发布时间 :2006-08-31 17:04:00
修订时间 :2008-09-05 17:06:18

[原文]Array index error in tetrinet.c in gtetrinet 0.7.8 and earlier allows remote attackers to execute arbitrary code via a packet specifying a negative number of players, which is used as an array index.

[CNNVD]GTetrinet tetrinet.c程序数组索引错误漏洞(CNNVD-200608-505)

        gtetrinet 0.7.8及早期版本的tetrinet.c程序存在数组索引错误,远程攻击者可借助将玩家数指定为负数的数据包来执行任意代码。而玩家数会被用于数组索引。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)


- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源
(PATCH)  GENTOO  GLSA-200609-02
(UNKNOWN)  XF  gtetrinet-array-indexing-code-execution(28683)
(UNKNOWN)  BID  19766

- 漏洞信息

GTetrinet tetrinet.c程序数组索引错误漏洞
高危 资料不足
2006-08-31 00:00:00 2006-09-15 00:00:00
        gtetrinet 0.7.8及早期版本的tetrinet.c程序存在数组索引错误,远程攻击者可借助将玩家数指定为负数的数据包来执行任意代码。而玩家数会被用于数组索引。

- 公告与补丁

        GTetrinet GTetrinet 0.7.8
        Debian gtetrinet_0.7.8-1sarge2_alpha.deb
        Debian GNU/Linux 3.1 alias sarge .8-1sarge2_alpha.deb
        Debian gtetrinet_0.7.8-1sarge2_amd64.deb
        Debian GNU/Linux 3.1 alias sarge .8-1sarge2_amd64.deb
        Debian gtetrinet_0.7.8-1sarge2_arm.deb
        Debian GNU/Linux 3.1 alias sarge .8-1sarge2_arm.deb
        Debian gtetrinet_0.7.8-1sarge2_hppa.deb
        Debian GNU/Linux 3.1 alias sarge .8-1sarge2_hppa.deb
        Debian gtetrinet_0.7.8-1sarge2_i386.deb
        Debian GNU/Linux 3.1 alias sarge .8-1sarge2_i386.deb
        Debian gtetrinet_0.7.8-1sarge2_ia64.deb
        Debian GNU/Linux 3.1 alias sarge .8-1sarge2_ia64.deb
        Debian gtetrinet_0.7.8-1sarge2_m68k.deb
        Debian GNU/Linux 3.1 alias sarge .8-1sarge2_m68k.deb
        Debian gtetrinet_0.7.8-1sarge2_mips.deb
        Debian GNU/Linux 3.1 alias sarge .8-1sarge2_mips.deb
        Debian gtetrinet_0.7.8-1sarge2_mipsel.deb
        Debian GNU/Linux 3.1 alias sarge .8-1sarge2_mipsel.deb
        Debian gtetrinet_0.7.8-1sarge2_powerpc.deb
        Debian GNU/Linux 3.1 alias sarge .8-1sarge2_powerpc.deb
        Debian gtetrinet_0.7.8-1sarge2_s390.deb
        Debian GNU/Linux 3.1 alias sarge .8-1sarge2_s390.deb
        Debian gtetrinet_0.7.8-1sarge2_sparc.deb
        Debian GNU/Linux 3.1 alias sarge .8-1sarge2_sparc.deb

- 漏洞信息 (F49685)

Debian Linux Security Advisory 1163-1 (PacketStormID:F49685)
2006-09-07 00:00:00

Debian Security Advisory 1163-1 - Michael Gehring discovered several potential out-of-bounds index accesses in gtetrinet, a multiplayer Tetris-like game, which may allow a remove server to execute arbitrary code.

Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1163-1                                       Martin Schulze
August 30th, 2006             
- --------------------------------------------------------------------------

Package        : gtetrinet
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2006-3125

Michael Gehring discovered several potential out-of-bounds index
accesses in gtetrinet, a multiplayer Tetris-like game, which may allow
a remove server to execute arbitrary code.

For the stable distribution (sarge) these problems have been fixed in
version 0.7.8-1sarge2.

For the unstable distribution (sid) these problems will be fixed soon.

We recommend that you upgrade your gtetrinet package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:
      Size/MD5 checksum:     1458 f0e79e08b32da17b7fec81953058bfd6
      Size/MD5 checksum:     6536 8e5ec47971abaefe25c81eddbd08df03
      Size/MD5 checksum:   513790 bff5b52ead863ac2ac859880abbab2c4

  Alpha architecture:
      Size/MD5 checksum:   305500 ada4429dedbe5c2a6481e2a0a7c2b8aa

  AMD64 architecture:
      Size/MD5 checksum:   295034 657a0a323a479444ed04becdd494726d

  ARM architecture:
      Size/MD5 checksum:   289166 7fceb7b8fd84d2e4e4792222e1ea74bf

  Intel IA-32 architecture:
      Size/MD5 checksum:   291430 8e395773c184dfdb379342fc3805e9ce

  Intel IA-64 architecture:
      Size/MD5 checksum:   316198 76659d5ee5072dfb30c58d9967239936

  HP Precision architecture:
      Size/MD5 checksum:   297686 c55008b4d7d679311a41a331cd3fc437

