Re: About CVE-2012-5645

[Marko Lindqvist <cazfi74 () gmail com>]

On 30 December 2012 05:48, Kurt Seifried <kseifried () redhat com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 12/21/2012 05:26 PM, Marko Lindqvist wrote:
> > I saw message that Freeciv bug #20003 has been assigned
> > CVE-2012-5645 : http://seclists.org/oss-sec/2012/q4/484
> >
> > I'd like to clarify things a bit. It was not single issue, but
> > more like two separate issues. Most importantly this leads to patch
> > listed
> > (http://svn.gna.org/viewcvs/freeciv?view=revision&revision=21670)
> > to fix only part of the problems described. Something like:
> >
> > A denial of service flaw was found in the way the server component
> > of Freeciv, a turn-based, multi-player, X based strategy game,
> > processed certain packets (invalid packets with whole packet length
> > lower than packet header size). A remote attacker could send a
> > specially-crafted packet that, when processed would lead to freeciv
> > server to terminate (due to memory exhaustion)
> >
> >
> > The other half: A denial of service flaw was found in the way the
> > server component of Freeciv, a turn-based, multi-player, X based
> > strategy game, processed certain packets (syntactically valid
> > packets, but whose processing would lead to an infinite loop). A
> > remote attacker could send a specially-crafted packet that, when
> > processed would lead to freeciv server to become unresponsive (due
> > to excessive CPU use).
> >
> > is fixed in
> > http://svn.gna.org/viewcvs/freeciv?view=revision&revision=21701
> >
> >
> >
> > Both are fixed in 2.3.3 (and patch versions applied to the stable
> > branch S2_3 release was made from:
> > http://svn.gna.org/viewcvs/freeciv?view=revision&revision=21672 ,
> > http://svn.gna.org/viewcvs/freeciv?view=revision&revision=21703 )
> >
> >
> > - ML
>
> Hmm I'm waffling here. The issues are the same version/reporter,
> roughly the same, can you post the http://cwe.mitre.org/ identifiers
> for these two issues? If they are different enough this might warrant
> a CVE split but for now I'm leaving it merged.

 Yes, had it fixes for both parts listed from the start, there would
be no problem. The problem is the confusion over where CVE-2012-5645
is really fixed. Based on the original description here some
distributions claim CVE-2012-5645 fixed now that they have applied one
patch only. If you just add second fix to CVE-2012-5645, there will be
no way of telling if particular logmsg about "CVE-2012-5645 fixed"
means it's fixed completely, or only half of it.


 - ML