
List:       oss-security
Subject:    Re: [oss-security] CVE Request -- Freeciv (X < 2.3.3): DoS (memory exhaustion or excessive CPU consu
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2012-12-18 17:04:49
Message-ID: 50D0A231.4050802 () redhat ! com

On 12/18/2012 07:13 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
> 
> Freeciv upstream has released 2.3.3 version correcting one security
> issue:
> 
> A denial of service flaw was found in the way the server component 
> of Freeciv, a turn-based, multi-player, X based strategy game, 
> processed certain packets (invalid packets with whole packet
> length lower than packet header size or syntactically valid
> packets, but whose processing would lead to an infinite loop). A
> remote attacker could send a specially-crafted packet that, when
> processed, would lead the freeciv server to terminate (due to memory
> exhaustion) or become unresponsive (due to excessive CPU use).
> 
> References:
> [1] http://aluigi.altervista.org/adv/freecivet-adv.txt
> [2] https://bugs.gentoo.org/show_bug.cgi?id=447490
> [3] http://freeciv.wikia.com/wiki/NEWS-2.3.3
> [4] https://bugzilla.redhat.com/show_bug.cgi?id=888331
> 
> Upstream bug report: [5] http://gna.org/bugs/?20003
> 
> Relevant patch (against trunk): [6]
> http://svn.gna.org/viewcvs/freeciv?view=revision&revision=21670
> 
> Could you allocate a CVE id for this?
> 
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team

Please use CVE-2012-5645 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

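
The first packet class described in the quoted request (declared whole-packet length lower than the header size) is the kind of input a length-prefixed reader has to reject before it buffers or loops. The following is an added example, not part of the original messages and not Freeciv's code or the upstream patch; the 3-byte header layout, the 4096-byte cap and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Assumed framing (hypothetical, not taken from the Freeciv source):
 * 2-byte big-endian total length, header included, then a 1-byte type. */
#define HDR_SIZE   3u
#define MAX_PACKET 4096u  /* assumed cap; bounds per-connection buffering */

enum frame_status { FRAME_OK, FRAME_NEED_MORE, FRAME_BAD_LENGTH };

/* Inspect the front of buf; on FRAME_OK, *frame_len is the bytes to consume. */
enum frame_status next_frame(const uint8_t *buf, size_t avail, size_t *frame_len)
{
    if (avail < HDR_SIZE)
        return FRAME_NEED_MORE;
    size_t len = ((size_t)buf[0] << 8) | buf[1];
    /* Reject a length below the header size (0 = no progress) or above the cap. */
    if (len < HDR_SIZE || len > MAX_PACKET)
        return FRAME_BAD_LENGTH;
    if (avail < len)
        return FRAME_NEED_MORE;
    *frame_len = len;
    return FRAME_OK;
}

/* Drain a receive buffer. Returns the number of frames accepted, or -1 when
 * the peer sent a bad length and the connection should be closed. */
int drain(const uint8_t *buf, size_t avail, size_t *consumed)
{
    int frames = 0;
    size_t off = 0, len = 0;
    for (;;) {
        enum frame_status st = next_frame(buf + off, avail - off, &len);
        if (st == FRAME_BAD_LENGTH) { *consumed = off; return -1; }
        if (st == FRAME_NEED_MORE) break;
        off += len;  /* len >= HDR_SIZE, so every pass makes progress */
        frames++;
    }
    *consumed = off;
    return frames;
}

int main(void)
{
    /* Constructed input: one valid 4-byte frame, then a frame declaring length 0. */
    const uint8_t sample[] = { 0x00, 0x04, 0x01, 0xAA, 0x00, 0x00, 0x01 };
    size_t used = 0;
    int r = drain(sample, sizeof sample, &used);
    printf("result=%d consumed=%zu\n", r, used);
}
```

The second class in the request (syntactically valid packets whose processing loops) is not covered by a framing check and needs bounds in the individual packet handlers.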