svn commit: r335546 - in head: games/openttd security/vuxml

Alexey Dokuchaev danfe at FreeBSD.org
Tue Dec 3 06:28:05 UTC 2013 

Author: danfe
Date: Tue Dec  3 06:28:03 2013
New Revision: 335546
URL: http://svnweb.freebsd.org/changeset/ports/335546

Log:
  Update to version 1.3.3, which fixes an important crashy bug: denial of
  service (server) using forcefully crashed aircrafts.
  
  While here, reduce the diffs between other OpenTTD's VuXML entries; and
  limit build logs verbosity to bulk package builders (or batch builds).
  
  PR:		ports/184434, ports/184435
  Submitted by:	Ilya A. Arkhipov
  Security:	CVE-2013-6411

Modified:
  head/games/openttd/Makefile
  head/games/openttd/distinfo
  head/security/vuxml/vuln.xml

Modified: head/games/openttd/Makefile
==============================================================================
--- head/games/openttd/Makefile	Tue Dec  3 02:37:51 2013	(r335545)
+++ head/games/openttd/Makefile	Tue Dec  3 06:28:03 2013	(r335546)
@@ -2,7 +2,7 @@
 # $FreeBSD$
 
 PORTNAME=	openttd
-PORTVERSION=	1.3.2
+PORTVERSION=	1.3.3
 CATEGORIES=	games
 MASTER_SITES=	http://ftp.snt.utwente.nl/pub/games/openttd/binaries/releases/${PORTVERSION}/ \
 		http://us.binaries.openttd.org/binaries/releases/${PORTVERSION}/
@@ -21,7 +21,10 @@ USE_XZ=		yes
 HAS_CONFIGURE=	yes
 CONFIGURE_ENV=	STRIP="${STRIP_CMD} ${STRIP}"
 CONFIGURE_ARGS=	--prefix-dir="${PREFIX}" --data-dir="${DATADIR_REL}"
-MAKE_ARGS=	VERBOSE=1		# We want to see what's going on
+
+.if defined(BATCH) || defined(PACKAGE_BUILDING)
+MAKE_ARGS=	VERBOSE=1
+.endif
 
 WRKSRC=		${WRKDIR}/${PORTNAME}-${PORTVERSION}
 CXXFLAGS=	# Set to empty as OpenTTD treats it as an addition to CFLAGS

Modified: head/games/openttd/distinfo
==============================================================================
--- head/games/openttd/distinfo	Tue Dec  3 02:37:51 2013	(r335545)
+++ head/games/openttd/distinfo	Tue Dec  3 06:28:03 2013	(r335546)
@@ -1,2 +1,2 @@
-SHA256 (openttd-1.3.2-source.tar.xz) = f6efc0cd0c4f4315a98844c331acc2e02322d5671ec376b9f0a11795b0eb270b
-SIZE (openttd-1.3.2-source.tar.xz) = 6347104
+SHA256 (openttd-1.3.3-source.tar.xz) = 6991ed2c0170481800c3a92a1b43546821a658de91d3ac7efe868588387eca5d
+SIZE (openttd-1.3.3-source.tar.xz) = 6370128

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Tue Dec  3 02:37:51 2013	(r335545)
+++ head/security/vuxml/vuln.xml	Tue Dec  3 06:28:03 2013	(r335546)
@@ -51,6 +51,39 @@ Note:  Please add new entries to the beg
 
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="d2073237-5b52-11e3-80f7-c86000cbc6ec">
+    <topic>OpenTTD -- Denial of service using forcefully crashed aircrafts</topic>
+    <affects>
+      <package>
+	<name>openttd</name>
+	<range><ge>0.3.6</ge><lt>1.3.3</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>The OpenTTD Team reports:</p>
+	<blockquote cite="https://security.openttd.org/en/CVE-2013-6411">
+	  <p>The problem is caused by incorrectly handling the fact that
+	    the aircraft circling the corner airport will be outside of the
+	    bounds of the map.  In the 'out of fuel' crash code the height
+	    of the tile under the aircraft is determined.  In this case
+	    that means a tile outside of the allocated map array, which
+	    could occasionally trigger invalid reads.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2013-6411</cvename>
+      <url>https://security.openttd.org/en/CVE-2013-6411</url>
+      <url>http://bugs.openttd.org/task/5820</url>
+      <url>http://vcs.openttd.org/svn/changeset/26134</url>
+    </references>
+    <dates>
+      <discovery>2013-11-28</discovery>
+      <entry>2013-11-28</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="620cf713-5a99-11e3-878d-20cf30e32f6d">
     <topic>monitorix -- serious bug in the built-in HTTP server</topic>
     <affects>
@@ -12132,7 +12165,7 @@ executed in your Internet Explorer while
     </affects>
     <description>
       <body xmlns="http://www.w3.org/1999/xhtml">
-	<p>OpenTTD reports:</p>
+	<p>The OpenTTD Team reports:</p>
 	<blockquote cite="http://security.openttd.org/en/CVE-2012-3436">
 	  <p>Denial of service (server) using ships on half tiles and
 	    landscaping.</p>
@@ -28394,7 +28427,7 @@ executed in your Internet Explorer while
     </affects>
     <description>
       <body xmlns="http://www.w3.org/1999/xhtml">
-	<p>OpenTTD project reports:</p>
+	<p>The OpenTTD Team reports:</p>
 	<blockquote cite="http://security.openttd.org/en/CVE-2010-2534">
 	  <p>When multiple commands are queued (at the server) for execution
 	    in the next game tick and an client joins the server can get into

More information about the svn-ports-head mailing list