  Motorola 680x0 architecture:
      Size/MD5 checksum:   284212 9b70187f40dac186929be12f38c900dc

  Big endian MIPS architecture:
      Size/MD5 checksum:   291736 9a30091ac2ab35a65bb4f0689dca0705

  Little endian MIPS architecture:
      Size/MD5 checksum:   290484 1fc68ebb2e3ea41326500e6394c41a6e

  PowerPC architecture:
      Size/MD5 checksum:   293458 8b005ce2049acc89205c9aa74dd3fc4f

  IBM S/390 architecture:
      Size/MD5 checksum:   295194 2fc0597edcad6cc1af5d7b08c734ae08

  Sun Sparc architecture:
      Size/MD5 checksum:   289322 e944d44ed1aa2e9ae32d9d8571affd33

  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb stable/updates main
For dpkg-ftp: dists/stable/updates/main
Mailing list:
Package info: `apt-cache show <pkg>' and<pkg>

Version: GnuPG v1.4.5 (GNU/Linux)



- 漏洞信息

GTetrinet pnum Multiple Array Indexing Remote Code Execution
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Unknown

- 漏洞描述

GTetrinet contains multiple flaws related to out-of-bounds array indexing that may allow an attacker to execute arbitrary code. The flaw exists in tetrinet.c, where a remote attacker may specify a negative number of players, which is used as an array index.

- 时间线

2006-08-30 Unknow
Unknow Unknow

- 解决方案

Upgrade to version 0.7.10 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

- 漏洞信息

GTetrinet Index Out of Bounds Unspecified Remote Code Execution Vulnerability
Unknown 19766
Yes No
2006-08-30 12:00:00 2006-10-24 06:53:00
Michael Gehring is credited with discovering this vulnerability.

- 受影响的程序版本

SuSE SUSE Linux Enterprise Server 8
+ Linux kernel 2.4.21
+ Linux kernel 2.4.19
SuSE SUSE Linux Enterprise Server 10
SuSE SUSE Linux Enterprise Desktop 10
S.u.S.E. UnitedLinux 1.0
S.u.S.E. SuSE Linux Standard Server 8.0
S.u.S.E. SuSE Linux School Server for i386
S.u.S.E. SUSE LINUX Retail Solution 8.0
S.u.S.E. Open-Enterprise-Server 9.0
S.u.S.E. Open-Enterprise-Server 1
S.u.S.E. Office Server
S.u.S.E. Novell Linux Desktop 9.0
S.u.S.E. Novell Linux Desktop 1.0
S.u.S.E. Linux Professional 10.0 OSS
S.u.S.E. Linux Professional 10.0
S.u.S.E. Linux Professional 9.3 x86_64
S.u.S.E. Linux Professional 9.3
S.u.S.E. Linux Professional 9.2 x86_64
S.u.S.E. Linux Professional 9.2
S.u.S.E. Linux Professional 9.1 x86_64
S.u.S.E. Linux Professional 9.1
S.u.S.E. Linux Professional 10.1
S.u.S.E. Linux Personal 10.0 OSS
S.u.S.E. Linux Personal 9.3 x86_64
S.u.S.E. Linux Personal 9.3
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1 x86_64
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 10.1
S.u.S.E. Linux Openexchange Server
S.u.S.E. Linux Office Server
S.u.S.E. Linux Enterprise Server for S/390 9.0
S.u.S.E. Linux Enterprise Server for S/390
S.u.S.E. Linux Enterprise Server 9
S.u.S.E. Linux Desktop 1.0
S.u.S.E. Linux Database Server 0
S.u.S.E. Linux Connectivity Server
GTetrinet GTetrinet 0.7.8
GTetrinet GTetrinet 0.4.4
GTetrinet GTetrinet 0.4.3
GTetrinet GTetrinet 0.4.2
+ Gentoo Linux 1.4 _rc1
+ Gentoo Linux 1.2
GTetrinet GTetrinet 0.4.1
+ Debian Linux 3.0
GTetrinet GTetrinet 0.4
Gentoo Linux
Debian Linux 3.1 sparc
Debian Linux 3.1 s/390
Debian Linux 3.1 ppc
Debian Linux 3.1 mipsel
Debian Linux 3.1 mips
Debian Linux 3.1 m68k
Debian Linux 3.1 ia-64
Debian Linux 3.1 ia-32
Debian Linux 3.1 hppa
Debian Linux 3.1 arm
Debian Linux 3.1 amd64
Debian Linux 3.1 alpha
Debian Linux 3.1

- 漏洞讨论

GTetrinet is prone to an unspecified remote vulnerability. This issue is reportedly due to multiple out-of-bounds index-access flaws.

A remote attacker may exploit this issue to execute arbitrary machine code on the affected computer with the privileges of the user running the vulnerable application.

Very little information is currently available on this vulnerability. This BID will be updated as more information becomes available.

- 漏洞利用

Currently we are not aware of any exploits for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at:

- 解决方案

mailto:vuldb@securityfocus.comThird-party vendor security updates have been released to address this issue. Please see the referenced advisories for more information.

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at:

GTetrinet GTetrinet 0.7.8

- 相关参考