -1,2 +1,3 @@ run-openttd-wrapper.patch cve-2012-3436.patch +cve-2013-6411.patch
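Review bot: the second bullet of the debian/changelog hunk in the 1.2.1 debdiff misspells the file as `debian/gpb.conf`; the diff removes `debian/gbp.conf`, so the entry should read `Exclude debian/gbp.conf from the source package`. As with the squeeze entry, `wheezy-security` needs to become `wheezy` for the point update before the upload is built.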
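Review bot: the debian/gbp.conf hunk shows the file vanishing from the source package, but nothing else in the debdiff shows how that exclusion is enforced: there is no change to debian/source/options (a `tar-ignore` or `extend-diff-ignore` entry) or any other packaging file. If the exclusion lives in the git repository only (export settings that never reach the source package), that is fine but worth saying in the changelog; if it is meant to be a packaging change, the file that implements it should be part of this debdiff so the release team can see it.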