Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: About CVE-2012-5645
From: Marko Lindqvist <cazfi74 () gmail com>
Date: Sun, 30 Dec 2012 13:05:42 +0200

On 30 December 2012 05:48, Kurt Seifried <kseifried () redhat com> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/21/2012 05:26 PM, Marko Lindqvist wrote:
I saw message that Freeciv bug #20003 has been assigned
CVE-2012-5645 : http://seclists.org/oss-sec/2012/q4/484

I'd like to clarify things a bit. It was not single issue, but
more like two separate issues. Most importantly this leads to patch
listed
(http://svn.gna.org/viewcvs/freeciv?view=revision&revision=21670)
to fix only part of the problems described. Something like:

A denial of service flaw was found in the way the server component
of Freeciv, a turn-based, multi-player, X based strategy game,
processed certain packets (invalid packets with whole packet length
lower than packet header size). A remote attacker could send a
specially-crafted packet that, when processed would lead to freeciv
server to terminate (due to memory exhaustion)


The other half: A denial of service flaw was found in the way the
server component of Freeciv, a turn-based, multi-player, X based
strategy game, processed certain packets (syntactically valid
packets, but whose processing would lead to an infinite loop). A
remote attacker could send a specially-crafted packet that, when
processed would lead to freeciv server to become unresponsive (due
to excessive CPU use).

is fixed in
http://svn.gna.org/viewcvs/freeciv?view=revision&revision=21701



Both are fixed in 2.3.3 (and patch versions applied to the stable
branch S2_3 release was made from:
http://svn.gna.org/viewcvs/freeciv?view=revision&revision=21672 ,
http://svn.gna.org/viewcvs/freeciv?view=revision&revision=21703 )


- ML


Hmm I'm waffling here. The issues are the same version/reporter,
roughly the same, can you post the http://cwe.mitre.org/ identifiers
for these two issues? If they are different enough this might warrant
a CVE split but for now I'm leaving it merged.

 Yes, had it fixes for both parts listed from the start, there would
be no problem. The problem is the confusion over where CVE-2012-5645
is really fixed. Based on the original description here some
distributions claim CVE-2012-5645 fixed now that they have applied one
patch only. If you just add second fix to CVE-2012-5645, there will be
no way of telling if particular logmsg about "CVE-2012-5645 fixed"
means it's fixed completely, or only half of it.


 - ML


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]