Re: CVE id request: openttd

["Steven M. Christey" <coley () linus mitre org>]

On Mon, 4 Aug 2008, Nico Golde wrote:

> "OpenTTD servers of version 0.6.1 and below are susceptible to a remotely
> exploitable buffer overflow when the server is filled with companies and
> clients with names that are (near) the maximum allowed length for names.
> In the worst case OpenTTD will write the following (mostly remotely
> changable bytes) into 1460 bytes of malloc-ed memory:
> up to 11 times (amount of players) 118 bytes
> up to 8 times (amount of companies) 124 bytes
> and 7 "header" bytes
> Resulting in up to 2297 bytes being written in 1460 bytes of malloc-ed
> memory. This makes it possible to remotely crash the game or change the
> gamestate into an unrecoverable state.  "
>
> This is Debian bug #493714.

Use CVE-2008-3547 (to be updated later) for this issue, as reported.

If Secunia wound up reporting a distinct bug, that would need an
additional CVE.

- Steve