Subject: xpilot (games/xpilot) vulnerability.
To: None <tech-pkg@netbsd.org>
From: Richard Rauch <rauch@rice.edu>
List: tech-pkg
Date: 07/12/2002 08:24:29

While poking around the xpilot.org site (curious about their MS-WINDOWS
support, actually; (^&), I noticed a remark that the game server (xpilots)
has a security vulnerability.  (It was fixed a while back, but our package
is a bit crufty, predating the fix.)

After contacting them, they did not seem eager to contact the NetBSD
package people, but provided me with the following information:

 * The server has a buffer overrun error.  The server can be crashed,
   and one can (at least theoretically) run arbitrary code.

 * It only affects the server.  (If you just run the client, you are
   unaffected.)

 * It affects all versions, not just the MS-WINDOWS version, prior
   to 4.5.1.

 * There does not seem to be any separate patch (or details on the
   problem).  You might be able to dig it out of their CVS archive,
   but it's probably simplest just to upgrade to the current release
   (4.5.3).  (NetBSD's pkgsrc version is something like 4.4.)

 * The xpilot meta-server for connecting to hosts filters out xpilot
   servers that predate the fix.  (I.e., if you run a server built from
   current pkgsrc, you won't get too many players.)


I thought that it was better to comment here than to file a PR.  It
probably should be fixed before the 1.6 release, I assume: I don't think
that anything depends upon xpilot.  The problem is potentially severe.
The current (4.5.3) version compiles painlessly for me and has been
subjected to some testing...(^&

At the very least, the package auditing ``vulnerabilities'' file should
probably be updated.

I don't have any more specific information on the problem.


  ``I probably don't know what I'm talking about.'' --rauch@math.rice.edu