Re: TORCS 1.3.2 xml buffer overflow - CVE-2012-1189

[Andres Gomez <agomez () fluidsignal com>]

Speed Dreams (http://www.speed-dreams.org/) is also vulnerable due It is a
TORCS's fork, and they both share most of the code.
Should I ask for a new CVE number? or can I use CVE-2012-1189 for this
issue?

By the way, how can I get disclosed  CVE-2012-1189 details in mitre web
page, since TORCS and Speed Dreams people have already fixed the bugs?.

Regards.

2012/2/18 Andres Gomez <agomez () fluidsignal com>

> http://www.exploit-db.com/exploits/18471/
> http://www.torcs.org
>
> Hi,
>
> I have found another exploitable buffer overflow in torcs, this time it
> does'nt have relation with plib.
> The problem is in:
>
> torcs/src/modules/graphic/ssgraph/grsound.cpp, line 103:
>
> 96     char filename[512];
>         FILE *file = NULL;
>
>         // ENGINE PARAMS
>         tdble rpm_scale;
>         param = GfParmGetStr(handle, "Sound", "engine sample",
> "engine-1.wav");
>         rpm_scale = GfParmGetNum(handle, "Sound", "rpm scale", NULL, 1.0);
> 103   sprintf (filename, "cars/%s/%s", car->_carName, param);
>         file = fopen(filename, "r");
>         if (!file)
>         {
> 107             sprintf (filename, "data/sound/%s", param);
>         }
>         else
>         {
>             fclose(file);
>         }
>
> This section reads a configuration sound option from [any-car].xml, for
> example:
>
> <section name="Sound">
>         <attstr name="engine sample" val="renault-v10.wav"/>
>         <attnum name="rpm scale" val="0.35"/>
> </section>
>
> if audio file name in "engine sample" is enough long it could overwrite
> "filename" buffer (line 96),
> because there is not size validation in line 103 (also in line 107).
>
> I have already notified vendor.
>
> Please use CVE-2012-1189 for this issue.
>
> Regards.
>
> Andrés Gómez