Gentoo: Crossfire server Denial of Service and potential - The Community's Center for Security


The central voice for Linux and Open Source security news

Welcome!

Sign up!

EnGarde Community

Polls

What is the most important Linux security technology?

	SELinux
	grsecurity
	CIS Benchmark
	Bastille Linux
	iptables
	LIDS

Advisories

Community

Linux Events

Linux User Groups

Link to Us

Security Center

Book Reviews

Security Dictionary

Security Tips

SELinux

White Papers

Featured Blogs

All About Linux

DanWalsh LiveJournal

Securitydistro

Latest Newsletters

Linux Security Week: February 6th, 2012

Linux Advisory Watch: February 3rd, 2012

LinuxSecurity Newsletters

RSS Feeds

Get the LinuxSecurity news you want faster with RSS

Gentoo: Crossfire server Denial of Service and potential

User Rating:

How can I rate this item?

Posted by Benjamin D. Thomas

The Crossfire game server is vulnerable to a Denial of Service and potentially to the execution of arbitrary code.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200604-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Crossfire server: Denial of Service and potential arbitrary
            code execution
      Date: April 22, 2006
      Bugs: #126169
        ID: 200604-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

The Crossfire game server is vulnerable to a Denial of Service and
potentially to the execution of arbitrary code.

Background
==========

Crossfire is a cooperative multiplayer graphical adventure and
role-playing game. The Crossfire game server allows various compatible
clients to connect to participate in a cooperative game.

Affected packages
=================

    -------------------------------------------------------------------
     Package                        /  Vulnerable  /        Unaffected
    -------------------------------------------------------------------
  1  games-server/crossfire-server       < 1.9.0              >= 1.9.0

Description
===========

Luigi Auriemma discovered a vulnerability in the Crossfire game server,
in the handling of the "oldsocketmode" option when processing overly
large requests.

Impact
======

An attacker can set up a malicious Crossfire client that would send a
large request in "oldsocketmode", resulting in a Denial of Service on
the Crossfire server and potentially in the execution of arbitrary code
on the server with the rights of the game server.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Crossfire server users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose
">=games-server/crossfire-server-1.9.0"

References
==========

  [ 1 ] CVE-2006-1010
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1010

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200604-11.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0