oss-sec mailing list archives
Re: About CVE-2012-5645
From: Kurt Seifried <kseifried () redhat com>
Date: Sat, 29 Dec 2012 20:48:06 -0700
On 12/21/2012 05:26 PM, Marko Lindqvist wrote:
> I saw message that Freeciv bug #20003 has been assigned CVE-2012-5645 :
> http://seclists.org/oss-sec/2012/q4/484
>
> I'd like to clarify things a bit. It was not single issue, but more
> like two separate issues. Most importantly this leads to patch listed
> (http://svn.gna.org/viewcvs/freeciv?view=revision&revision=21670) to
> fix only part of the problems described.
>
> Something like:
>
> A denial of service flaw was found in the way the server component of
> Freeciv, a turn-based, multi-player, X based strategy game, processed
> certain packets (invalid packets with whole packet length lower than
> packet header size). A remote attacker could send a specially-crafted
> packet that, when processed would lead to freeciv server to terminate
> (due to memory exhaustion)
>
> The other half:
>
> A denial of service flaw was found in the way the server component of
> Freeciv, a turn-based, multi-player, X based strategy game, processed
> certain packets (syntactically valid packets, but whose processing
> would lead to an infinite loop). A remote attacker could send a
> specially-crafted packet that, when processed would lead to freeciv
> server to become unresponsive (due to excessive CPU use).
>
> is fixed in
> http://svn.gna.org/viewcvs/freeciv?view=revision&revision=21701
>
> Both are fixed in 2.3.3 (and patch versions applied to the stable
> branch S2_3 release was made from:
> http://svn.gna.org/viewcvs/freeciv?view=revision&revision=21672 ,
> http://svn.gna.org/viewcvs/freeciv?view=revision&revision=21703 )
>
> - ML

Hmm I'm waffling here. The issues are the same version/reporter, roughly the same, can you post the http://cwe.mitre.org/ identifiers for these two issues? If they are different enough this might warrant a CVE split but for now I'm leaving it merged.

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993