Fri Mar  2 18:50:10 EST 2007  quozl@us.netrek.org
  tagged 2.12.1
Fri Mar  2 18:42:52 EST 2007  quozl@us.netrek.org
  * 2.12.1 release, security update, format string vulnerability EVENTLOG=1
          * ntserv/warning.c, robots/rmove.c: fix security vulnerability in
          message handling reported by Luigi Auriemma.  This vulnerability
          is present if the server is configured with EVENTLOG=1 in
          etc/sysdef (the default is EVENTLOG=0), and is confirmed present in
          release 2.12.0.  User input was passed to vsprintf as a format
          string.
diff -rN -u old-netrek-server-2.12.1-security/Vanilla/ChangeLog new-netrek-server-2.12.1-security/Vanilla/ChangeLog
--- old-netrek-server-2.12.1-security/Vanilla/ChangeLog	2007-03-02 19:03:22.000000000 +1100
+++ new-netrek-server-2.12.1-security/Vanilla/ChangeLog	2007-03-02 19:03:22.000000000 +1100
@@ -1,3 +1,9 @@
+Fri Mar  2 18:36:14 2007  James Cameron  <quozl@us.netrek.org>
+
+	* netrek-server-vanilla-2.12.1 released, fixes format string
+	security vulnerability with messaging when EVENTLOG=1 in
+	etc/sysdef.
+
 Thu Dec 28 08:34:16 2006  James Cameron  <quozl@us.netrek.org>
 
 	* netrek-server-vanilla-2.12.0 released
diff -rN -u old-netrek-server-2.12.1-security/Vanilla/Makefile.in new-netrek-server-2.12.1-security/Vanilla/Makefile.in
--- old-netrek-server-2.12.1-security/Vanilla/Makefile.in	2007-03-02 19:03:22.000000000 +1100
+++ new-netrek-server-2.12.1-security/Vanilla/Makefile.in	2007-03-02 19:03:22.000000000 +1100
@@ -5,7 +5,7 @@
 #
 
 PACKAGE=netrek-server-vanilla
-VERSION=2.12.0
+VERSION=2.12.1
 
 RANLIB =  @RANLIB@
 VPATH = @srcdir@
diff -rN -u old-netrek-server-2.12.1-security/Vanilla/NEWS new-netrek-server-2.12.1-security/Vanilla/NEWS
--- old-netrek-server-2.12.1-security/Vanilla/NEWS	2007-03-02 19:03:22.000000000 +1100
+++ new-netrek-server-2.12.1-security/Vanilla/NEWS	2007-03-02 19:03:22.000000000 +1100
@@ -1,3 +1,7 @@
+2.12.1: released 2007-03-02
+
+- fixes format string security vulnerability when EVENTLOG=1
+
 2.12.0: released 2006-12-27
 
 Summary
diff -rN -u old-netrek-server-2.12.1-security/Vanilla/README.releasing new-netrek-server-2.12.1-security/Vanilla/README.releasing
--- old-netrek-server-2.12.1-security/Vanilla/README.releasing	2007-03-02 19:03:22.000000000 +1100
+++ new-netrek-server-2.12.1-security/Vanilla/README.releasing	2007-03-02 19:03:22.000000000 +1100
@@ -4,8 +4,8 @@
 cd Vanilla
 
 # set variables
-VS=2.12.0
-VL=v_2_12_0
+VS=2.12.1
+VL=v_2_12_1
 PN=netrek-server-vanilla
 
 # check version numbers in files
diff -rN -u old-netrek-server-2.12.1-security/Vanilla/debian/changelog new-netrek-server-2.12.1-security/Vanilla/debian/changelog
--- old-netrek-server-2.12.1-security/Vanilla/debian/changelog	2007-03-02 19:03:22.000000000 +1100
+++ new-netrek-server-2.12.1-security/Vanilla/debian/changelog	2007-03-02 19:03:22.000000000 +1100
@@ -1,3 +1,9 @@
+netrek-server-vanilla (2.12.1-0) unstable; urgency=low
+
+  * fix message format string vulnerability
+
+ -- James Cameron <quozl@us.netrek.org>  Fri,  2 Mar 2007 18:35:36 +1100
+
 netrek-server-vanilla (2.12.0-0) unstable; urgency=low
 
   * begin
diff -rN -u old-netrek-server-2.12.1-security/Vanilla/include/patchlevel.h new-netrek-server-2.12.1-security/Vanilla/include/patchlevel.h
--- old-netrek-server-2.12.1-security/Vanilla/include/patchlevel.h	2007-03-02 19:03:22.000000000 +1100
+++ new-netrek-server-2.12.1-security/Vanilla/include/patchlevel.h	2007-03-02 19:03:22.000000000 +1100
@@ -12,7 +12,7 @@
  *  (a) reset this to zero before each major release, and;
  *  (b) increment this number before each patch release.
  */
-#define PATCHLEVEL 0
+#define PATCHLEVEL 1
 #if !defined(NULL)
 #define NULL 0
 #endif
diff -rN -u old-netrek-server-2.12.1-security/Vanilla/ntserv/socket.c new-netrek-server-2.12.1-security/Vanilla/ntserv/socket.c
--- old-netrek-server-2.12.1-security/Vanilla/ntserv/socket.c	2007-03-02 19:03:22.000000000 +1100
+++ new-netrek-server-2.12.1-security/Vanilla/ntserv/socket.c	2007-03-02 19:03:22.000000000 +1100
@@ -1752,7 +1752,7 @@
 	return;
     }
     group |= packet->group;
-    pmessage2(packet->indiv, group, addrbuf, me->p_no,"%s",packet->mesg);
+    pmessage2(packet->indiv, group, addrbuf, me->p_no, "%s", packet->mesg);
 #ifdef CHECKMESG
     if(checkmessage){
 	if(check_mesgs(packet))
diff -rN -u old-netrek-server-2.12.1-security/Vanilla/ntserv/warning.c new-netrek-server-2.12.1-security/Vanilla/ntserv/warning.c
--- old-netrek-server-2.12.1-security/Vanilla/ntserv/warning.c	2007-03-02 19:03:22.000000000 +1100
+++ new-netrek-server-2.12.1-security/Vanilla/ntserv/warning.c	2007-03-02 19:03:22.000000000 +1100
@@ -45,7 +45,7 @@
     char from_str[9]="WRN->\0\0\0";
 
     strcat(from_str, me->p_mapchars);
-    pmessage2(0, 0, from_str, me->p_no, temp);
+    pmessage2(0, 0, from_str, me->p_no, "%s", temp);
   }
 
 #endif /* CHECKMESG */
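Review bot: Nothing in this fix stops a later caller from passing a message buffer as the format argument again, because the `"%s"` added to the `pmessage2` call is only a per-call-site convention. Declaring the prototype (outside this diff) with `__attribute__((format(printf, 5, 6)))` and building with `-Wformat -Wformat-security` would let the compiler flag any call whose fifth argument is not a string literal. The positions 5 and 6 are inferred from the calls shown here and should be checked against the real signature. Separately, `strcat(from_str, me->p_mapchars)` leaves room for only three more characters in `from_str[9]`, which is safe only if `p_mapchars` is always that short; its declaration is not visible here. The enclosing function starts above the hunk.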
diff -rN -u old-netrek-server-2.12.1-security/Vanilla/robots/rmove.c new-netrek-server-2.12.1-security/Vanilla/robots/rmove.c
--- old-netrek-server-2.12.1-security/Vanilla/robots/rmove.c	2007-03-02 19:03:22.000000000 +1100
+++ new-netrek-server-2.12.1-security/Vanilla/robots/rmove.c	2007-03-02 19:03:22.000000000 +1100
@@ -220,7 +220,7 @@
 		sprintf(towhom, " %s->%s",
 			players[me->p_no].p_mapchars,
 			players[enemy->p_no].p_mapchars);
-		pmessage2(enemy->p_no, MINDIV,towhom,me->p_no,
+		pmessage2(enemy->p_no, MINDIV, towhom, me->p_no, "%s",
 			robo_message(enemy));
 	    }
 	    else if (target >= 0 && !quiet) {
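Review bot: The `sprintf(towhom, " %s->%s", ...)` just above the fixed call writes into `towhom` with no bound, and the size of `towhom` is not visible in this hunk. If it is a local array, `snprintf(towhom, sizeof towhom, " %s->%s", ...)` would keep the address string from overrunning should `p_mapchars` ever be longer than expected. The commit description names `vsprintf` as the sink, so the text returned by `robo_message(enemy)` is presumably still copied without a length limit even though it is now treated as data; a bounded `vsnprintf` inside `pmessage2` (not part of this diff) would cover that. The enclosing function starts and ends outside the hunk.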
diff -rN -u old-netrek-server-2.12.1-security/Vanilla/rpm/netrek.spec new-netrek-server-2.12.1-security/Vanilla/rpm/netrek.spec
--- old-netrek-server-2.12.1-security/Vanilla/rpm/netrek.spec	2007-03-02 19:03:22.000000000 +1100
+++ new-netrek-server-2.12.1-security/Vanilla/rpm/netrek.spec	2007-03-02 19:03:22.000000000 +1100
@@ -1,6 +1,6 @@
 Summary: Netrek Software Suite
 Name: netrek
-Version: 2.12.0
+Version: 2.12.1
 Release: 0
 Copyright: Undetermined
 Packager: Vanilla Server Development Team

