Re: Half Life dedicated server Patch

[Shaun Meckler <shaun () TRUCKMASTER COM>]

Nathan Woodcock wrote:
> > - Rcon buffer overflow fixed.
> >
> > It does not make any mention of the format string
> bug as mentioned in
> > 'Tamandua Sekure Labs Security Advisory 2000-01'
>
> Leon Hartwig, the coder of the linux half-life patch
> port, has confirmed in email on the hlds_linux mailing
> list that this exploit was most definately fixed.

Not what I would consider 'most definately fixed', but their word is
they were unable to substantiate the claims of the advisory.  Other
sources questioned the integrity of the advisory, as it did not even
have the correct version numbers posted on it.

Btw, the original advisory is located at:
http://www.securityfocus.com/archive/1/141060

-------- Original Message --------
Subject: RE: Security Fixed by new patch?
Date: Fri, 27 Oct 2000 08:13:59 -0400
From: Leon Hartwig <hartwig () valvesoftware com>
Reply-To: hlds_linux () valvesoftware com
To: hlds_linux () valvesoftware com

Well, the crash I was talking about applied to a format string problem
elsewhere (when a player first connected to the server), not to rcon.

However, I have tried to reproduce the rcon format string bug that is
mentioned in the security advisory and I have not been able to do so.  I
have also combed through the related code and have found no problems.
Has
anyone actually encountered this alleged bug on their server?