Vulnerabilities > CVE-2019-10878 - Out-of-bounds Write vulnerability in Teeworlds 0.7.2
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
In Teeworlds 0.7.2, there is a failed bounds check in CDataFileReader::GetData() and CDataFileReader::ReplaceData() and related functions in engine/shared/datafile.cpp that can lead to an arbitrary free and out-of-bounds pointer write, possibly resulting in remote code execution.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 1 |
Common Weakness Enumeration (CWE)
Nessus
NASL family SuSE Local Security Checks NASL id OPENSUSE-2019-1793.NASL description This update for teeworlds fixes the following issues : - CVE-2019-10879: An integer overflow in CDataFileReader::Open() could have lead to a buffer overflow and possibly remote code execution, because size-related multiplications were mishandled. (boo#1131729) - CVE-2019-10878: A failed bounds check in CDataFileReader::GetData() and CDataFileReader::ReplaceData() and related functions could have lead to an arbitrary free and out-of-bounds pointer write, possibly resulting in remote code execution. - CVE-2019-10877: An integer overflow in CMap::Load() could have lead to a buffer overflow, because multiplication of width and height were mishandled. - CVE-2018-18541: Connection packets could have been forged. There was no challenge-response involved in the connection build up. A remote attacker could have sent connection packets from a spoofed IP address and occupy all server slots, or even use them for a reflection attack using map download packets. (boo#1112910) - Update to version 0.7.3.1 - Colorful gametype and level icons in the browser instead of grayscale. - Add an option to use raw mouse inputs, revert to (0.6) relative mode by default. - Demo list marker indicator. - Restore ingame Player and Tee menus, add a warning that a reconnect is needed. - Emotes can now be cancelled by releasing the mouse in the middle of the circle. - Improve add friend text. - Add a confirmation for removing a filter - Add a last seen 2020-06-01 modified 2020-06-02 plugin id 126977 published 2019-07-24 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/126977 title openSUSE Security Update : teeworlds (openSUSE-2019-1793) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2019-1793. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(126977); script_version("1.2"); script_cvs_date("Date: 2020/01/06"); script_cve_id("CVE-2018-18541", "CVE-2019-10877", "CVE-2019-10878", "CVE-2019-10879"); script_name(english:"openSUSE Security Update : teeworlds (openSUSE-2019-1793)"); script_summary(english:"Check for the openSUSE-2019-1793 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update for teeworlds fixes the following issues : - CVE-2019-10879: An integer overflow in CDataFileReader::Open() could have lead to a buffer overflow and possibly remote code execution, because size-related multiplications were mishandled. (boo#1131729) - CVE-2019-10878: A failed bounds check in CDataFileReader::GetData() and CDataFileReader::ReplaceData() and related functions could have lead to an arbitrary free and out-of-bounds pointer write, possibly resulting in remote code execution. - CVE-2019-10877: An integer overflow in CMap::Load() could have lead to a buffer overflow, because multiplication of width and height were mishandled. - CVE-2018-18541: Connection packets could have been forged. There was no challenge-response involved in the connection build up. A remote attacker could have sent connection packets from a spoofed IP address and occupy all server slots, or even use them for a reflection attack using map download packets. (boo#1112910) - Update to version 0.7.3.1 - Colorful gametype and level icons in the browser instead of grayscale. - Add an option to use raw mouse inputs, revert to (0.6) relative mode by default. - Demo list marker indicator. - Restore ingame Player and Tee menus, add a warning that a reconnect is needed. - Emotes can now be cancelled by releasing the mouse in the middle of the circle. - Improve add friend text. - Add a confirmation for removing a filter - Add a 'click a player to follow' hint - Also hint players which key they should press to set themselves ready. - fixed using correct array measurements when placing egg doodads - fixed demo recorder downloaded maps using the sha256 hash - show correct game release version in the start menu and console - Fix platform-specific client libraries for Linux - advanced scoreboard with game statistics - joystick support (experimental!) - copy paste (one-way) - bot cosmetics (a visual difference between players and NPCs) - chat commands (type / in chat) - players can change skin without leaving the server (again) - live automapper and complete rules for 0.7 tilesets - audio toggling HUD - an Easter surprise... - new gametypes: 'last man standing' (LMS) and 'last