Re: CVE request for OpenTTD

[frosch <frosch () openttd org>]

> On 07/27/2012 03:42 PM, frosch wrote:
> > Hello,
> >
> > we, the OpenTTD developers, have identified a security
> > vulnerability in OpenTTD (an open source game with multiplayer).
> > Would you be so kind as to allocate a CVE id for this issue?
> >
> > The issue concerns a denial of service vulnerabilty which enables 
> > an attacker to force the server into an invalid game state. The 
> > server will abort upon detecting this state. This attack can be
> > performed using an unmodified client via normal game interaction.
> > The attack requires authorization, but most servers do not
> > implement authorization. The first vulnerable version is 0.6.0, the
> > upcoming 1.2.2 release will have the issue fixed.
> >
> > Once a CVE id is allocated, the issue and fix will be documented
> > at http://security.openttd.org/CVE-2012-xxxx
> >
> > Thanks in advance, Christoph 'frosch' Elsenhans
> >
> > (Please CC me, I'm not subscribed)
>
> Sorry can you please provide links to an advisory, code commit, or
> something so we have a reference?
trunk commit: http://vcs.openttd.org/svn/changeset/24439/
Bug report: http://bugs.openttd.org/task/5254

Later on http://security.openttd.org/CVE-2012-xxxx will supply patches
for all vulnerable versions, and also link to the bug tracker and
related commits.

Regards