Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: fab...@debian.org

Fix for CVE-2020-14983, which doesn't really warrant a DSA. Debdiff attached.

Cheers,
Moritz
diff -Nru chocolate-doom-3.0.0/debian/changelog chocolate-doom-3.0.0/debian/changelog --- chocolate-doom-3.0.0/debian/changelog 2018-02-14 22:16:30.000000000 +0100 +++ chocolate-doom-3.0.0/debian/changelog 2020-09-18 20:26:53.000000000 +0200 @@ -1,3 +1,9 @@ +chocolate-doom (3.0.0-4+deb10u1) buster; urgency=medium + + * CVE-2020-14983 + + -- Moritz Mühlenhoff <j...@debian.org> Fri, 18 Sep 2020 20:26:53 +0200 + chocolate-doom (3.0.0-4) unstable; urgency=medium * Backport patch from upstream GIT to build bash-completion diff -Nru chocolate-doom-3.0.0/debian/patches/0019-CVE-2020-14983.patch chocolate-doom-3.0.0/debian/patches/0019-CVE-2020-14983.patch --- chocolate-doom-3.0.0/debian/patches/0019-CVE-2020-14983.patch 1970-01-01 01:00:00.000000000 +0100 +++ chocolate-doom-3.0.0/debian/patches/0019-CVE-2020-14983.patch 2020-09-18 17:25:58.000000000 +0200 
@@ -0,0 +1,70 @@ +From f1a8d991aa8a14afcb605cf2f65cd15fda204c56 Mon Sep 17 00:00:00 2001 +From: Fabian Greffrath <fab...@greffrath.com> +Date: Wed, 24 Jun 2020 12:45:03 +0200 +Subject: [PATCH 1/2] net: fix missing server-side num_players validation + (CVE-2020-14983) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The server in Chocolate Doom 3.0.0 and Crispy Doom 5.8.0 doesn't +validate the user-controlled num_players value, leading to a buffer +overflow. A malicious user can overwrite the server's stack. + +Fixes CVE-2020-14983, found by Michał Dardas from LogicalTrust. + +Fixes: #1293. +--- + src/net_structrw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/net_structrw.c b/src/net_structrw.c +index 437bc71a5..2dbd2740a 100644 +--- a/src/net_structrw.c ++++ b/src/net_structrw.c +@@ -116,7 +116,7 @@ boolean NET_ReadSettings(net_packet_t *packet, net_gamesettings_t *settings) + return false; + } + +- for (i = 0; i < settings->num_players; ++i) ++ for (i = 0; i < settings->num_players && i < NET_MAXPLAYERS; ++i) + { + if (!NET_ReadInt8(packet, + (unsigned int *) &settings->player_classes[i])) + +From 54fb12eeaa7d527defbe65e7e00e37d5feb7c597 Mon Sep 17 00:00:00 2001 +From: Fabian Greffrath <fab...@greffrath.com> +Date: Wed, 24 Jun 2020 12:49:14 +0200 +Subject: [PATCH 2/2] net: fix missing client-side ticdup validation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The client does not validate settings coming from the server. The +ticdup value is used as a divider in arithmetic operations. If the +server sends this value equal to zero, the client will crash with a +Floating Pointer Exception. + +Found by Michał Dardas from LogicalTrust. + +Fixes: #1292. 
+--- + src/d_loop.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/d_loop.c b/src/d_loop.c +index 61a42d546..b963054a4 100644 +--- a/src/d_loop.c ++++ b/src/d_loop.c +@@ -413,6 +413,11 @@ void D_StartNetGame(net_gamesettings_t *settings, + ticdup = settings->ticdup; + new_sync = settings->new_sync; + ++ if (ticdup < 1) ++ { ++ I_Error("D_StartNetGame: invalid ticdup value (%d)", ticdup); ++ } ++ + // TODO: Message disabled until we fix new_sync. + //if (!new_sync) + //{ diff -Nru chocolate-doom-3.0.0/debian/patches/series chocolate-doom-3.0.0/debian/patches/series --- chocolate-doom-3.0.0/debian/patches/series 2018-02-14 21:20:05.000000000 +0100 +++ chocolate-doom-3.0.0/debian/patches/series 2020-09-18 17:26:46.000000000 +0200 @@ -17,3 +17,4 @@ 0018-hexen-Remove-test-code-mistakenly-added.patch 0017-hexen-Fix-spelling-error.patch 0001-bash-completion-Build-from-actual-shell-script-templ.patch +0019-CVE-2020-14983.patch
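Review bot: the debian/changelog entry for 3.0.0-4+deb10u1 says only `* CVE-2020-14983`, while 0019-CVE-2020-14983.patch carries two upstream commits, and the second one (client-side ticdup validation, Fixes: #1292) does not mention the CVE in its subject or message. Suggest naming the patch file in the entry and listing the ticdup fix as well, so the changelog records everything this upload changes.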
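Review bot: in the src/net_structrw.c hunk, the added `i < NET_MAXPLAYERS` condition bounds the writes to `settings->player_classes[i]`, but NET_ReadSettings still accepts the packet and leaves `settings->num_players` holding the oversized value for any code that reads the field afterwards. Returning false before the loop when `settings->num_players` exceeds NET_MAXPLAYERS would reject the malformed settings instead of silently truncating the loop, and would match the "validation" wording in the commit subject.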
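Review bot: in the src/d_loop.c hunk, the `ticdup < 1` check calls I_Error from D_StartNetGame, so a server that sends a ticdup of zero still terminates the client, now with an error message rather than a floating point exception. If the intent is to survive a hostile server, consider validating the value where the settings are read from the packet and failing the read there, so the client can refuse the game and keep running. Only the lower bound is checked here; if ticdup has a sensible maximum, checking it in the same place would complete the validation.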