oss-sec mailing list archives
Re: CVE Request: Planeshift buffer overflow
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 17 May 2012 14:28:57 -0600
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 05/17/2012 08:52 AM, Andres Gomez wrote:
Name: Stack-based buffer overflow in Planeshift 0.5.9 and earlier Software: Planeshift 0.5.9 Software link: http://www.planeshift.it/ Vulnerability Type: Buffer overflow Vulnerability Details: There is a buffer overflow in planeshift/src/client/chatbubbles.cpp line 223: . . . // align csString align = chatNode->GetAttributeValue("align"); align.Downcase(); if (align == "right") chat.textSettings.align = ETA_RIGHT; else if (align == "center") chat.textSettings.align = ETA_CENTER; else chat.textSettings.align = ETA_LEFT; // prefix 223> strcpy(chat.effectPrefix, chatNode->GetAttributeValue("effectPrefix")); //enabled . . . this line reads a tag inside chatbubbles.xml called effectPrefix. If that string is very long, for example: <chat type="say" enabled="yes" colourR="186" colourG="168" colourB="126" shadowR="108" shadowG="98" shadowB="73" align="left" effectPrefix="chatbubble_AAAAA....AAAAA" /> It will overwrite effectPrefix[64] buffer, which can lead even to arbitrary code execution. Could a CVE be assigned to this issue?
I'm not familiar with this software (it's a game?) the chat bubbles, can they come from remote users (like some sort of internal game chat)?
Thanks, Andres Gomez.
- -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJPtV+JAAoJEBYNRVNeJnmTRtcP/R+w6vfmWPlfF2DDjxmOS25f qpAnIWXWQWAQ0xv1AJbbeuCd/ChnYG6BHiRpe3RQFHm2LeFJugfWIMrwJyWyVkuD cf4/5+hxhc7tY8vze51C9budUQZoeo+jalGt5eoOk0mCUqDR2RoLn8Pg2UEzsloO HNNWlWJ2xP3Qt2cuHbBMQIa3RUA0vFh+cUSP2mvLe//pS/FljLt5k78kV1wzAUEw DsuxNYoNJ5DoMWSCltsXSsN0tbIGr5vlHkHkWfXzs7POB2dRtJakJj30AkPdpt7r FZuwoEuvPRsLgrNa6LFpnsbFI9Bw0St3K+XKm+upa0S0o8plI/iUYFhuZOdTkpyf GaHtSpRoeVZgW8M/yvM3k3Lh/nPywI/ORBrdLcELrgrjMTh/rMyAgh4IBYTYNpaX Lyca8ZigbmyHzgWF8v/oujdu+9Pu9sdxlPxLMBv9omYa9Sqr8M6U0+OPbXDYzJD1 NQ1ReT2YYQml/KcX3H9/IQ9TL+/1/lpWnY5pEbx6ya/X7jVNKkkDOBAkwkSzgEgD x5xYC8hxhXSDov3iIpzeZBlN3shRP+BKXCbhbb9ZxPN0fOI8IuJNVUaSzAxTQb5f +jJuoWVkdr2Rp5cmOonX1wFo1LRvNH8ZD6FXOb+ano+Hwktm+aJCjyxpSSmqXOHb mYPLwJ9J3ZupuIgFY/lx =EgCI -----END PGP SIGNATURE-----
Current thread:
- CVE Request: Planeshift buffer overflow Andres Gomez (May 17)
- Re: CVE Request: Planeshift buffer overflow Kurt Seifried (May 17)
- Re: CVE Request: Planeshift buffer overflow Andres Gomez (May 17)
- Re: CVE Request: Planeshift buffer overflow Kurt Seifried (May 17)
- Re: CVE Request: Planeshift buffer overflow Andres Gomez (May 17)
- Re: CVE Request: Planeshift buffer overflow Kurt Seifried (May 17)
- Re: CVE Request: Planeshift buffer overflow Andres Gomez (May 17)
- Re: CVE Request: Planeshift buffer overflow Kurt Seifried (May 17)