- Add 0001-fix-heap-buffer-overflows-in-UDP-code-CVE-2019-20797.patch

[CVE-2019-20797, boo#1171974]

OBS-URL: https://build.opensuse.org/package/show/games/prboom-plus?expand=0&rev=34

0001-fix-heap-buffer-overflows-in-UDP-code-CVE-2019-20797.patch

@@ -0,0 +1,74 @@
+From 1a081d10e6c71a5b5b2db76081227677f06b47b3 Mon Sep 17 00:00:00 2001
+From: Fabian Greffrath <fabian@greffrath.com>
+Date: Mon, 1 Jun 2020 09:53:23 +0200
+Subject: [PATCH] fix heap buffer overflows in UDP code (CVE-2019-20797) (#85)
+Origin: https://github.com/coelckers/prboom-plus
+
+* fix heap buffer overflows in UDP code (CVE-2019-20797)
+
+* Limit length of buffer passed over to ChecksumPacket().
+  Patch taken from the OP at https://logicaltrust.net/blog/2019/10/prboom1.html
+
+* Never send more than one second worth of tics (i.e. 35) in both the
+  main() routine in d_server.c and NetUpdate() in d_client.c.
+  This avoids overflows of the allocated UDF buffer with a fixed size
+  of 10000 bytes. Theoretically, up to about 35 seconds could be sent in the
+  client code and up to about 7 seconds in the server code, but the
+  network game would be unplayable with such a lag anyway.
+
+  Client code: pkt_size = 8 + 2 + X * 8 (= 9810 for X = 35*35)
+  Server code: pkt_size = 8 + 1 + X * (1 + 4 * (1 + 8)) (= 9074 for X = 7 * 35)
+
+Fixes: #84
+
+* limit number of sent tics to 128
+
+* fix brain bug
+---
+ src/SDL/i_network.c | 2 +-
+ src/d_client.c      | 2 +-
+ src/d_server.c      | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/SDL/i_network.c b/src/SDL/i_network.c
+index 89edab78..7e02706a 100644
+--- a/src/SDL/i_network.c
++++ b/src/SDL/i_network.c
+@@ -240,7 +240,7 @@ size_t I_GetPacket(packet_header_t* buffer, size_t buflen)
+   checksum=buffer->checksum;
+   buffer->checksum=0;
+   if ( (status!=0) && (len>0)) {
+-    byte psum = ChecksumPacket(buffer, udp_packet->len);
++    byte psum = ChecksumPacket(buffer, len); // https://logicaltrust.net/blog/2019/10/prboom1.html
+ /*    fprintf(stderr, "recvlen = %u, stolen = %u, csum = %u, psum = %u\n",
+   udp_packet->len, len, checksum, psum); */
+     if (psum == checksum) return len;
+diff --git a/src/d_client.c b/src/d_client.c
+index 7ce74d4e..054bc595 100644
+--- a/src/d_client.c
++++ b/src/d_client.c
+@@ -351,7 +351,7 @@ void NetUpdate(void)
+       int sendtics;
+       remotesend -= xtratics;
+       if (remotesend < 0) remotesend = 0;
+-      sendtics = maketic - remotesend;
++      sendtics = MIN(maketic - remotesend, 128); // limit number of sent tics (CVE-2019-20797)
+       {
+   size_t pkt_size = sizeof(packet_header_t) + 2 + sendtics * sizeof(ticcmd_t);
+   packet_header_t *packet = Z_Malloc(pkt_size, PU_STATIC, NULL);
+diff --git a/src/d_server.c b/src/d_server.c
+index 1269a861..39c2e3cd 100644
+--- a/src/d_server.c
++++ b/src/d_server.c
+@@ -682,7 +682,7 @@ int main(int argc, char** argv)
+       int tics;
+       if (lowtic <= remoteticto[i]) continue;
+       if ((remoteticto[i] -= xtratics) < 0) remoteticto[i] = 0;
+-      tics = lowtic - remoteticto[i];
++      tics = MIN(lowtic - remoteticto[i], 128); // limit number of sent tics (CVE-2019-20797)
+       {
+         byte *p;
+         packet = malloc(sizeof(packet_header_t) + 1 +
+-- 
+2.26.2
+

prboom-plus.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Jun  9 20:32:48 UTC 2020 - Jan Engelhardt <jengelh@inai.de>
+
+- Add 0001-fix-heap-buffer-overflows-in-UDP-code-CVE-2019-20797.patch
+  [CVE-2019-20797, boo#1171974]
+
 -------------------------------------------------------------------
 Sun Jun  7 22:32:17 UTC 2020 - Jan Engelhardt <jengelh@inai.de>
 

prboom-plus.spec

@@ -25,6 +25,7 @@ Group:          Amusements/Games/3D/Shoot
 URL:            http://prboom-plus.sf.net/
 
 #SVN-Clone:	https://svn.prboom.org/repos/branches/prboom-plus-24/prboom2
+#Sibling-Prj:	https://github.com/coelckers/prboom-plus (umapinfo fork)
 #DL-URL:	http://downloads.sf.net/prboom-plus/prboom-plus-2.5.1.4.tar.gz
 Source:         prboom2-%version.tar.xz
 Patch1:         prboom-nodatetime.diff
@@ -34,6 +35,7 @@ Patch5:         prboom-enable-tessellation.diff
 Patch6:         prboom-hbar-color.diff
 Patch7:         prboom-hbar-all.diff
 Patch8:         prboom-hbar-gradient.diff
+Patch9:         0001-fix-heap-buffer-overflows-in-UDP-code-CVE-2019-20797.patch
 BuildRequires:  Mesa-devel
 BuildRequires:  automake
 BuildRequires:  fluidsynth-devel