From owner-freebsd-ports-bugs@FreeBSD.ORG Mon Dec 2 13:50:01 2013 Return-Path: Delivered-To: freebsd-ports-bugs@smarthost.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id EAD87888 for ; Mon, 2 Dec 2013 13:50:00 +0000 (UTC) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id C5E1614D1 for ; Mon, 2 Dec 2013 13:50:00 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.7/8.14.7) with ESMTP id rB2Do0Mi047555 for ; Mon, 2 Dec 2013 13:50:00 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.7/8.14.7/Submit) id rB2Do0Se047523; Mon, 2 Dec 2013 13:50:00 GMT (envelope-from gnats) Resent-Date: Mon, 2 Dec 2013 13:50:00 GMT Resent-Message-Id: <201312021350.rB2Do0Se047523@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer) Resent-To: freebsd-ports-bugs@FreeBSD.org Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, "rum1cro@yandex.ru" Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 1D469693 for ; Mon, 2 Dec 2013 13:48:41 +0000 (UTC) Received: from oldred.freebsd.org (oldred.freebsd.org [8.8.178.121]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id E412914AB for ; Mon, 2 Dec 2013 13:48:40 +0000 (UTC) Received: from oldred.freebsd.org ([127.0.1.6]) by oldred.freebsd.org (8.14.5/8.14.7) with ESMTP id rB2DmeHX020912 for ; Mon, 2 Dec 2013 13:48:40 GMT (envelope-from nobody@oldred.freebsd.org) Received: (from nobody@localhost) by oldred.freebsd.org (8.14.5/8.14.5/Submit) id rB2Dmece020908; Mon, 2 Dec 2013 13:48:40 GMT (envelope-from nobody) Message-Id: <201312021348.rB2Dmece020908@oldred.freebsd.org> Date: Mon, 2 Dec 2013 13:48:40 GMT From: "rum1cro@yandex.ru" To: freebsd-gnats-submit@FreeBSD.org X-Send-Pr-Version: www-3.1 Subject: ports/184434: [patch] security/vuxml openttd: Denial of service (server) using forcefully crashed aircrafts. X-BeenThere: freebsd-ports-bugs@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Ports bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 02 Dec 2013 13:50:01 -0000 >Number: 184434 >Category: ports >Synopsis: [patch] security/vuxml openttd: Denial of service (server) using forcefully crashed aircrafts. >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: change-request >Submitter-Id: current-users >Arrival-Date: Mon Dec 02 13:50:00 UTC 2013 >Closed-Date: >Last-Modified: >Originator: rum1cro@yandex.ru >Release: FreeBSD 11.0-CURRENT >Organization: Home Inc. ^_^ >Environment: FreeBSD m1cro.park 11.0-CURRENT FreeBSD 11.0-CURRENT #3 r256311M: Fri Oct 11 13:38:42 MSK 2013 root@m1cro.park:/usr/obj/usr/src/sys/MICROKERNEL amd64 >Description: [patch] security/vuxml openttd: Denial of service (server) using forcefully crashed aircrafts. >How-To-Repeat: >Fix: Patch was attached or there: http://m1cro.tk/ports/security/vuxml/vuxml_openttd-1.3.3.patch Patch attached with submission follows: Index: vuln.xml =================================================================== --- vuln.xml (revision 335482) +++ vuln.xml (working copy) @@ -51,6 +51,39 @@ --> + + openttd -- Denial of service using forcefully crashed aircrafts + + + openttd + 0.3.61.3.3 + + + + +

OpenTTD reports:

+
+

The problem is caused by incorrectly handling the fact that + the aircraft circling the corner airport will be outside of the bounds + of the map. In the 'out of fuel' crash code the height of the tile + under the aircraft is determined. In this case that means a tile + outside of the allocated map array, which could occasionally + trigger invalid reads.

+
+ + + + CVE-2013-6411 + https://security.openttd.org/en/CVE-2013-6411 + http://bugs.openttd.org/task/5820 + http://vcs.openttd.org/svn/changeset/26134 + + + 2013-11-28 + 2013-11-28 + + + monitorix -- serious bug in the built-in HTTP server >Release-Note: >Audit-Trail: >Unformatted: