-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/17/2012 08:52 AM, Andres Gomez wrote:
> Name: Stack-based buffer overflow in Planeshift 0.5.9 and earlier
> Software: Planeshift 0.5.9
> Software link: http://www.planeshift.it/
> Vulnerability Type: Buffer overflow
>
> Vulnerability Details:
>
> There is a buffer overflow in planeshift/src/client/chatbubbles.cpp
> line 223:
>
> . . .
>
>      // align
>      csString align = chatNode->GetAttributeValue("align");
>      align.Downcase();
>      if (align == "right")
>          chat.textSettings.align = ETA_RIGHT;
>      else if (align == "center")
>          chat.textSettings.align = ETA_CENTER;
>      else
>          chat.textSettings.align = ETA_LEFT;
>
>      // prefix
> 223> strcpy(chat.effectPrefix, chatNode->GetAttributeValue("effectPrefix"));
>
>      // enabled
> . . .
>
> This line reads a tag inside chatbubbles.xml called effectPrefix.
> If that string is very long, for example:
>
> <chat type="say" enabled="yes" colourR="186" colourG="168"
> colourB="126" shadowR="108" shadowG="98" shadowB="73" align="left"
> effectPrefix="chatbubble_AAAAA....AAAAA" />
>
> it will overwrite the effectPrefix[64] buffer, which can even lead to
> arbitrary code execution.
>
>
> Could a CVE be assigned to this issue?

I'm not familiar with this software (it's a game?). The chat bubbles, can
they come from remote users (like some sort of internal game chat)?

> Thanks,
>
> Andres Gomez.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPtV+JAAoJEBYNRVNeJnmTRtcP/R+w6vfmWPlfF2DDjxmOS25f
qpAnIWXWQWAQ0xv1AJbbeuCd/ChnYG6BHiRpe3RQFHm2LeFJugfWIMrwJyWyVkuD
cf4/5+hxhc7tY8vze51C9budUQZoeo+jalGt5eoOk0mCUqDR2RoLn8Pg2UEzsloO
HNNWlWJ2xP3Qt2cuHbBMQIa3RUA0vFh+cUSP2mvLe//pS/FljLt5k78kV1wzAUEw
DsuxNYoNJ5DoMWSCltsXSsN0tbIGr5vlHkHkWfXzs7POB2dRtJakJj30AkPdpt7r
FZuwoEuvPRsLgrNa6LFpnsbFI9Bw0St3K+XKm+upa0S0o8plI/iUYFhuZOdTkpyf
GaHtSpRoeVZgW8M/yvM3k3Lh/nPywI/ORBrdLcELrgrjMTh/rMyAgh4IBYTYNpaX
Lyca8ZigbmyHzgWF8v/oujdu+9Pu9sdxlPxLMBv9omYa9Sqr8M6U0+OPbXDYzJD1
NQ1ReT2YYQml/KcX3H9/IQ9TL+/1/lpWnY5pEbx6ya/X7jVNKkkDOBAkwkSzgEgD
x5xYC8hxhXSDov3iIpzeZBlN3shRP+BKXCbhbb9ZxPN0fOI8IuJNVUaSzAxTQb5f
+jJuoWVkdr2Rp5cmOonX1wFo1LRvNH8ZD6FXOb+ano+Hwktm+aJCjyxpSSmqXOHb
mYPLwJ9J3ZupuIgFY/lx
=EgCI
-----END PGP SIGNATURE-----
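The following is an added illustration of the issue discussed in the thread above; it is not code from the report, from PlaneShift, or from either poster. It puts the unbounded strcpy() pattern quoted from chatbubbles.cpp line 223 next to a bounded replacement that rejects an attribute value that does not fit. The struct chat_settings layout (a 64-byte effectPrefix, taken from the report's effectPrefix[64], followed by an int), the function names, and the constructed attribute values in the shape of the report's PoC are all assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout: the report says effectPrefix is a 64-byte array in the chat settings.
 * The field after it stands in for whatever really follows the buffer on the stack or in
 * the object; it is the first thing an overflow clobbers. */
#define EFFECT_PREFIX_LEN 64

struct chat_settings {
    char effectPrefix[EFFECT_PREFIX_LEN];
    int  enabled;
};

/* The pattern from chatbubbles.cpp:223 as described in the report: strcpy() with no
 * length check. With a value of 64 bytes or more this writes past effectPrefix, which is
 * undefined behaviour, so it is only ever called here with a short value. */
void set_effect_prefix_unsafe(struct chat_settings *cs, const char *value)
{
    strcpy(cs->effectPrefix, value);
}

/* Hardened replacement: bounded copy, guaranteed NUL terminator, explicit result.
 * Returns 0 on success and -1 when the value is missing or does not fit. Rejecting rather
 * than silently truncating keeps a malformed chatbubbles.xml entry from being half-applied
 * and gives the caller a point at which to log or ignore the node. */
int set_effect_prefix_safe(struct chat_settings *cs, const char *value)
{
    if (value == NULL) {
        cs->effectPrefix[0] = '\0';
        return -1;
    }
    size_t n = strlen(value);
    if (n >= sizeof cs->effectPrefix) {   /* need one byte left for the terminator */
        cs->effectPrefix[0] = '\0';
        return -1;
    }
    memcpy(cs->effectPrefix, value, n + 1);
    return 0;
}

/* Constructed attribute value in the shape of the report's PoC: "chatbubble_" followed by
 * n_as 'A' characters. Returns a static buffer, so each call overwrites the previous one. */
const char *constructed_prefix(size_t n_as)
{
    static char buf[512];
    const char head[] = "chatbubble_";
    size_t head_len = sizeof head - 1;           /* 11 */
    if (n_as > sizeof buf - head_len - 1)
        n_as = sizeof buf - head_len - 1;
    memcpy(buf, head, head_len);
    memset(buf + head_len, 'A', n_as);
    buf[head_len + n_as] = '\0';
    return buf;
}

int main(void)
{
    struct chat_settings cs = { "", 1 };
    const char *ok  = "chatbubble_say";
    const char *bad = constructed_prefix(200);   /* 211 bytes, far past the 64-byte buffer */

    set_effect_prefix_unsafe(&cs, ok);           /* fits, so this call is well-defined */
    printf("unsafe, short value: \"%s\"\n", cs.effectPrefix);

    printf("safe, %zu-byte value: %s\n", strlen(bad),
           set_effect_prefix_safe(&cs, bad) == 0 ? "accepted" : "rejected");
    printf("enabled still %d\n", cs.enabled);
    return 0;
}
```

The boundary worth checking is 63 characters: "chatbubble_" plus 52 'A's fits, one more 'A' makes 64 bytes, which leaves no room for the terminator and is rejected. In the unbounded version that same 64-byte value is the first one that writes outside effectPrefix.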