CRITICAL BUG FOUND, PLEASE UPGRADE YOUR SERVERS

Started by Amanieu, June 07, 2008, 03:28:50 PM

Amanieu

A very serious bug has been found, which affects every single Tremulous server. I will not disclose any information about how to reproduce it. If you do know, please do not tell people about it, it will only make this situation worse.

For server owners:
Check to see if a newer version of the qvm you are using is available. Notify the authors if that has not been done yet.

For qvm makers:
Apply the following patch to your code and release a new version of your qvm immediately.
http://code.google.com/p/p-g-qvm/issues/detail?id=111
Thanks to Rezyn for the patch! :)
Quote
< kevlarman> zakk is getting his patches from shady frenchmen on irc
< kevlarman> this can't be a good sign :P

David

If your QVM doesn't have an update, use laks, it's fixed and released.
Any maps not in the MG repo?  Email me or come to irc.freenode.net/#mg.
--
My words are mine and mine alone.  I can't speak for anyone else, and there is no one who can speak for me.  If I ever make a post that gives the opinions or positions of other users or groups, then they will be clearly labeled as such.
I'm disappointed that people's past actions have forced me to state what should be obvious.
I am not a dev.  Nothing I say counts for anything.


Divmax

1.1.0 vanilla servers are safe, although they already have a lot of bugs.

QVM Status:
PGQVM - Updated and has released an official version.
Amanieu's QVM - Updated and has released an official version.
Lakitu7's QVM - Updated and has released an official version.

TremWars QVM - Updated in the SVN and on the server.
Equilibrium QVM - Updated and has released an official version.
Tremulous SVN - Updated and fixed from r1090 onwards.

Red denotes that it isn't fixed.
Green denotes it is fixed.



Links to fixed QVMs (you might be required to compile)
Just download:
Lakitu7's Latest QVM
PGQVM
Required to compile:
Amanieu's QVM (fixed in SVN)
TremWars QVM (fixed in SVN)
Quote from: /dev/humancontroller on June 07, 2008, 04:28:48 PM
Now let's go crash some servers! xD
Seriously, don't.
I'm a developer for the following projects (now I'm inactive):
TremWars's QVM (not updated anymore)
TremWars's Client and Server Executable
TremWars's QVM 2

Amanieu

Tremulous svn is also affected btw. I already submitted a bug report.

Paradox


∧OMG ENTROPY∧

Divmax

People using Lakitu's QVM and TremWars QVM, please update because a new exploit is found.

Amanieu

Lakitu7's qvm 5.21 still has the bug in another form. Must upgrade to 5.22.

Lakitu7

5.22 posted. Everyone did rather jump the gun in assuming that the 5.21 I released last night was this bug rather than the bug it actually was. Oh well.

Amanieu needs to not release bugs so publicly next time so things are not so frantic. The actual exploit was on public irc before anyone had fixes. That's no good.

Also Trem SVN needs someone to commit this.

Rocinante

And someone was running around to other servers crashing them intentionally...
}MG{Mercenaries Guild
"On my ship, the Rocinante, wheeling through the galaxies, headed for the heart of Cygnus, headlong into mystery." -- Rush, "Cygnus X-1"

blood2.0


Rocinante

It causes servers to crash.  That's already more than should be "in the wild" about this, but since the cat was already let out of the bag that's as much as will be discussed in public :>

ziplocpeople

This bug seems to be a very big pain. I can only hope that all the trem servers will update IMMEDIATELY. This bug has already caused enough trouble, and I don't want to see any more crashes because of it.
Quote from: Sir|Periculosus
yes yes spam a little more and he'll understand! yes yes
I support spam bots
I support Hindi
~The Medistation

+ OPTIMUS +

!!!GRIN!!!

what was this? :-) attack of the killer bees? sounded like if a bug would've set a granger free from the game :-D
success is the ability to go from failure to failure without losing your enthusiasm

+PICS+

zaborack

The 'Unlimited BP' server will hopefully be up and running again soon, with a new QVM.
Thank you for your help.

AirJordan


Lakitu7

Quote from: AirJordan on June 08, 2008, 12:52:54 AM
doesn't work for me.....not for Mac OSX :'(

This has absolutely nothing to do with what version of anything you are running. It affects QVM files, which are platform independent. If you are not running a public Tremulous server which runs a game.qvm other than the one that comes with it, this does not affect you. If you are only a player with a client, this does not affect you.

If you do run a server and are trying to apply this patch to qvm files that you compile yourself, this patch will not change whether or not it compiles. If you already have a working build environment, it will work. If not, it will not.

Le Compilateur

Equilibrium QVM 2.5 released. Contains bugfix patch. Note: previous versions do not contain the patch and as such are still susceptible to this bug.
I'm a developer! If you'd like to contribute to the Equilibrium QVM project or download the latest version, please visit this thread.

QVMs now compile under Leopard; get the patch here. Requires SVN r1053 or later.

wireddd

All of the Knights of Reason servers are patched, including the tremx server. If you are running a custom qvm I made and need help, or a new one, let me know via a pm here or on my forums, and I will help you out.

Paradox

I saw a person attempting to crash servers yesterday.
One of my admins wrote down his IP.

If you want it, I'll PM you


Le Compilateur

I'd like it please. I don't want this jerk coming on my server(s).

Vociferous

Takhis.net was updated a few days ago, was the first thing I did when I heard of an exploit in the wild. :)

slux_ITA

MxB private server fixed with the last paradox QVM.
Prolinux server will be fixed soon!

Thanks to all!

tuple

FWIW, I wouldn't announce servers that haven't been or will be patched.  You'll just attract the party crashers. ;)

Le Compilateur


blood2.0

ok at least what is the error message and how do I patch

TinMan

Quote from: Amanieu on June 07, 2008, 03:28:50 PM
I will not disclose any information about how to reproduce it. If you do know, please do not tell people about it, it will only make this situation worse.

LOL SECURITY THROUGH OBSCURITY! Too bad this game is OpenSource. When you find a bug you tell everybody, then it gets fixed.
This was useful for buffer overflows mid-scrim :P
Linux: ~/.tremulous/base/
Mac: ~/Library/Application\ Support/Tremulous/base/
Windows: C:\Documents and Settings\username\Local Settings\Application Data\Tremulous\base\

NeonPulse
http://neonpulse.net/media/games/tremulous/base/autoexec.cfg

David

Quote from: TinMan on June 12, 2008, 08:59:34 PM
LOL SECURITY THROUGH OBSCURITY!
LOL CAN'T READ!
Please learn about the concept of "Security by Obscurity" so you can understand what it is you're talking about.

TinMan

Um, David, re-read that, let it sink in, and then you'll understand. The first post in this thread is about not telling others about the problem but just having QVM developers apply the patch to their new releases. That would fall under a method of "security through obscurity" if he doesn't want others looking into the issue or knowing about it.

What should happen is "Hey guys, there's a buffer overflow problem that some kiddies have been exploiting, don't be ignorant of it, go to this bug page, read into how it happens and make sure you get a new QVM with it patched, inform your server's admins about it, and spread the word to other server admins, especially the new ones."

(Mr. Comma is my biah)

David

Nobody is trying to 'hide' anything.
Not screaming it from the roof tops != security through obscurity.
It's just good common sense.
Security through obscurity would be not telling anyone how the pure check works, or not giving out the source code.
What's happening here is called full disclosure, and if in keeping with the de facto standard way would be a lot lighter on detail.