team standing' (LTS). survive by your own or as a team with limited weaponry - 64 players support. official gametypes are still restricted to 16 players maximum but allow more spectators - new skin system. build your own skins based on a variety of provided parts - enhanced security. all communications require a handshake and use a token to counter spoofing and reflection attacks - new maps: ctf8, dm3, lms1. Click to discover them! - animated background menu map: jungle, heavens (day/night themes, customisable in the map editor) - new design for the menus: added start menus, reworked server browser, settings - customisable gametype icons (browser). make your own! - chat overhaul, whispers (private messages) - composed binds (ctrl+, shift+, alt+) - scoreboard remodelled, now shows kills/deaths - demo markers - master server list cache (in case the masters are unreachable) - input separated from rendering (optimisation) - upgrade to SDL2. support for multiple monitors, non-english keyboards, and more - broadcasts overhaul, optional colours support - ready system, for competitive settings - server difficulty setting (casual, competitive, normal), shown in the browser - spectator mode improvements: follow flags, click on players - bot flags for modified servers: indicate NPCs, can be filtered out in the server browser - sharper graphics all around (no more tileset_borderfix and dilate) - refreshed the HUD, ninja cooldown, new mouse cursor - mapres update (higher resolution, fixes...)" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1112910" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1131729" ); script_set_attribute( attribute:"solution", value:"Update the affected teeworlds packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:teeworlds"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:teeworlds-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:teeworlds-debugsource"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.1"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/10/20"); script_set_attribute(attribute:"patch_publication_date", value:"2019/07/23"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/24"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE15\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "15.1", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(x86_64)$") audit(AUDIT_ARCH_NOT, "x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE15.1", reference:"teeworlds-0.7.3.1-lp151.2.3.1") ) flag++; if ( rpm_check(release:"SUSE15.1", reference:"teeworlds-debuginfo-0.7.3.1-lp151.2.3.1") ) flag++; if ( rpm_check(release:"SUSE15.1", reference:"teeworlds-debugsource-0.7.3.1-lp151.2.3.1") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "teeworlds / teeworlds-debuginfo / teeworlds-debugsource"); }
NASL family Fedora Local Security Checks NASL id FEDORA_2019-D29E04FA11.NASL description Restore s390x builds. ---- 0.7.3.1 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 124687 published 2019-05-08 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124687 title Fedora 30 : teeworlds (2019-d29e04fa11) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory FEDORA-2019-d29e04fa11. # include("compat.inc"); if (description) { script_id(124687); script_version("1.3"); script_cvs_date("Date: 2020/01/21"); script_cve_id("CVE-2019-10877", "CVE-2019-10878", "CVE-2019-10879"); script_xref(name:"FEDORA", value:"2019-d29e04fa11"); script_name(english:"Fedora 30 : teeworlds (2019-d29e04fa11)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "Restore s390x builds. ---- 0.7.3.1 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2019-d29e04fa11" ); script_set_attribute( attribute:"solution", value:"Update the affected teeworlds package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:teeworlds"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:30"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/04/05"); script_set_attribute(attribute:"patch_publication_date", value:"2019/05/07"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/08"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! preg(pattern:"^30([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 30", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC30", reference:"teeworlds-0.7.3.1-2.fc30")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "teeworlds"); }
References
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00046.html
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00046.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00077.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00077.html
- https://github.com/teeworlds/teeworlds/issues/2073
- https://github.com/teeworlds/teeworlds/issues/2073
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KCS2CFDYJFBLZ4QKVPNJWHOZEGQ2LBC/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KCS2CFDYJFBLZ4QKVPNJWHOZEGQ2LBC/