Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-19 Thread David Anderson
On Linux there are binary portability problems linking to libstdc++ 
either statically or dynamically. It's off-topic to this thread, but:

  - dlopen() on a shared library that links to libstdc++ can fail if the 
host app or system uses an older version of libc (because of PT_TLS 
references) and does not link to libstdc++ (HLDS, for example).
  - sharing libstdc++ structures across libraries can get you into ABI 
trouble! We have caused some accidental crashes in Valve code. It 
statically embeds some version of libstdc++ from a distro's gcc-3.4.

For more information I invite you to read:
  http://www.trilithium.com/johan/2005/06/static-libstdc/
  http://pages.cs.wisc.edu/~psilord/blog/3.html

So there are gotchas but they are more salient to us plugin writers than 
Valve itself, or people that get to distribute host apps.

Regards,
--
David Anderson
http://www.bailopan.net/

On 8/19/09 6:34 PM, Shane Turner wrote:
> Saul,
>
> You're mistaken. The C++ portion of the code base at my current employer
> is statically linked. We've been compiling the code that way for close
> to a decade. The code itself uses STL, streams, makes heavy use of
> templates, etc.  We build on Debian and release on RedHat/CentOS and
> Solaris (albeit rarely now).
>
> Shane Turner
>
> Saul Rennison wrote:
>> If you knew anything about C++ you'd understand how unportable STL is
>> across various Linux distributions, and how impossible it is to
>> statically link it into the code.
>>
>> Thanks,
>> - Saul.
>>
>> On 18 Aug 2009, at 21:03, Stefan Popp  wrote:
>>
>>> Thats not right ;)
>>>
>>> The programming language is the problem in this case. Why should i write
>>> my code with functions that shouldnt be used with C++?
>>> C++ works with the stdlib, which means streams. Not C stuff. So its
>>> finally up to Valve to write programs which follows C++ standards not C.
>>> You cant trust your users as programmer. Its up to us, to make the
>>> source safe, and if the projecttime needs 2 weeks more, you should spend
>>> the time.
>>>
>>>
>>> Ronny Schedel wrote:
>>>> The problem is not the programming language, the problem is that
>>>> Valve trust their game clients too much.
>>>>
>>>>> Well,
>>>>>
>>>>> Valve should start coding c++ with steams ;)
>>>>> Who works with printfs today?
>>>>>
>>>>> I hope Valve will fix the whole source to prevent overflows.
>>>>> C++ is your friend, not old C stuff...
>>>>>
>>>>> Best regards,
>>>>> Stefan Popp
>>>>>
>>>>> Claudio Beretta wrote:
>>>>>> Thanks, anyone knows if a workaround is available?
>>>>>>
>>>>>> BTW: aren't "security researchers" supposed to contact the developers
>>>>>> before releasing 0-day exploits? This is the 2nd 0-day exploit from
>>>>>> aluigi in a few weeks -.-
>>>>>>
>>>>>> On Tue, Aug 18, 2009 at 6:44 PM, Morgan Humes wrote:
>>>>>>> A friend forwarded me this info regarding a vulnerability.  I am
>>>>>>> unable to test this at the moment, but it does look like it is
>>>>>>> possible. Thought I would get this out to the community before
>>>>>>> others start using this to cause havoc.
>>>>>>>
>>>>>>> http://www.vupen.com/english/advisories/2009/2296
>>>>>>> http://aluigi.altervista.org/adv/sourcefs-adv.txt
>>>>>>>
>>>>>>> Morgan Humes
>
>
> ___
> To unsubscribe, edit your list preferences, or view the list archives, please 
> visit:
> http://list.valvesoftware.com/mailman/listinfo/hlds_linux


___
To unsubscribe, edit your list preferences, or view the list archives, please 
visit:
http://list.valvesoftware.com/mailman/listinfo/hlds_linux
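
Added example (not part of any message in this thread): a Python check for the two properties David Anderson's message names in a plugin binary, a PT_TLS program header and a dynamic (DT_NEEDED) dependency on libstdc++. The sample images are constructed in the code and are not loadable libraries; inspect_elf, assess_plugin and build_sample are hypothetical names, and only little-endian ELF32/ELF64 is handled.

```python
import struct

PT_LOAD, PT_DYNAMIC, PT_TLS = 1, 2, 7
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5
# EI_CLASS -> (Ehdr, Phdr, Dyn, Phdr indexes of p_offset, p_vaddr, p_filesz)
LAYOUT = {
    1: (struct.Struct("<16sHHIIIIIHHHHHH"), struct.Struct("<IIIIIIII"),
        struct.Struct("<iI"), (1, 2, 4)),
    2: (struct.Struct("<16sHHIQQQIHHHHHH"), struct.Struct("<IIQQQQQQ"),
        struct.Struct("<qQ"), (2, 3, 5)),
}


def inspect_elf(data):
    """Return {'has_tls': bool, 'needed': [names]} for a little-endian ELF image."""
    if len(data) < 16 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] not in LAYOUT or data[5] != 1:
        raise ValueError("only little-endian ELF32/ELF64 is handled")
    ehdr, phdr, dyn, (i_off, i_vaddr, i_filesz) = LAYOUT[data[4]]
    if len(data) < ehdr.size:
        raise ValueError("truncated ELF header")
    fields = ehdr.unpack_from(data, 0)
    phoff, phentsize, phnum = fields[5], fields[9], fields[10]

    segments = []  # (p_type, p_offset, p_vaddr, p_filesz)
    for i in range(phnum):
        pos = phoff + i * phentsize
        if pos + phdr.size > len(data):
            raise ValueError("program header table runs past end of file")
        p = phdr.unpack_from(data, pos)
        segments.append((p[0], p[i_off], p[i_vaddr], p[i_filesz]))

    def file_offset(vaddr):
        # DT_STRTAB holds a virtual address; map it through the PT_LOAD segments.
        for p_type, off, base, size in segments:
            if p_type == PT_LOAD and base <= vaddr < base + size:
                return off + (vaddr - base)
        raise ValueError("address not backed by a PT_LOAD segment")

    name_offsets, strtab = [], None
    for p_type, off, _vaddr, size in segments:
        if p_type != PT_DYNAMIC:
            continue
        end = min(off + size, len(data))
        for pos in range(off, end - dyn.size + 1, dyn.size):
            tag, val = dyn.unpack_from(data, pos)
            if tag == DT_NULL:
                break
            if tag == DT_NEEDED:
                name_offsets.append(val)
            elif tag == DT_STRTAB:
                strtab = val

    needed = []
    if name_offsets:
        if strtab is None:
            raise ValueError("DT_NEEDED without DT_STRTAB")
        base = file_offset(strtab)
        for rel in name_offsets:
            stop = data.find(b"\0", base + rel)
            if stop < 0:
                raise ValueError("unterminated string in dynamic string table")
            needed.append(data[base + rel:stop].decode("ascii", "replace"))
    return {"has_tls": any(s[0] == PT_TLS for s in segments), "needed": needed}


def assess_plugin(data):
    """Flag the properties from the message above; an empty list means neither."""
    info = inspect_elf(data)
    findings = []
    if info["has_tls"]:
        findings.append("PT_TLS")
    if any(n.startswith("libstdc++.so") for n in info["needed"]):
        findings.append("DT_NEEDED libstdc++")
    return findings


def build_sample(elf_class, needed, with_tls):
    """Constructed minimal image for the demo; headers only, not loadable."""
    ehdr, phdr, dyn, _ = LAYOUT[elf_class]

    def ph(p_type, off, size):
        if elf_class == 1:
            return phdr.pack(p_type, off, off, off, size, size, 0, 4)
        return phdr.pack(p_type, 0, off, off, off, size, size, 8)

    strtab, rels = b"\0", []
    for name in needed:
        rels.append(len(strtab))
        strtab += name.encode() + b"\0"
    phnum = 3 if with_tls else 2
    str_off = ehdr.size + phnum * phdr.size
    dyn_off = str_off + len(strtab)
    dyns = b"".join(dyn.pack(DT_NEEDED, r) for r in rels)
    dyns += dyn.pack(DT_STRTAB, str_off) + dyn.pack(DT_NULL, 0)
    total = dyn_off + len(dyns)
    ident = b"\x7fELF" + bytes([elf_class, 1, 1]) + b"\0" * 9
    machine = 3 if elf_class == 1 else 62  # EM_386 / EM_X86_64
    head = ehdr.pack(ident, 3, machine, 1, 0, ehdr.size, 0, 0,
                     ehdr.size, phdr.size, phnum, 0, 0, 0)
    phdrs = ph(PT_LOAD, 0, total) + ph(PT_DYNAMIC, dyn_off, len(dyns))
    if with_tls:
        phdrs += ph(PT_TLS, 0, 0)
    return head + phdrs + strtab + dyns


if __name__ == "__main__":
    sample = build_sample(1, ["libstdc++.so.6", "libc.so.6"], with_tls=True)
    print(inspect_elf(sample), assess_plugin(sample))
```
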


Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-19 Thread Shane Turner
Saul,

You're mistaken. The C++ portion of the code base at my current employer 
is statically linked. We've been compiling the code that way for close 
to a decade. The code itself uses STL, streams, makes heavy use of 
templates, etc.  We build on Debian and release on RedHat/CentOS and 
Solaris (albeit rarely now).

Shane Turner

Saul Rennison wrote:
> If you knew anything about C++ you'd understand how unportable STL is 
> across various Linux distributions, and how impossible it is to 
> statically link it into the code.
>
> Thanks,
> - Saul.
>
> On 18 Aug 2009, at 21:03, Stefan Popp  wrote:
>
>> Thats not right ;)
>>
>> The programming language is the problem in this case. Why should i write
>> my code with functions that shouldnt be used with C++?
>> C++ works with the stdlib, which means streams. Not C stuff. So its
>> finally up to Valve to write programs which follows C++ standards not C.
>> You cant trust your users as programmer. Its up to us, to make the
>> source safe, and if the projecttime needs 2 weeks more, you should spend
>> the time.
>>
>>
>> Ronny Schedel wrote:
>>> The problem is not the programming language, the problem is that
>>> Valve trust their game clients too much.
>>>
>>>> Well,
>>>>
>>>> Valve should start coding c++ with steams ;)
>>>> Who works with printfs today?
>>>>
>>>> I hope Valve will fix the whole source to prevent overflows.
>>>> C++ is your friend, not old C stuff...
>>>>
>>>> Best regards,
>>>> Stefan Popp
>>>>
>>>> Claudio Beretta wrote:
>>>>> Thanks, anyone knows if a workaround is available?
>>>>>
>>>>> BTW: aren't "security researchers" supposed to contact the developers
>>>>> before releasing 0-day exploits? This is the 2nd 0-day exploit from
>>>>> aluigi in a few weeks -.-
>>>>>
>>>>> On Tue, Aug 18, 2009 at 6:44 PM, Morgan Humes wrote:
>>>>>> A friend forwarded me this info regarding a vulnerability.  I am
>>>>>> unable to test this at the moment, but it does look like it is
>>>>>> possible. Thought I would get this out to the community before
>>>>>> others start using this to cause havoc.
>>>>>>
>>>>>> http://www.vupen.com/english/advisories/2009/2296
>>>>>> http://aluigi.altervista.org/adv/sourcefs-adv.txt
>>>>>>
>>>>>> Morgan Humes




Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Crazy Canucks
Finally!  Something worth discussing!  Bavarian beer!  m... ;)

I'll just add my two cents here.  There is no other company that I know 
of that supports its modding community as enthusiastically as Valve 
does, with the possible exception of Blizzard with the WoW gui modding 
community.  Blizzard and Valve have a lot in common in that they don't 
abandon their wonderful old games.  They are the only two gaming 
corporations that I know of that do this.

They aren't perfect, but they deserve some respect, and the occasional 
thank you.

Drek

Stefan Popp wrote:
> Maybe :)
>
> I guess we start to understand what each other means :)
> Let us discuss next time with a litre bavarian beer and "Weißwürste".
> I pay ;)
>
> - Back to technical topics -
>
> Best regards,
> Stefan Popp
>
> Evaldas, GameConnect wrote:
>   
>> Hey, I didn’t start teaching VALVe employees how to code. It’s easy for you 
>> to say. Did anyone of you release your own game engine? Maybe two? You 
>> people started the flame about “Hey VALVe, drop all your HL2 sources and 
>> rewrite it in C++”. And believe me, your comparing isn’t fear… Releasing 
>> COD4 means that COD2 is dead? Then Counter-Strike should be removed from 
>> steam game list, :-) because we have orangeBox. So, going back to the 
>> ethics, VALVe is doing a great job by supporting ALL of their games. Maybe 
>> the support isn’t so fast and their update priority list is… strange. But 
>> they are supporting ALL of their products. Even the 10-year old. I think 
>> that employees will see this spam and react to it. Do some global engine 
>> patching and everything will be ok. You say that someone has contacted them. 
>> What do we mean by contacting? Maybe someone mailed 
>> cont...@valvesoftware.com about this bug and what? I bet that they get 
>> thousands of mails per day. It isn’t fear to say that they aware of the 
>> problem if they didn’t say so.
>>
>> Anyway, technical mailing list is not a place to flame and learn programmers 
>> how to code. :-)
>>
>> Evaldas,
>> GameConnect, Lithuania
>> www.gameconnect.lt
>>
>>
>> ----- Original Message - 
>> From: "Stefan Popp" 
>> To: "Half-Life dedicated Linux server mailing list" 
>> 
>> Sent: Wednesday, August 19, 2009 1:52 AM
>> Subject: Re: [hlds_linux] Valve Source Engine Console Message Format String 
>> Vulnerability
>>
>>
>>   
>> 
>>> I think our discusion will never end with our argumentations. iam
>>> talking about ethic, and you talk about budget and resources ;)
>>> At least, if you have a problems with a program you have to apply
>>> pressure on the company how made it if you want fixes.
>>> Thats the point of support. And COD2 is dead. After COD4 the mainstream
>>> doesnt care about COD2. At least, COD4 is just a update.
>>> Why fixing Windows 2000 if Windows XP doesnt have the bug anymore and
>>> the support is expired?
>>>
>>> Finally, the current discussion is around latest games, and not stuff
>>> which is 10 years old.
>>> So, stop discuss about things which doesnt apply to the mainsteam =)
>>>
>>> Best regards,
>>> Stefan Popp
>>>
>>> Evaldas Žilinskas wrote:
>>> 
>>>   
>>>> I wouldn’t call COD2 a game without bugs. :) When did we see last update? 
>>>> Oh
>>>> yes… 3 years ago. :-) And talking about Microsoft… Their support is quite
>>>> interesting. You call, they tell you how to use your control panel, but 
>>>> when
>>>> we go back to the part, when bugs and exploits must be fixed… They decide
>>>> directly from air witch exploits must be fixed and witch will remain for
>>>> ever to deal with. We have Windows Vista, everyone is crying, people are
>>>> dying… and what? We will get new Windows product, witch will cost money.
>>>> Vista will remain slow working with its bugs and other things people paid
>>>> money for. Everyone has a politics to do their commercial. I don’t blame
>>>> Valve…
>>>>
>>>> Evaldas,
>>>> GameConnect, Lithuania
>>>> www.gameconnect.lt
>>>>
>>>> - Original Message - 
>>>> From: "Stefan Popp" 
>>>> To: "Half-Life dedicated Linux server mailing list"
>>>> 
>>>> Sent: Wednesday, August 19, 2009 12:59 AM
>>>> Subject: Re: [hlds_linux] Valve Source Engine Console Message Format 
>>>> 

Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Stefan Popp
Maybe :)

I guess we start to understand what each other means :)
Let us discuss next time with a litre of Bavarian beer and "Weißwürste".
I pay ;)

- Back to technical topics -

Best regards,
Stefan Popp

Evaldas, GameConnect wrote:
> Hey, I didn’t start teaching VALVe employees how to code. It’s easy for you 
> to say. Did anyone of you release your own game engine? Maybe two? You 
> people started the flame about “Hey VALVe, drop all your HL2 sources and 
> rewrite it in C++”. And believe me, your comparing isn’t fear… Releasing 
> COD4 means that COD2 is dead? Then Counter-Strike should be removed from 
> steam game list, :-) because we have orangeBox. So, going back to the 
> ethics, VALVe is doing a great job by supporting ALL of their games. Maybe 
> the support isn’t so fast and their update priority list is… strange. But 
> they are supporting ALL of their products. Even the 10-year old. I think 
> that employees will see this spam and react to it. Do some global engine 
> patching and everything will be ok. You say that someone has contacted them. 
> What do we mean by contacting? Maybe someone mailed 
> cont...@valvesoftware.com about this bug and what? I bet that they get 
> thousands of mails per day. It isn’t fear to say that they aware of the 
> problem if they didn’t say so.
>
> Anyway, technical mailing list is not a place to flame and learn programmers 
> how to code. :-)
>
> Evaldas,
> GameConnect, Lithuania
> www.gameconnect.lt
>
>
> - Original Message - 
> From: "Stefan Popp" 
> To: "Half-Life dedicated Linux server mailing list" 
> 
> Sent: Wednesday, August 19, 2009 1:52 AM
> Subject: Re: [hlds_linux] Valve Source Engine Console Message Format String 
> Vulnerability
>
>
>   
>> I think our discusion will never end with our argumentations. iam
>> talking about ethic, and you talk about budget and resources ;)
>> At least, if you have a problems with a program you have to apply
>> pressure on the company how made it if you want fixes.
>> Thats the point of support. And COD2 is dead. After COD4 the mainstream
>> doesnt care about COD2. At least, COD4 is just a update.
>> Why fixing Windows 2000 if Windows XP doesnt have the bug anymore and
>> the support is expired?
>>
>> Finally, the current discussion is around latest games, and not stuff
>> which is 10 years old.
>> So, stop discuss about things which doesnt apply to the mainsteam =)
>>
>> Best regards,
>> Stefan Popp
>>
>> Evaldas Žilinskas wrote:
>> 
>>> I wouldn’t call COD2 a game without bugs. :) When did we see last update? 
>>> Oh
>>> yes… 3 years ago. :-) And talking about Microsoft… Their support is quite
>>> interesting. You call, they tell you how to use your control panel, but 
>>> when
>>> we go back to the part, when bugs and exploits must be fixed… They decide
>>> directly from air witch exploits must be fixed and witch will remain for
>>> ever to deal with. We have Windows Vista, everyone is crying, people are
>>> dying… and what? We will get new Windows product, witch will cost money.
>>> Vista will remain slow working with its bugs and other things people paid
>>> money for. Everyone has a politics to do their commercial. I don’t blame
>>> Valve…
>>>
>>> Evaldas,
>>> GameConnect, Lithuania
>>> www.gameconnect.lt
>>>
>>> - Original Message - 
>>> From: "Stefan Popp" 
>>> To: "Half-Life dedicated Linux server mailing list"
>>> 
>>> Sent: Wednesday, August 19, 2009 12:59 AM
>>> Subject: Re: [hlds_linux] Valve Source Engine Console Message Format 
>>> String
>>> Vulnerability
>>>
>>>
>>>
>>>   
>>>> Thats true ;)
>>>>
>>>> Best example: SAP =D
>>>>
>>>> Oliver Salzburg wrote:
>>>>
>>>> 
>>>>> Well, some people just need 10 years to get their shit right...
>>>>>
>>>>> Evaldas Žilinskas wrote:
>>>>>
>>>>>
>>>>>   
>>>>>> Oh… Show me other company that still supports 10 year old games like
>>>>>> Half-Life, by providing community integration, Russian walk prevention
>>>>>> and
>>>>>> exploit fixing updates? Maybe EA :-)? These things cost money and they
>>>>>> are
>>>>>> not responsible because of some of dumb players, trying to use found
>>>>>> game
>>>>>

Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Evaldas, GameConnect
Hey, I didn’t start teaching VALVe employees how to code. It’s easy for you 
to say. Did anyone of you release your own game engine? Maybe two? You 
people started the flame about “Hey VALVe, drop all your HL2 sources and 
rewrite it in C++”. And believe me, your comparing isn’t fair… Releasing 
COD4 means that COD2 is dead? Then Counter-Strike should be removed from 
steam game list, :-) because we have orangeBox. So, going back to the 
ethics, VALVe is doing a great job by supporting ALL of their games. Maybe 
the support isn’t so fast and their update priority list is… strange. But 
they are supporting ALL of their products. Even the 10-year old. I think 
that employees will see this spam and react to it. Do some global engine 
patching and everything will be ok. You say that someone has contacted them. 
What do we mean by contacting? Maybe someone mailed 
cont...@valvesoftware.com about this bug and what? I bet that they get 
thousands of mails per day. It isn’t fair to say that they are aware of the 
problem if they didn’t say so.

Anyway, technical mailing list is not a place to flame and learn programmers 
how to code. :-)

Evaldas,
GameConnect, Lithuania
www.gameconnect.lt


- Original Message - 
From: "Stefan Popp" 
To: "Half-Life dedicated Linux server mailing list" 

Sent: Wednesday, August 19, 2009 1:52 AM
Subject: Re: [hlds_linux] Valve Source Engine Console Message Format String 
Vulnerability


> I think our discussion will never end with our argumentations. I am
> talking about ethic, and you talk about budget and resources ;)
> At least, if you have a problems with a program you have to apply
> pressure on the company how made it if you want fixes.
> Thats the point of support. And COD2 is dead. After COD4 the mainstream
> doesnt care about COD2. At least, COD4 is just a update.
> Why fixing Windows 2000 if Windows XP doesnt have the bug anymore and
> the support is expired?
>
> Finally, the current discussion is around latest games, and not stuff
> which is 10 years old.
> So, stop discuss about things which doesnt apply to the mainsteam =)
>
> Best regards,
> Stefan Popp
>
> Evaldas Žilinskas wrote:
>> I wouldn’t call COD2 a game without bugs. :) When did we see last update? 
>> Oh
>> yes… 3 years ago. :-) And talking about Microsoft… Their support is quite
>> interesting. You call, they tell you how to use your control panel, but 
>> when
>> we go back to the part, when bugs and exploits must be fixed… They decide
>> directly from air witch exploits must be fixed and witch will remain for
>> ever to deal with. We have Windows Vista, everyone is crying, people are
>> dying… and what? We will get new Windows product, witch will cost money.
>> Vista will remain slow working with its bugs and other things people paid
>> money for. Everyone has a politics to do their commercial. I don’t blame
>> Valve…
>>
>> Evaldas,
>> GameConnect, Lithuania
>> www.gameconnect.lt
>>
>> - Original Message - 
>> From: "Stefan Popp" 
>> To: "Half-Life dedicated Linux server mailing list"
>> 
>> Sent: Wednesday, August 19, 2009 12:59 AM
>> Subject: Re: [hlds_linux] Valve Source Engine Console Message Format 
>> String
>> Vulnerability
>>
>>
>>
>>> Thats true ;)
>>>
>>> Best example: SAP =D
>>>
>>> Oliver Salzburg wrote:
>>>
>>>> Well, some people just need 10 years to get their shit right...
>>>>
>>>> Evaldas Žilinskas wrote:
>>>>
>>>>
>>>>> Oh… Show me other company that still supports 10 year old games like
>>>>> Half-Life, by providing community integration, Russian walk prevention
>>>>> and
>>>>> exploit fixing updates? Maybe EA :-)? These things cost money and they
>>>>> are
>>>>> not responsible because of some of dumb players, trying to use found
>>>>> game
>>>>> exploits as a cheat or as a way to hack something. They do their best
>>>>> and I’m
>>>>> sure about that. More customers you have, more exploits and bugs will 
>>>>> be
>>>>> found. And… making a dialogue with everyone – it’s impossible. I own a
>>>>> company with only a few thousand customers and even then it’s hard to
>>>>> maintain everyone. How many customers VALVe has?
>>>>>
>>>>> players,
>>>>> server admins,
>>>>> source engine owners,
>>>>> third party mod developers,
>>>>> cybercafé owners,
>>>>> content resellers,
>>>>> steam 

Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Stefan Popp
I think our discussion will never end with our argumentations. I am 
talking about ethics, and you talk about budget and resources ;)
At least, if you have problems with a program you have to apply 
pressure on the company who made it if you want fixes.
That's the point of support. And COD2 is dead. After COD4 the mainstream 
doesn't care about COD2. At least, COD4 is just an update.
Why fix Windows 2000 if Windows XP doesn't have the bug anymore and 
the support is expired?

Finally, the current discussion is around latest games, and not stuff 
which is 10 years old.
So, stop discussing things which don't apply to the mainstream =)

Best regards,
Stefan Popp

Evaldas Žilinskas wrote:
> I wouldn’t call COD2 a game without bugs. :) When did we see last update? Oh 
> yes… 3 years ago. :-) And talking about Microsoft… Their support is quite 
> interesting. You call, they tell you how to use your control panel, but when 
> we go back to the part, when bugs and exploits must be fixed… They decide 
> directly from air witch exploits must be fixed and witch will remain for 
> ever to deal with. We have Windows Vista, everyone is crying, people are 
> dying… and what? We will get new Windows product, witch will cost money. 
> Vista will remain slow working with its bugs and other things people paid 
> money for. Everyone has a politics to do their commercial. I don’t blame 
> Valve…
>
> Evaldas,
> GameConnect, Lithuania
> www.gameconnect.lt
>
> - Original Message - 
> From: "Stefan Popp" 
> To: "Half-Life dedicated Linux server mailing list" 
> 
> Sent: Wednesday, August 19, 2009 12:59 AM
> Subject: Re: [hlds_linux] Valve Source Engine Console Message Format String 
> Vulnerability
>
>
>   
>> Thats true ;)
>>
>> Best example: SAP =D
>>
>> Oliver Salzburg wrote:
>> 
>>> Well, some people just need 10 years to get their shit right...
>>>
>>> Evaldas Žilinskas wrote:
>>>
>>>   
>>>> Oh… Show me other company that still supports 10 year old games like
>>>> Half-Life, by providing community integration, Russian walk prevention 
>>>> and
>>>> exploit fixing updates? Maybe EA :-)? These things cost money and they 
>>>> are
>>>> not responsible because of some of dumb players, trying to use found 
>>>> game
>>>> exploits as a cheat or as a way to hack something. They do their best 
>>>> and I’m
>>>> sure about that. More customers you have, more exploits and bugs will be
>>>> found. And… making a dialogue with everyone – it’s impossible. I own a
>>>> company with only a few thousand customers and even then it’s hard to
>>>> maintain everyone. How many customers VALVe has?
>>>>
>>>> players,
>>>> server admins,
>>>> source engine owners,
>>>> third party mod developers,
>>>> cybercafé owners,
>>>> content resellers,
>>>> steam store sellers…
>>>>
>>>> Hey Alfred, I’ve found a bug, answer me! Believe me – NOT so easy!
>>>>
>>>>
>>>> Evaldas,
>>>> GameConnect, Lithuania
>>>> www.gameconnect.lt
>>>>
>>>>
>>>> - Original Message - 
>>>> From: "Stefan Popp" 
>>>> To: "Half-Life dedicated Linux server mailing list"
>>>> 
>>>> Sent: Tuesday, August 18, 2009 10:37 PM
>>>> Subject: Re: [hlds_linux] Valve Source Engine Console Message Format 
>>>> String
>>>> Vulnerability
>>>>
>>>>
>>>>
>>>>
>>>> 
>>>>> Wheres the point?
>>>>>
>>>>> Its their product, and they have to support the product. If i code any
>>>>> application and i wait 4 weeks (or more :P) until i fix anything for my
>>>>> customers, i can go directly to die.
>>>>> I never said valve didnt support their products, but the point is, how
>>>>> they do that. And the royal way of support is fast fixing of bugs, and
>>>>> if providing sdk's, updating the materials around. And currently i 
>>>>> think
>>>>> Valve makes bad support. Maybe, they kicked some programmers or
>>>>> somethin? But as customer i didnt care about their resources, i only
>>>>> care about theire reaction times if i got problems ;) or?
>>>>>
>>>>> Saint K. wrote:
>>>>>
>>>>>
>>>>>       

Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Evaldas Žilinskas
I wouldn’t call COD2 a game without bugs. :) When did we see last update? Oh 
yes… 3 years ago. :-) And talking about Microsoft… Their support is quite 
interesting. You call, they tell you how to use your control panel, but when 
we go back to the part, when bugs and exploits must be fixed… They decide 
directly from air which exploits must be fixed and which will remain for 
ever to deal with. We have Windows Vista, everyone is crying, people are 
dying… and what? We will get new Windows product, which will cost money. 
Vista will remain slow working with its bugs and other things people paid 
money for. Everyone has a politics to do their commercial. I don’t blame 
Valve…

Evaldas,
GameConnect, Lithuania
www.gameconnect.lt

- Original Message - 
From: "Stefan Popp" 
To: "Half-Life dedicated Linux server mailing list" 

Sent: Wednesday, August 19, 2009 12:59 AM
Subject: Re: [hlds_linux] Valve Source Engine Console Message Format String 
Vulnerability


> Thats true ;)
>
> Best example: SAP =D
>
> Oliver Salzburg wrote:
>> Well, some people just need 10 years to get their shit right...
>>
>> Evaldas Žilinskas wrote:
>>
>>> Oh… Show me other company that still supports 10 year old games like
>>> Half-Life, by providing community integration, Russian walk prevention 
>>> and
>>> exploit fixing updates? Maybe EA :-)? These things cost money and they 
>>> are
>>> not responsible because of some of dumb players, trying to use found 
>>> game
>>> exploits as a cheat or as a way to hack something. They do their best 
>>> and I’m
>>> sure about that. More customers you have, more exploits and bugs will be
>>> found. And… making a dialogue with everyone – it’s impossible. I own a
>>> company with only a few thousand customers and even then it’s hard to
>>> maintain everyone. How many customers VALVe has?
>>>
>>> players,
>>> server admins,
>>> source engine owners,
>>> third party mod developers,
>>> cybercafé owners,
>>> content resellers,
>>> steam store sellers…
>>>
>>> Hey Alfred, I’ve found a bug, answer me! Believe me – NOT so easy!
>>>
>>>
>>> Evaldas,
>>> GameConnect, Lithuania
>>> www.gameconnect.lt
>>>
>>>
>>> - Original Message - 
>>> From: "Stefan Popp" 
>>> To: "Half-Life dedicated Linux server mailing list"
>>> 
>>> Sent: Tuesday, August 18, 2009 10:37 PM
>>> Subject: Re: [hlds_linux] Valve Source Engine Console Message Format 
>>> String
>>> Vulnerability
>>>
>>>
>>>
>>>
>>>> Wheres the point?
>>>>
>>>> Its their product, and they have to support the product. If i code any
>>>> application and i wait 4 weeks (or more :P) until i fix anything for my
>>>> customers, i can go directly to die.
>>>> I never said valve didnt support their products, but the point is, how
>>>> they do that. And the royal way of support is fast fixing of bugs, and
>>>> if providing sdk's, updating the materials around. And currently i 
>>>> think
>>>> Valve makes bad support. Maybe, they kicked some programmers or
>>>> somethin? But as customer i didnt care about their resources, i only
>>>> care about theire reaction times if i got problems ;) or?
>>>>
>>>> Saint K. wrote:
>>>>
>>>>
>>>>> Imo VALVe is still the only one who cares and interacts so much with
>>>>> their community. Yes they have their flaws, and they can be ugly at
>>>>> times, but hey, what other dev mails you straight away when you report 
>>>>> a
>>>>> bug to resolve it? So far this only happends to me with VALVe. From 
>>>>> other
>>>>> devs u should thank god on your knees to ever get any response at all.
>>>>>
>>>>> The games are worth their money, and the suport on their games is
>>>>> insanely long.
>>>>>
>>>>> VALVe still has and will continue to have my support.
>>>>>
>>>>> Saint K.
>>>>> -Original Message-
>>>>> From: hlds_linux-boun...@list.valvesoftware.com
>>>>> [mailto:hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Stefan
>>>>> Popp
>>>>> Sent: Tuesday 18 August 2009 20:51
>>>>> To: Half-Life dedicated Linux server mailing list
>>>>> Subject: Re: [hld

Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Stefan Popp
That's true ;)

Best example: SAP =D

Oliver Salzburg wrote:
> Well, some people just need 10 years to get their shit right...
>
> Evaldas Žilinskas wrote:
>   
>> Oh… Show me other company that still supports 10 year old games like 
>> Half-Life, by providing community integration, Russian walk prevention and 
>> exploit fixing updates? Maybe EA :-)? These things cost money and they are 
>> not responsible because of some of dumb players, trying to use found game 
>> exploits as a cheat or as a way to hack something. They do their best and 
>> I’m 
>> sure about that. More customers you have, more exploits and bugs will be 
>> found. And… making a dialogue with everyone – it’s impossible. I own a 
>> company with only a few thousand customers and even then it’s hard to 
>> maintain everyone. How many customers VALVe has?
>>
>> players,
>> server admins,
>> source engine owners,
>> third party mod developers,
>> cybercafé owners,
>> content resellers,
>> steam store sellers…
>>
>> Hey Alfred, I’ve found a bug, answer me! Believe me – NOT so easy!
>>
>>
>> Evaldas,
>> GameConnect, Lithuania
>> www.gameconnect.lt
>>
>>
>> - Original Message ----- 
>> From: "Stefan Popp" 
>> To: "Half-Life dedicated Linux server mailing list" 
>> 
>> Sent: Tuesday, August 18, 2009 10:37 PM
>> Subject: Re: [hlds_linux] Valve Source Engine Console Message Format String 
>> Vulnerability
>>
>>
>>   
>> 
>>> Wheres the point?
>>>
>>> Its their product, and they have to support the product. If i code any
>>> application and i wait 4 weeks (or more :P) until i fix anything for my
>>> customers, i can go directly to die.
>>> I never said valve didnt support their products, but the point is, how
>>> they do that. And the royal way of support is fast fixing of bugs, and
>>> if providing sdk's, updating the materials around. And currently i think
>>> Valve makes bad support. Maybe, they kicked some programmers or
>>> somethin? But as customer i didnt care about their resources, i only
>>> care about theire reaction times if i got problems ;) or?
>>>
>>> Saint K. wrote:
>>> 
>>>   
>>>> Imo VALVe is still the only one who cares and interacts so much with 
>>>> their community. Yes they have their flaws, and they can be ugly at 
>>>> times, but hey, what other dev mails you straight away when you report a 
>>>> bug to resolve it? So far this only happends to me with VALVe. From other 
>>>> devs u should thank god on your knees to ever get any response at all.
>>>>
>>>> The games are worth their money, and the suport on their games is 
>>>> insanely long.
>>>>
>>>> VALVe still has and will continue to have my support.
>>>>
>>>> Saint K.
>>>> -Original Message-
>>>> From: hlds_linux-boun...@list.valvesoftware.com 
>>>> [mailto:hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Stefan 
>>>> Popp
>>>> Sent: Tuesday 18 August 2009 20:51
>>>> To: Half-Life dedicated Linux server mailing list
>>>> Subject: Re: [hlds_linux] Valve Source Engine Console Message Format 
>>>> String Vulnerability
>>>>
>>>> The wish is currently present ;)
>>>>
>>>> Due a lot of stuff valve didnt managed the right way ;)
>>>> 1. bad code and many ways to crash servers from client side
>>>> 2. changing engine stuff without telling plugin developer about changes
>>>> or any new sdk's
>>>> 3. no statements about this and a lot of other points ;)
>>>>
>>>> there are a lot of reasons why i wish to get my money back, but i still
>>>> hope that valve goes back to their roots and care about theire community 
>>>> ;)
>>>>
>>>> Best regards,
>>>> Stefan Popp
>>>>
>>>> Adam Nowacki wrote:
>>>>
>>>>   
>>>> 
>>>>> You'd wish you never bought any Valve games the day this happens.
>>>>>
>>>>> Stefan Popp wrote:
>>>>>
>>>>>
>>>>> 
>>>>>   
>>>>>> Sorry, but this must be corrected ;)
>>>>>>
>>>>>> -"Valve should start coding c++ with steams ;)"
>>>>>> +"Va

Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Oliver Salzburg
Well, some people just need 10 years to get their shit right...

Evaldas Žilinskas wrote:
> Oh… Show me other company that still supports 10 year old games like 
> Half-Life, by providing community integration, Russian walk prevention and 
> exploit fixing updates? Maybe EA :-)? These things cost money and they are 
> not responsible because of some of dumb players, trying to use found game 
> exploits as a cheat or as a way to hack something. They do their best and I’m 
> sure about that. More customers you have, more exploits and bugs will be 
> found. And… making a dialogue with everyone – it’s impossible. I own a 
> company with only a few thousand customers and even then it’s hard to 
> maintain everyone. How many customers VALVe has?
>
> players,
> server admins,
> source engine owners,
> third party mod developers,
> cybercafé owners,
> content resellers,
> steam store sellers…
>
> Hey Alfred, I’ve found a bug, answer me! Believe me – NOT so easy!
>
>
> Evaldas,
> GameConnect, Lithuania
> www.gameconnect.lt
>
>
> - Original Message - 
> From: "Stefan Popp" 
> To: "Half-Life dedicated Linux server mailing list" 
> 
> Sent: Tuesday, August 18, 2009 10:37 PM
> Subject: Re: [hlds_linux] Valve Source Engine Console Message Format String 
> Vulnerability
>
>
>   
>> Wheres the point?
>>
>> Its their product, and they have to support the product. If i code any
>> application and i wait 4 weeks (or more :P) until i fix anything for my
>> customers, i can go directly to die.
>> I never said valve didnt support their products, but the point is, how
>> they do that. And the royal way of support is fast fixing of bugs, and
>> if providing sdk's, updating the materials around. And currently i think
>> Valve makes bad support. Maybe, they kicked some programmers or
>> somethin? But as customer i didnt care about their resources, i only
>> care about theire reaction times if i got problems ;) or?
>>
>> Saint K. schrieb:
>> 
>>> Imo VALVe is still the only one who cares and interacts so much with 
>>> their community. Yes they have their flaws, and they can be ugly at 
>>> times, but hey, what other dev mails you straight away when you report a 
>>> bug to resolve it? So far this only happends to me with VALVe. From other 
>>> devs u should thank god on your knees to ever get any response at all.
>>>
>>> The games are worth their money, and the suport on their games is 
>>> insanely long.
>>>
>>> VALVe still has and will continue to have my support.
>>>
>>> Saint K.
>>> -Original Message-----
>>> From: hlds_linux-boun...@list.valvesoftware.com 
>>> [mailto:hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Stefan 
>>> Popp
>>> Sent: dinsdag 18 augustus 2009 20:51
>>> To: Half-Life dedicated Linux server mailing list
>>> Subject: Re: [hlds_linux] Valve Source Engine Console Message Format 
>>> String Vulnerability
>>>
>>> The wish is currently present ;)
>>>
>>> Due a lot of stuff valve didnt managed the right way ;)
>>> 1. bad code and many ways to crash servers from client side
>>> 2. changing engine stuff without telling plugin developer about changes
>>> or any new sdk's
>>> 3. no statements about this and a lot of other points ;)
>>>
>>> there are a lot of reasons why i wish to get my money back, but i still
>>> hope that valve goes back to their roots and care about theire community 
>>> ;)
>>>
>>> Best regards,
>>> Stefan Popp
>>>
>>> Adam Nowacki schrieb:
>>>
>>>   
>>>> You'd wish you never bought any Valve games the day this happens.
>>>>
>>>> Stefan Popp wrote:
>>>>
>>>>
>>>> 
>>>>> Sorry, but this must be corrected ;)
>>>>>
>>>>> -"Valve should start coding c++ with steams ;)"
>>>>> +"Valve should start coding c++ with streams ;)"
>>>>>
>>>>> Best regards,
>>>>> Stefan Popp
>>>>>
>>>>> Stefan Popp schrieb:
>>>>>
>>>>>
>>>>>   
>>>>>> Well,
>>>>>>
>>>>>> Valve should start coding c++ with steams ;)
>>>>>> Who works with printfs today?
>>>>>>
>>>>>> I hope Valve will fix the whole source to prevent overflows.
>>

Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Oliver Salzburg
If you have problems distributing a C++ application that is built
against standardized parts of C++, then you must be doing something
wrong, my friend.
If you have so many linkage problems, try linking statically.
If you already have problems on a source level, the preprocessor
is your friend.

And I also notice that some people on this thread seem to confuse
the STL and the C++ runtime a lot. That is quite confusing.
If the portability of the STL is actually the problem you could
always use STLPort.

I would assume that a program written in C might be more portable
than if it was written in C++. But it is of course a tradeoff.
Cause above mentioned streams will take a lot off your hands, for
the price of possibly consuming more resources. But you also
don't have to care about buffer sizes.

And nobody is stopping you from using printf in a C++ program anyway.
So this really is not so much about C vs C++ than it is about
programming practices.
One way or another. If you have allocated 1024 bytes for a buffer,
don't write 1025...

Saul Rennison wrote:
> I never said there was an issue compiling it. You will find that other  
> systems use different library versions for STL, surprisingly, and  
> cause linkage issues. I know this as I've tried distributing C++  
> Windows / Linux apps which use STL and it's a headache. I'm only  
> talking from first hand experiance.
>
> With Windows as I'm sure you'll know, STL is held in msvc8.dll (can't  
> remember the exact name) or maybe in CRT, I'm unsure, but that DLL is  
> distributed with your application and everyone uses the same binary.  
> In Windows, that is. In Linux it's a whole different story.
>
> Thanks,
> - Saul.
>
> On 18 Aug 2009, at 22:23, Stefan Popp  wrote:
>
>   
>> Sry, are you serious? I mean, are you serious?
>> STL = Standard template library
>>
>> You are serious we are talking 100% that?
>> If you really mean its not portable, you should buy a book about C++.
>>
>> For myself i prefer "Bjarne Stroustrup's C++"
>> STL is a part of C++. Every C++ compiler should understand it, because
>> STL is a standard part of C++ since 1993!
>> Which compiler did you use, that makes so many problems to port you're
>> application to other linux dist. or other operating systems?
>>
>> Best regards,
>> Stefan Popp
>>
>>
>> Saul Rennison schrieb
>> 
>>> If you knew anything about C++ you'd understand how unportable STL is
>>> across various Linux distributions, and how impossible it is to
>>> statically link it into the code.
>>>
>>> Thanks,
>>> - Saul.
>>>
>>> On 18 Aug 2009, at 21:03, Stefan Popp  wrote:
>>>
>>>
>>>   
>>>> That's not right ;)
>>>>
>>>> The programming language is the problem in this case. Why should I write
>>>> my code with functions that shouldn't be used with C++?
>>>> C++ works with the stdlib, which means streams. Not C stuff. So it's
>>>> finally up to Valve to write programs which follows C++ standards not C.
>>>> You can't trust your users as programmer. It's up to us, to make the
>>>> source safe, and if the projecttime needs 2 weeks more, you should spend
>>>> the time.
>>>>
>>>> Ronny Schedel wrote:
>>>>
>>>>> The problem is not the programming language, the problem is that
>>>>> Valve trust their game clients too much.
>>>>>
>>>>>> Well,
>>>>>>
>>>>>> Valve should start coding c++ with steams ;)
>>>>>> Who works with printfs today?
>>>>>>
>>>>>> I hope Valve will fix the whole source to prevent overflows.
>>>>>> C++ is your friend, not old C stuff...
>>>>>>
>>>>>> Best regards,
>>>>>> Stefan Popp
>>>>>>
>>>>>> Claudio Beretta wrote:
>>>>>>
>>>>>>> Thanks, anyone knows if a workaround is available?
>>>>>>>
>>>>>>> BTW: aren't "security researchers" supposed to contact the developers
>>>>>>> before releasing 0-day exploits? This is the 2nd 0-day exploit from
>>>>>>> aluigi in a few weeks -.-
>>>>>>>
>>>>>>> On Tue, Aug 18, 2009 at 6:44 PM, Morgan Humes wrote:
>>>>>>>
>>>>>>>> A friend forwarded me this info regarding a vulnerability.  I am
>>>>>>>> unable to test this at the moment, but it does look like it is
>>>>>>>> possible. Thought I would get this out to the community before
>>>>>>>> others start using this to cause havoc.
>>>>>>>>
>>>>>>>> http://www.vupen.com/english/advisories/2009/2296
>>>>>>>> http://aluigi.altervista.org/adv/sourcefs-adv.txt
>>>>>>>>
>>>>>>>> Morgan Humes
>>>>>>>> ___
>>>>>>>> To unsubscribe, edit your list preferences, or view the list
>>>>>>>> archives, please visit:
>>>>>>>> http://list.valvesoftware.com/mailman/listinfo/hlds_linux




 

Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Stefan Popp
Company == Support

It's nonsense how many users you have. Look at Microsoft or anyone 
else. Small, medium, big... makes no sense for the customer. If I make a 
product, I have to support it.
If the "EULA" doesn't contain anything about support expiration, I call 
the support every time I need it.

If I have to pay for support, why not? I have no problem giving some 
dollars to a company for helping me ;)
But I hate it if anyone says "uuhh, support costs so much :x". If you 
don't have the resources to support your own project, leave it ;)
And yeah, I know a lot of companies which support their products for 
over 10 years, without any question. That's what we call "quality 
management" <http://www.dict.cc/englisch-deutsch/quality+management.html> 
in Germany.
It's not the price that is relevant for me, it's the ethic behind a product. 
How I ship a product, how I support it and how I take care of my customers ;)
I pay hundreds of euros per year for support of my IDE licenses and 
stuff around my IDE, server management etc. And I will still pay for it for 
the next 3 centuries if the support is good!

Best regards,
Stefan Popp

Evaldas Žilinskas wrote:
> Oh… Show me other company that still supports 10 year old games like 
> Half-Life, by providing community integration, Russian walk prevention and 
> exploit fixing updates? Maybe EA :-)? These things cost money and they are 
> not responsible because of some of dumb players, trying to use found game 
> exploits as a cheat or as a way to hack something. They do their best and I’m 
> sure about that. More customers you have, more exploits and bugs will be 
> found. And… making a dialogue with everyone – it’s impossible. I own a 
> company with only a few thousand customers and even then it’s hard to 
> maintain everyone. How many customers VALVe has?
>
> players,
> server admins,
> source engine owners,
> third party mod developers,
> cybercafé owners,
> content resellers,
> steam store sellers…
>
> Hey Alfred, I’ve found a bug, answer me! Believe me – NOT so easy!
>
>
> Evaldas,
> GameConnect, Lithuania
> www.gameconnect.lt
>
>
> - Original Message - 
> From: "Stefan Popp" 
> To: "Half-Life dedicated Linux server mailing list" 
> 
> Sent: Tuesday, August 18, 2009 10:37 PM
> Subject: Re: [hlds_linux] Valve Source Engine Console Message Format String 
> Vulnerability
>
>
>   
>> Wheres the point?
>>
>> Its their product, and they have to support the product. If i code any
>> application and i wait 4 weeks (or more :P) until i fix anything for my
>> customers, i can go directly to die.
>> I never said valve didnt support their products, but the point is, how
>> they do that. And the royal way of support is fast fixing of bugs, and
>> if providing sdk's, updating the materials around. And currently i think
>> Valve makes bad support. Maybe, they kicked some programmers or
>> somethin? But as customer i didnt care about their resources, i only
>> care about theire reaction times if i got problems ;) or?
>>
>> Saint K. schrieb:
>> 
>>> Imo VALVe is still the only one who cares and interacts so much with 
>>> their community. Yes they have their flaws, and they can be ugly at 
>>> times, but hey, what other dev mails you straight away when you report a 
>>> bug to resolve it? So far this only happends to me with VALVe. From other 
>>> devs u should thank god on your knees to ever get any response at all.
>>>
>>> The games are worth their money, and the suport on their games is 
>>> insanely long.
>>>
>>> VALVe still has and will continue to have my support.
>>>
>>> Saint K.
>>> -Original Message-
>>> From: hlds_linux-boun...@list.valvesoftware.com 
>>> [mailto:hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Stefan 
>>> Popp
>>> Sent: dinsdag 18 augustus 2009 20:51
>>> To: Half-Life dedicated Linux server mailing list
>>> Subject: Re: [hlds_linux] Valve Source Engine Console Message Format 
>>> String Vulnerability
>>>
>>> The wish is currently present ;)
>>>
>>> Due a lot of stuff valve didnt managed the right way ;)
>>> 1. bad code and many ways to crash servers from client side
>>> 2. changing engine stuff without telling plugin developer about changes
>>> or any new sdk's
>>> 3. no statements about this and a lot of other points ;)
>>>
>>> there are a lot of reasons why i wish to get my money back, but i still
>>> hope that valve goes back to their roots and care about theire community 
>>> ;)
>>>
>>> 

Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Evaldas Žilinskas
Oh… Show me another company that still supports 10-year-old games like 
Half-Life, by providing community integration, Russian walk prevention and 
exploit-fixing updates? Maybe EA :-)? These things cost money and they are 
not responsible because of some dumb players trying to use found game 
exploits as a cheat or as a way to hack something. They do their best and I’m 
sure about that. The more customers you have, the more exploits and bugs will 
be found. And… making a dialogue with everyone – it’s impossible. I own a 
company with only a few thousand customers and even then it’s hard to 
maintain everyone. How many customers does VALVe have?

players,
server admins,
source engine owners,
third party mod developers,
cybercafé owners,
content resellers,
steam store sellers…

Hey Alfred, I’ve found a bug, answer me! Believe me – NOT so easy!


Evaldas,
GameConnect, Lithuania
www.gameconnect.lt


- Original Message - 
From: "Stefan Popp" 
To: "Half-Life dedicated Linux server mailing list" 

Sent: Tuesday, August 18, 2009 10:37 PM
Subject: Re: [hlds_linux] Valve Source Engine Console Message Format String 
Vulnerability


> Wheres the point?
>
> Its their product, and they have to support the product. If i code any
> application and i wait 4 weeks (or more :P) until i fix anything for my
> customers, i can go directly to die.
> I never said valve didnt support their products, but the point is, how
> they do that. And the royal way of support is fast fixing of bugs, and
> if providing sdk's, updating the materials around. And currently i think
> Valve makes bad support. Maybe, they kicked some programmers or
> somethin? But as customer i didnt care about their resources, i only
> care about theire reaction times if i got problems ;) or?
>
> Saint K. schrieb:
>> Imo VALVe is still the only one who cares and interacts so much with 
>> their community. Yes they have their flaws, and they can be ugly at 
>> times, but hey, what other dev mails you straight away when you report a 
>> bug to resolve it? So far this only happends to me with VALVe. From other 
>> devs u should thank god on your knees to ever get any response at all.
>>
>> The games are worth their money, and the suport on their games is 
>> insanely long.
>>
>> VALVe still has and will continue to have my support.
>>
>> Saint K.
>> -Original Message-
>> From: hlds_linux-boun...@list.valvesoftware.com 
>> [mailto:hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Stefan 
>> Popp
>> Sent: dinsdag 18 augustus 2009 20:51
>> To: Half-Life dedicated Linux server mailing list
>> Subject: Re: [hlds_linux] Valve Source Engine Console Message Format 
>> String Vulnerability
>>
>> The wish is currently present ;)
>>
>> Due a lot of stuff valve didnt managed the right way ;)
>> 1. bad code and many ways to crash servers from client side
>> 2. changing engine stuff without telling plugin developer about changes
>> or any new sdk's
>> 3. no statements about this and a lot of other points ;)
>>
>> there are a lot of reasons why i wish to get my money back, but i still
>> hope that valve goes back to their roots and care about theire community 
>> ;)
>>
>> Best regards,
>> Stefan Popp
>>
>> Adam Nowacki schrieb:
>>
>>> You'd wish you never bought any Valve games the day this happens.
>>>
>>> Stefan Popp wrote:
>>>
>>>
>>>> Sorry, but this must be corrected ;)
>>>>
>>>> -"Valve should start coding c++ with steams ;)"
>>>> +"Valve should start coding c++ with streams ;)"
>>>>
>>>> Best regards,
>>>> Stefan Popp
>>>>
>>>> Stefan Popp schrieb:
>>>>
>>>>
>>>>> Well,
>>>>>
>>>>> Valve should start coding c++ with steams ;)
>>>>> Who works with printfs today?
>>>>>
>>>>> I hope Valve will fix the whole source to prevent overflows.
>>>>> C++ is you friend, not old C stuff...
>>>>>
>>>>> Best regards,
>>>>> Stefan Popp
>>>>>
>>>>>
>>>>> Claudio Beretta schrieb:
>>>>>
>>>>>
>>>>>
>>>>>> Thanks, anyone knows if a workaround is available?
>>>>>>
>>>>>> BTW: aren't "security researchers" supposed to contact the developers 
>>>>>> before
>>>>>> releasing 0-day exploits?This is the 2nd 0-day exp

Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Stefan Popp
Well,

sometimes I get some problems with libraries, but with some tweaks my 
stuff works to 95% on every Linux machine. I don't know how you code and 
compile static stuff,
but my/our programs work fine for over 35k customers ;)

Best regards,
Stefan Popp

Saul Rennison wrote:
> Using STL in open-source projects is fine as the system can compile  
> binaries which link into their libraries. With closed source however,  
> you are distributing binaries which link with libraries on YOUR  
> machine, which may not be the same on others.
>
> Thanks,
> - Saul.
>
> On 18 Aug 2009, at 22:23, Stefan Popp  wrote:
>
>   
>> Sry, are you serious? I mean, are you serious?
>> STL = Standard template library
>>
>> You are serious we are talking 100% that?
>> If you really mean its not portable, you should buy a book about C++.
>>
>> For myself i prefer "Bjarne Stroustrup's C++"
>> STL is a part of C++. Every C++ compiler should understand it, because
>> STL is a standard part of C++ since 1993!
>> Which compiler did you use, that makes so many problems to port you're
>> application to other linux dist. or other operating systems?
>>
>> Best regards,
>> Stefan Popp
>>
>>
>> Saul Rennison schrieb
>> 
>>> If you knew anything about C++ you'd understand how unportable STL is
>>> across various Linux distributions, and how impossible it is to
>>> statically link it into the code.
>>>
>>> Thanks,
>>> - Saul.
>>>
>>> On 18 Aug 2009, at 21:03, Stefan Popp  wrote:
>>>
>>>
>>>   
>>>> That's not right ;)
>>>>
>>>> The programming language is the problem in this case. Why should I write
>>>> my code with functions that shouldn't be used with C++?
>>>> C++ works with the stdlib, which means streams. Not C stuff. So it's
>>>> finally up to Valve to write programs which follows C++ standards not C.
>>>> You can't trust your users as programmer. It's up to us, to make the
>>>> source safe, and if the projecttime needs 2 weeks more, you should spend
>>>> the time.
>>>>
>>>> Ronny Schedel wrote:
>>>>
>>>>> The problem is not the programming language, the problem is that
>>>>> Valve trust their game clients too much.
>>>>>
>>>>>> Well,
>>>>>>
>>>>>> Valve should start coding c++ with steams ;)
>>>>>> Who works with printfs today?
>>>>>>
>>>>>> I hope Valve will fix the whole source to prevent overflows.
>>>>>> C++ is your friend, not old C stuff...
>>>>>>
>>>>>> Best regards,
>>>>>> Stefan Popp
>>>>>>
>>>>>> Claudio Beretta wrote:
>>>>>>
>>>>>>> Thanks, anyone knows if a workaround is available?
>>>>>>>
>>>>>>> BTW: aren't "security researchers" supposed to contact the developers
>>>>>>> before releasing 0-day exploits? This is the 2nd 0-day exploit from
>>>>>>> aluigi in a few weeks -.-
>>>>>>>
>>>>>>> On Tue, Aug 18, 2009 at 6:44 PM, Morgan Humes wrote:
>>>>>>>
>>>>>>>> A friend forwarded me this info regarding a vulnerability.  I am
>>>>>>>> unable to test this at the moment, but it does look like it is
>>>>>>>> possible. Thought I would get this out to the community before
>>>>>>>> others start using this to cause havoc.
>>>>>>>>
>>>>>>>> http://www.vupen.com/english/advisories/2009/2296
>>>>>>>> http://aluigi.altervista.org/adv/sourcefs-adv.txt
>>>>>>>>
>>>>>>>> Morgan Humes

Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Saul Rennison
Using STL in open-source projects is fine as the system can compile  
binaries which link into their libraries. With closed source however,  
you are distributing binaries which link with libraries on YOUR  
machine, which may not be the same on others.

Thanks,
- Saul.

On 18 Aug 2009, at 22:23, Stefan Popp  wrote:

> Sry, are you serious? I mean, are you serious?
> STL = Standard template library
>
> You are serious we are talking 100% that?
> If you really mean its not portable, you should buy a book about C++.
>
> For myself i prefer "Bjarne Stroustrup's C++"
> STL is a part of C++. Every C++ compiler should understand it, because
> STL is a standard part of C++ since 1993!
> Which compiler did you use, that makes so many problems to port you're
> application to other linux dist. or other operating systems?
>
> Best regards,
> Stefan Popp
>
>
> Saul Rennison schrieb
>> If you knew anything about C++ you'd understand how unportable STL is
>> across various Linux distributions, and how impossible it is to
>> statically link it into the code.
>>
>> Thanks,
>> - Saul.
>>
>> On 18 Aug 2009, at 21:03, Stefan Popp  wrote:
>>
>>
>>> Thats not right ;)
>>>
>>> The programming language is the problem in this case. Why should i
>>> write
>>> my code with functions that shouldnt be used with C++?
>>> C++ works with the stdlib, which means streams. Not C stuff. So its
>>> finally up to Valve to write programs which follows C++ standards
>>> not C.
>>> You cant trust your users as programmer. Its up to us, to make the
>>> source safe, and if the projecttime needs 2 weeks more, you should
>>> spend
>>> the time.
>>>
>>>
>>> Ronny Schedel schrieb:
>>>
>>>> The problem is not the programming language, the problem is that
>>>> Valve trust their game clients too much.
>>>>
>>>>> Well,
>>>>>
>>>>> Valve should start coding c++ with steams ;)
>>>>> Who works with printfs today?
>>>>>
>>>>> I hope Valve will fix the whole source to prevent overflows.
>>>>> C++ is your friend, not old C stuff...
>>>>>
>>>>> Best regards,
>>>>> Stefan Popp
>>>>>
>>>>> Claudio Beretta wrote:
>>>>>
>>>>>> Thanks, anyone knows if a workaround is available?
>>>>>>
>>>>>> BTW: aren't "security researchers" supposed to contact the developers
>>>>>> before releasing 0-day exploits? This is the 2nd 0-day exploit from
>>>>>> aluigi in a few weeks -.-
>>>>>>
>>>>>> On Tue, Aug 18, 2009 at 6:44 PM, Morgan Humes wrote:
>>>>>>
>>>>>>> A friend forwarded me this info regarding a vulnerability.  I am
>>>>>>> unable to test this at the moment, but it does look like it is
>>>>>>> possible. Thought I would get this out to the community before
>>>>>>> others start using this to cause havoc.
>>>>>>>
>>>>>>> http://www.vupen.com/english/advisories/2009/2296
>>>>>>> http://aluigi.altervista.org/adv/sourcefs-adv.txt
>>>>>>>
>>>>>>> Morgan Humes


Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Saul Rennison
I never said there was an issue compiling it. You will find that other  
systems use different library versions for STL, surprisingly, and  
cause linkage issues. I know this as I've tried distributing C++  
Windows / Linux apps which use STL and it's a headache. I'm only  
talking from first-hand experience.

With Windows as I'm sure you'll know, STL is held in msvc8.dll (can't  
remember the exact name) or maybe in CRT, I'm unsure, but that DLL is  
distributed with your application and everyone uses the same binary.  
In Windows, that is. In Linux it's a whole different story.

Thanks,
- Saul.

On 18 Aug 2009, at 22:23, Stefan Popp  wrote:

> Sry, are you serious? I mean, are you serious?
> STL = Standard template library
>
> You are serious we are talking 100% that?
> If you really mean its not portable, you should buy a book about C++.
>
> For myself i prefer "Bjarne Stroustrup's C++"
> STL is a part of C++. Every C++ compiler should understand it, because
> STL is a standard part of C++ since 1993!
> Which compiler did you use, that makes so many problems to port you're
> application to other linux dist. or other operating systems?
>
> Best regards,
> Stefan Popp
>
>
> Saul Rennison schrieb
>> If you knew anything about C++ you'd understand how unportable STL is
>> across various Linux distributions, and how impossible it is to
>> statically link it into the code.
>>
>> Thanks,
>> - Saul.
>>
>> On 18 Aug 2009, at 21:03, Stefan Popp  wrote:
>>
>>
>>> Thats not right ;)
>>>
>>> The programming language is the problem in this case. Why should i
>>> write
>>> my code with functions that shouldnt be used with C++?
>>> C++ works with the stdlib, which means streams. Not C stuff. So its
>>> finally up to Valve to write programs which follows C++ standards
>>> not C.
>>> You cant trust your users as programmer. Its up to us, to make the
>>> source safe, and if the projecttime needs 2 weeks more, you should
>>> spend
>>> the time.
>>>
>>>
>>> Ronny Schedel schrieb:
>>>
>>>> The problem is not the programming language, the problem is that
>>>> Valve trust their game clients too much.
>>>>
>>>>> Well,
>>>>>
>>>>> Valve should start coding c++ with steams ;)
>>>>> Who works with printfs today?
>>>>>
>>>>> I hope Valve will fix the whole source to prevent overflows.
>>>>> C++ is your friend, not old C stuff...
>>>>>
>>>>> Best regards,
>>>>> Stefan Popp
>>>>>
>>>>> Claudio Beretta wrote:
>>>>>
>>>>>> Thanks, anyone knows if a workaround is available?
>>>>>>
>>>>>> BTW: aren't "security researchers" supposed to contact the developers
>>>>>> before releasing 0-day exploits? This is the 2nd 0-day exploit from
>>>>>> aluigi in a few weeks -.-
>>>>>>
>>>>>> On Tue, Aug 18, 2009 at 6:44 PM, Morgan Humes wrote:
>>>>>>
>>>>>>> A friend forwarded me this info regarding a vulnerability.  I am
>>>>>>> unable to test this at the moment, but it does look like it is
>>>>>>> possible. Thought I would get this out to the community before
>>>>>>> others start using this to cause havoc.
>>>>>>>
>>>>>>> http://www.vupen.com/english/advisories/2009/2296
>>>>>>> http://aluigi.altervista.org/adv/sourcefs-adv.txt
>>>>>>>
>>>>>>> Morgan Humes

Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Darren M
While trivial for someone who knows what they are doing to edit the
code, rebuild and most likely bypass this, the following iptables rule
will drop the exploit as provided for me (tested on a hl2 deathmatch
and cstrike:source server)

# log it
 iptables -A INPUT -p udp --dport 27015 -m string \
   --hex-string "|dc4adc4adc4adc4adc4a|" --algo bm \
   -j LOG --log-level info --log-prefix "Valve Disconnect DoS :: "

# drop it
 iptables -A INPUT -p udp --dport 27015 -m string \
   --hex-string "|dc4adc4adc4adc4adc4a|" --algo bm -j DROP

If you've got someone being cute and DoS'ing your machine over and over
with the same packets you can use this approach to block it pretty
easily.

If the above isn't working and you suspect the packets are not the
default from the provided website/exploit info, you can find the packet
that matches by starting the server, then running strace against it
until it crashes, then tailing the output file (4225 being an example
pid here)

 strace -f -v -s 5000 -o server.strace.txt -xx -p 4225

Once the server crashes, strace should exit (ctrl+C out otherwise) and
look at the last few lines before the segfault:

 tail server.strace.txt

You should see something like the following:

649   gettimeofday({1250624185, 558633}, NULL) = 0
649   recvfrom(4,
"\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\xc8\x59\x80\x52\x31\xc6\xf6\x95\xe6\x46\x57\x26\x07\xf7\xe5\x06\x37\x36\x07\x00\x03\x30\xc6\xf6\x95\xe6\x46\x57\x26\x07\xf7\xc6\x16\x46\x57\x06\x10\x03\x30\xc6\xf6\x05\x27\x57\x46\x96\x36\x46\x07\x10\x03\x30\xc6\xf6\x95\xe6\x46\x57\x26\x07\xf7\x25\x17\x46\x97\xf6\x06\x20\x03\x30\xc6\xf6\x45\x57\x16\xd6\x06\x40\x56\x66\x16\x56\xc7\x46\x07\x30\xc6\xf6\x35\xc6\x16\x36\x37\x07\x40\x56\x66\x16\x56\xc7\x46\x07\x50\xe6\x76\xc6\x96\x36\x87\x06\x10\x03\x30\xc6\xf6\x05\x27\x57\x46\x96\x36\x46\x77\x57\x16\x06\xf7\xe6\x36\x07\x10\x03\x30\xc6\xf6\xc5\x16\x76\x36\xf6\xd6\x06\x57\xe6\x36\x17\x46\x97\xf6\xe6\x06\x10\x03\x30\xc6\xf6\x15\x56\x47\xf7\x76\x57\x06\x37\x77\x97\x46\x37\x86\x06\x10\x03\x30\xc6\xf6\x15\x56\x47\xf7\x86\x56\xc6\x06\x07\x10\x03\x30\xc6\xf6\x35\x07\x57\x36\xf6\xd5\xf6\x46\x56\x06\x50\x03\x60\xf7\x96\x36\x56\xf6\xc5\xf6\xf6\x06\x27\x16\x36\xb6\x06\x00\x03\x30\xc6\xf6\x95\xe6\x46\x57\x26\x07\x07\x00\xe3\x02\x23\x03\x30\xc6\xf6\x36\x57\x36\x16\x06\x47\x97\xf6\xe6\x06\x00\x03\x30\xc6\xf6\xc5\x16\xe6\x76\x56\x17\x76\x56\x06\x50\xe6\x76\xc6\x96\x36\x87\x06\x40\x67\xf7\xe5\xf6\x36\x86\x16\x46\x07\x00\x03\x30\xc6\xf6\x55\x07\x47\x16\x46\x57\x26\x17\x46\x57\x06\x10\x03\x03\x03\x30\xc6\xf6\x35\xd6\x46\x26\x17\x46\x57\x06\x10\x03\x03\x03\x20\x17\x46\x57\x06\x20\x03\x03\x03\x03\x03\xe0\x16\xd6\x56\x06\x50\xe7\xe6\x16\xd6\x56\x46\x06\x10\x4a\xe6\x4a\xe6\x4a\xe6\x4a\xe6\x4a\xe6\x4a\xdc\x4a\xdc\x4a\xdc\x4a\xdc\x4a\xdc\x4a\xdc\x00\x00",
96016, 0, {sa_family=AF_INET, sin_port=htons(4966),
sin_addr=inet_addr("12.34.56.78")}, [16]) = 372
649   --- SIGSEGV (Segmentation fault) @ 0 (0) ---
661   +++ killed by SIGSEGV +++

I just chose a little bit from the end of the received bad to match
after verifying it was always the same data.

Hopefully this is fixed soon though since it should be a super easy fix
and this sort of hackery is far from optimal.

~Darren


___
To unsubscribe, edit your list preferences, or view the list archives, please 
visit:
http://list.valvesoftware.com/mailman/listinfo/hlds_linux
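
The manual step described in the message above (find the last recvfrom before the SIGSEGV, then keep only the trailing bytes that are identical in every crash) can be scripted. This is an added example, not part of the original post: the function names are hypothetical, and the capture text, PIDs, addresses and payload bytes are constructed for illustration.

```python
"""Added example: find the datagram that preceded a crash in `strace -f -xx` output."""
import re

# A completed recvfrom() line, or its "<... recvfrom resumed>" half when -f
# interleaved another thread. With -xx every payload byte is written as \xNN.
RECV_RE = re.compile(
    r'^(?P<pid>\d+)\s+(?:recvfrom\(\d+,\s*|<\.\.\. recvfrom resumed>\s*)'
    r'"(?P<data>(?:\\x[0-9a-f]{2})*)"'
    r'.*?sin_port=htons\((?P<port>\d+)\)'
    r'.*?inet_addr\("(?P<addr>[^"]+)"\)'
    r'.*\)\s*=\s*(?P<ret>\d+)\s*$'
)
SEGV_RE = re.compile(r'^(?P<pid>\d+)\s+--- SIGSEGV\b')


def crash_packets(strace_text):
    """Return, for each SIGSEGV, the last datagram the crashing pid received."""
    last_recv = {}  # pid -> most recent datagram read by that pid
    crashes = []
    for raw in strace_text.splitlines():
        line = raw.strip()
        m = RECV_RE.match(line)
        if m:
            payload = bytes.fromhex(m["data"].replace("\\x", ""))
            last_recv[m["pid"]] = {
                "pid": int(m["pid"]),
                "src": (m["addr"], int(m["port"])),
                "payload": payload,
                # strace cuts strings at the -s limit; a cut capture must not
                # be used to pick the bytes to match on.
                "truncated": len(payload) < int(m["ret"]),
            }
            continue
        m = SEGV_RE.match(line)
        if m and m["pid"] in last_recv:
            crashes.append(last_recv[m["pid"]])
    return crashes


def common_suffix(payloads):
    """Longest run of trailing bytes shared by every payload."""
    if not payloads:
        return b""
    limit = min(len(p) for p in payloads)
    n = 0
    while n < limit and len({p[-1 - n] for p in payloads}) == 1:
        n += 1
    first = payloads[0]
    return first[len(first) - n:]


# Constructed captures from two separate crashes (not the data from the post).
CAPTURE_A = r'''
1200  gettimeofday({1250624185, 558633}, NULL) = 0
1200  recvfrom(4, "\xff\xff\xff\xff\x41\x01\xde\xad\xbe\xef\x00", 96016, 0, {sa_family=AF_INET, sin_port=htons(27005), sin_addr=inet_addr("192.0.2.10")}, [16]) = 11
1200  --- SIGSEGV (Segmentation fault) @ 0 (0) ---
1201  +++ killed by SIGSEGV +++
'''

# Second crash: an earlier harmless datagram, then the fatal one split into
# unfinished/resumed halves because another thread ran in between.
CAPTURE_B = r'''
1300  recvfrom(4, "\xff\xff\xff\xff\x54", 96016, 0, {sa_family=AF_INET, sin_port=htons(27005), sin_addr=inet_addr("198.51.100.7")}, [16]) = 5
1300  recvfrom(4,  <unfinished ...>
1301  gettimeofday({1250624190, 12}, NULL) = 0
1300  <... recvfrom resumed> "\xff\xff\xff\xff\x42\x02\x03\xde\xad\xbe\xef\x00", 96016, 0, {sa_family=AF_INET, sin_port=htons(4966), sin_addr=inet_addr("198.51.100.7")}, [16]) = 12
1300  --- SIGSEGV (Segmentation fault) @ 0 (0) ---
'''

if __name__ == "__main__":
    hits = crash_packets(CAPTURE_A) + crash_packets(CAPTURE_B)
    for h in hits:
        flag = " (truncated, rerun strace with a larger -s)" if h["truncated"] else ""
        print(h["pid"], h["src"], len(h["payload"]), "bytes" + flag)
    # Only the bytes that stay the same across crashes are safe to match on.
    print("stable tail:", common_suffix([h["payload"] for h in hits]).hex())
```

A tail that comes out very short means the captures do not share a stable ending, and matching on it would also hit legitimate traffic.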


Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Stefan Popp
Sry, are you serious? I mean, are you serious?
STL = Standard template library

You are serious we are talking 100% that?
If you really mean it's not portable, you should buy a book about C++.

For myself I prefer "Bjarne Stroustrup's C++"
STL is a part of C++. Every C++ compiler should understand it, because 
STL is a standard part of C++ since 1993!
Which compiler did you use, that makes so many problems to port your 
application to other Linux dist. or other operating systems?

Best regards,
Stefan Popp


Saul Rennison wrote:
> If you knew anything about C++ you'd understand how unportable STL is
> across various Linux distributions, and how impossible it is to
> statically link it into the code.
>
> Thanks,
> - Saul.
>
> On 18 Aug 2009, at 21:03, Stefan Popp wrote:
>
>> That's not right ;)
>>
>> The programming language is the problem in this case. Why should I write
>> my code with functions that shouldn't be used with C++?
>> C++ works with the stdlib, which means streams. Not C stuff. So it's
>> finally up to Valve to write programs which follow C++ standards not C.
>> You can't trust your users as programmer. It's up to us, to make the
>> source safe, and if the project time needs 2 weeks more, you should spend
>> the time.
>>
>> Ronny Schedel wrote:
>>> The problem is not the programming language, the problem is that Valve trust
>>> their game clients too much.
>>>
>>>> Well,
>>>>
>>>> Valve should start coding c++ with steams ;)
>>>> Who works with printfs today?
>>>>
>>>> I hope Valve will fix the whole source to prevent overflows.
>>>> C++ is your friend, not old C stuff...
>>>>
>>>> Best regards,
>>>> Stefan Popp
>>>>
>>>> Claudio Beretta wrote:
>>>>> Thanks, anyone knows if a workaround is available?
>>>>>
>>>>> BTW: aren't "security researchers" supposed to contact the developers before
>>>>> releasing 0-day exploits? This is the 2nd 0-day exploit from aluigi in a few
>>>>> weeks -.-
>>>>>
>>>>> On Tue, Aug 18, 2009 at 6:44 PM, Morgan Humes wrote:
>>>>>> A friend forwarded me this info regarding a vulnerability.  I am unable to
>>>>>> test this at the moment, but it does look like it is possible.  Thought I
>>>>>> would get this out to the community before others start using this to cause
>>>>>> havoc.
>>>>>>
>>>>>> http://www.vupen.com/english/advisories/2009/2296
>>>>>> http://aluigi.altervista.org/adv/sourcefs-adv.txt
>>>>>>
>>>>>> Morgan Humes


Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Saul Rennison
Didn't they use ASM (at least in the Source Engine leak, but that's  
very outdated, not to mention possibly illegal) for the Sound Engine  
and parts of mathlib?

Thanks,
- Saul.

On 18 Aug 2009, at 21:53, Gary Stanley wrote:

> At 03:36 PM 8/18/2009, Ronny Schedel wrote:
>
>> It's not forbidden to mix different programming languages, I am sure they also
>> use Assembler codes. The problem can also occur in C++, because they trust
>> the client that it sends a valid string, but it can send anything.
>
> They only use assembly code in startup to get the CPU MHZ via 2
> calls to rdtsc.
>
>>> That's not right ;)
>>>
>>> The programming language is the problem in this case. Why should I write
>>> my code with functions that shouldn't be used with C++?
>>> C++ works with the stdlib, which means streams. Not C stuff. So it's
>>> finally up to Valve to write programs which follow C++ standards not C.
>>> You can't trust your users as programmer. It's up to us, to make the
>>> source safe, and if the project time needs 2 weeks more, you should spend
>>> the time.
>>>
>>> Ronny Schedel wrote:
>>>> The problem is not the programming language, the problem is that Valve trust
>>>> their game clients too much.
>>>>
>>>>> Well,
>>>>>
>>>>> Valve should start coding c++ with steams ;)
>>>>> Who works with printfs today?
>>>>>
>>>>> I hope Valve will fix the whole source to prevent overflows.
>>>>> C++ is your friend, not old C stuff...
>>>>>
>>>>> Best regards,
>>>>> Stefan Popp
>>>>>
>>>>> Claudio Beretta wrote:
>>>>>> Thanks, anyone knows if a workaround is available?
>>>>>>
>>>>>> BTW: aren't "security researchers" supposed to contact the developers before
>>>>>> releasing 0-day exploits? This is the 2nd 0-day exploit from aluigi in a few
>>>>>> weeks -.-
>>>>>>
>>>>>> On Tue, Aug 18, 2009 at 6:44 PM, Morgan Humes wrote:
>>>>>>> A friend forwarded me this info regarding a vulnerability.  I am unable to
>>>>>>> test this at the moment, but it does look like it is possible.  Thought I
>>>>>>> would get this out to the community before others start using this to cause
>>>>>>> havoc.
>>>>>>>
>>>>>>> http://www.vupen.com/english/advisories/2009/2296
>>>>>>> http://aluigi.altervista.org/adv/sourcefs-adv.txt
>>>>>>>
>>>>>>> Morgan Humes


Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Marcel
Ronny Schedel wrote:
> The problem is not the programming language, the problem is that Valve trust 
> their game clients too much.


Glad you haven't seen any code from Korean MMORPGs ;)

marcel



Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Saul Rennison
If you knew anything about C++ you'd understand how unportable STL is  
across various Linux distributions, and how impossible it is to  
statically link it into the code.

Thanks,
- Saul.

On 18 Aug 2009, at 21:03, Stefan Popp  wrote:

> That's not right ;)
>
> The programming language is the problem in this case. Why should I write
> my code with functions that shouldn't be used with C++?
> C++ works with the stdlib, which means streams. Not C stuff. So it's
> finally up to Valve to write programs which follow C++ standards not C.
> You can't trust your users as programmer. It's up to us, to make the
> source safe, and if the project time needs 2 weeks more, you should spend
> the time.
>
> Ronny Schedel wrote:
>> The problem is not the programming language, the problem is that Valve trust
>> their game clients too much.
>>
>>> Well,
>>>
>>> Valve should start coding c++ with steams ;)
>>> Who works with printfs today?
>>>
>>> I hope Valve will fix the whole source to prevent overflows.
>>> C++ is your friend, not old C stuff...
>>>
>>> Best regards,
>>> Stefan Popp
>>>
>>> Claudio Beretta wrote:
>>>> Thanks, anyone knows if a workaround is available?
>>>>
>>>> BTW: aren't "security researchers" supposed to contact the developers before
>>>> releasing 0-day exploits? This is the 2nd 0-day exploit from aluigi in a few
>>>> weeks -.-
>>>>
>>>> On Tue, Aug 18, 2009 at 6:44 PM, Morgan Humes wrote:
>>>>> A friend forwarded me this info regarding a vulnerability.  I am unable to
>>>>> test this at the moment, but it does look like it is possible.  Thought I
>>>>> would get this out to the community before others start using this to cause
>>>>> havoc.
>>>>>
>>>>> http://www.vupen.com/english/advisories/2009/2296
>>>>> http://aluigi.altervista.org/adv/sourcefs-adv.txt
>>>>>
>>>>> Morgan Humes


Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Gary Stanley
At 03:36 PM 8/18/2009, Ronny Schedel wrote:

> It's not forbidden to mix different programming languages, I am sure they also
> use Assembler codes. The problem can also occur in C++, because they trust
> the client that it sends a valid string, but it can send anything.


They only use assembly code in startup to get the CPU MHZ via 2 
calls to rdtsc.


>> That's not right ;)
>>
>> The programming language is the problem in this case. Why should I write
>> my code with functions that shouldn't be used with C++?
>> C++ works with the stdlib, which means streams. Not C stuff. So it's
>> finally up to Valve to write programs which follow C++ standards not C.
>> You can't trust your users as programmer. It's up to us, to make the
>> source safe, and if the project time needs 2 weeks more, you should spend
>> the time.
>>
>> Ronny Schedel wrote:
>>> The problem is not the programming language, the problem is that Valve trust
>>> their game clients too much.
>>>
>>>> Well,
>>>>
>>>> Valve should start coding c++ with steams ;)
>>>> Who works with printfs today?
>>>>
>>>> I hope Valve will fix the whole source to prevent overflows.
>>>> C++ is your friend, not old C stuff...
>>>>
>>>> Best regards,
>>>> Stefan Popp
>>>>
>>>> Claudio Beretta wrote:
>>>>> Thanks, anyone knows if a workaround is available?
>>>>>
>>>>> BTW: aren't "security researchers" supposed to contact the developers before
>>>>> releasing 0-day exploits? This is the 2nd 0-day exploit from aluigi in a few
>>>>> weeks -.-
>>>>>
>>>>> On Tue, Aug 18, 2009 at 6:44 PM, Morgan Humes wrote:
>>>>>> A friend forwarded me this info regarding a vulnerability.  I am unable to
>>>>>> test this at the moment, but it does look like it is possible.  Thought I
>>>>>> would get this out to the community before others start using this to cause
>>>>>> havoc.
>>>>>>
>>>>>> http://www.vupen.com/english/advisories/2009/2296
>>>>>> http://aluigi.altervista.org/adv/sourcefs-adv.txt
>>>>>>
>>>>>> Morgan Humes



Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Stefan Popp
Where's the point?

It's their product, and they have to support the product. If I code any 
application and I wait 4 weeks (or more :P) until I fix anything for my 
customers, I can go directly to die.
I never said valve didn't support their products, but the point is, how 
they do that. And the royal way of support is fast fixing of bugs, and 
if providing sdk's, updating the materials around. And currently I think 
Valve makes bad support. Maybe, they kicked some programmers or 
something? But as customer I didn't care about their resources, I only 
care about their reaction times if I got problems ;) or?

Saint K. wrote:
> Imo VALVe is still the only one who cares and interacts so much with their
> community. Yes they have their flaws, and they can be ugly at times, but hey,
> what other dev mails you straight away when you report a bug to resolve it?
> So far this only happens to me with VALVe. From other devs u should thank
> god on your knees to ever get any response at all.
>
> The games are worth their money, and the support on their games is insanely
> long.
>
> VALVe still has and will continue to have my support.
>
> Saint K.
> -Original Message-
> From: hlds_linux-boun...@list.valvesoftware.com
> [mailto:hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Stefan Popp
> Sent: Tuesday 18 August 2009 20:51
> To: Half-Life dedicated Linux server mailing list
> Subject: Re: [hlds_linux] Valve Source Engine Console Message Format String
> Vulnerability
>
> The wish is currently present ;)
>
> Due a lot of stuff valve didn't manage the right way ;)
> 1. bad code and many ways to crash servers from client side
> 2. changing engine stuff without telling plugin developer about changes
> or any new sdk's
> 3. no statements about this and a lot of other points ;)
>
> there are a lot of reasons why I wish to get my money back, but I still
> hope that valve goes back to their roots and care about their community ;)
>
> Best regards,
> Stefan Popp
>
> Adam Nowacki wrote:
>> You'd wish you never bought any Valve games the day this happens.
>>
>> Stefan Popp wrote:
>>> Sorry, but this must be corrected ;)
>>>
>>> -"Valve should start coding c++ with steams ;)"
>>> +"Valve should start coding c++ with streams ;)"
>>>
>>> Best regards,
>>> Stefan Popp
>>>
>>> Stefan Popp wrote:
>>>> Well,
>>>>
>>>> Valve should start coding c++ with steams ;)
>>>> Who works with printfs today?
>>>>
>>>> I hope Valve will fix the whole source to prevent overflows.
>>>> C++ is your friend, not old C stuff...
>>>>
>>>> Best regards,
>>>> Stefan Popp
>>>>
>>>> Claudio Beretta wrote:
>>>>> Thanks, anyone knows if a workaround is available?
>>>>>
>>>>> BTW: aren't "security researchers" supposed to contact the developers before
>>>>> releasing 0-day exploits? This is the 2nd 0-day exploit from aluigi in a few
>>>>> weeks -.-
>>>>>
>>>>> On Tue, Aug 18, 2009 at 6:44 PM, Morgan Humes wrote:
>>>>>> A friend forwarded me this info regarding a vulnerability.  I am unable to
>>>>>> test this at the moment, but it does look like it is possible.  Thought I
>>>>>> would get this out to the community before others start using this to cause
>>>>>> havoc.
>>>>>>
>>>>>> http://www.vupen.com/english/advisories/2009/2296
>>>>>> http://aluigi.altervista.org/adv/sourcefs-adv.txt
>>>>>>
>>>>>> Morgan Humes

Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Ronny Schedel

It's not forbidden to mix different programming languages, I am sure they also 
use Assembler codes. The problem can also occur in C++, because they trust 
the client that it sends a valid string, but it can send anything.


> That's not right ;)
>
> The programming language is the problem in this case. Why should I write
> my code with functions that shouldn't be used with C++?
> C++ works with the stdlib, which means streams. Not C stuff. So it's
> finally up to Valve to write programs which follow C++ standards not C.
> You can't trust your users as programmer. It's up to us, to make the
> source safe, and if the project time needs 2 weeks more, you should spend
> the time.
>
> Ronny Schedel wrote:
>> The problem is not the programming language, the problem is that Valve trust
>> their game clients too much.
>>
>>> Well,
>>>
>>> Valve should start coding c++ with steams ;)
>>> Who works with printfs today?
>>>
>>> I hope Valve will fix the whole source to prevent overflows.
>>> C++ is your friend, not old C stuff...
>>>
>>> Best regards,
>>> Stefan Popp
>>>
>>> Claudio Beretta wrote:
>>>> Thanks, anyone knows if a workaround is available?
>>>>
>>>> BTW: aren't "security researchers" supposed to contact the developers before
>>>> releasing 0-day exploits? This is the 2nd 0-day exploit from aluigi in a few
>>>> weeks -.-
>>>>
>>>> On Tue, Aug 18, 2009 at 6:44 PM, Morgan Humes wrote:
>>>>> A friend forwarded me this info regarding a vulnerability.  I am unable to
>>>>> test this at the moment, but it does look like it is possible.  Thought I
>>>>> would get this out to the community before others start using this to cause
>>>>> havoc.
>>>>>
>>>>> http://www.vupen.com/english/advisories/2009/2296
>>>>> http://aluigi.altervista.org/adv/sourcefs-adv.txt
>>>>>
>>>>> Morgan Humes


Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Adam Nowacki
This 'C stuff' is actually part of the C++ standard library. Also using 
streams here would be like trying to eat spaghetti with a single stick 
... some will do it, others stick to the fork.

Stefan Popp wrote:
> That's not right ;)
>
> The programming language is the problem in this case. Why should I write
> my code with functions that shouldn't be used with C++?
> C++ works with the stdlib, which means streams. Not C stuff. So it's
> finally up to Valve to write programs which follow C++ standards not C.
> You can't trust your users as programmer. It's up to us, to make the
> source safe, and if the project time needs 2 weeks more, you should spend
> the time.
>
> Ronny Schedel wrote:
>> The problem is not the programming language, the problem is that Valve trust
>> their game clients too much.
>>
>>> Well,
>>>
>>> Valve should start coding c++ with steams ;)
>>> Who works with printfs today?
>>>
>>> I hope Valve will fix the whole source to prevent overflows.
>>> C++ is your friend, not old C stuff...
>>>
>>> Best regards,
>>> Stefan Popp
>>>
>>> Claudio Beretta wrote:
>>>> Thanks, anyone knows if a workaround is available?
>>>>
>>>> BTW: aren't "security researchers" supposed to contact the developers before
>>>> releasing 0-day exploits? This is the 2nd 0-day exploit from aluigi in a few
>>>> weeks -.-
>>>>
>>>> On Tue, Aug 18, 2009 at 6:44 PM, Morgan Humes wrote:
>>>>> A friend forwarded me this info regarding a vulnerability.  I am unable to
>>>>> test this at the moment, but it does look like it is possible.  Thought I
>>>>> would get this out to the community before others start using this to cause
>>>>> havoc.
>>>>>
>>>>> http://www.vupen.com/english/advisories/2009/2296
>>>>> http://aluigi.altervista.org/adv/sourcefs-adv.txt
>>>>>
>>>>> Morgan Humes


Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Saint K .
Imo VALVe is still the only one who cares and interacts so much with their 
community. Yes they have their flaws, and they can be ugly at times, but hey, 
what other dev mails you straight away when you report a bug to resolve it? So 
far this only happens to me with VALVe. From other devs u should thank god on 
your knees to ever get any response at all.

The games are worth their money, and the support on their games is insanely long.

VALVe still has and will continue to have my support.

Saint K.
-Original Message-
From: hlds_linux-boun...@list.valvesoftware.com 
[mailto:hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Stefan Popp
Sent: Tuesday 18 August 2009 20:51
To: Half-Life dedicated Linux server mailing list
Subject: Re: [hlds_linux] Valve Source Engine Console Message Format String 
Vulnerability

The wish is currently present ;)

Due a lot of stuff valve didn't manage the right way ;)
1. bad code and many ways to crash servers from client side
2. changing engine stuff without telling plugin developer about changes 
or any new sdk's
3. no statements about this and a lot of other points ;)

there are a lot of reasons why I wish to get my money back, but I still 
hope that valve goes back to their roots and care about their community ;)

Best regards,
Stefan Popp

Adam Nowacki wrote:
> You'd wish you never bought any Valve games the day this happens.
>
> Stefan Popp wrote:
>> Sorry, but this must be corrected ;)
>>
>> -"Valve should start coding c++ with steams ;)"
>> +"Valve should start coding c++ with streams ;)"
>>
>> Best regards,
>> Stefan Popp
>>
>> Stefan Popp wrote:
>>> Well,
>>>
>>> Valve should start coding c++ with steams ;)
>>> Who works with printfs today?
>>>
>>> I hope Valve will fix the whole source to prevent overflows.
>>> C++ is your friend, not old C stuff...
>>>
>>> Best regards,
>>> Stefan Popp
>>>
>>> Claudio Beretta wrote:
>>>> Thanks, anyone knows if a workaround is available?
>>>>
>>>> BTW: aren't "security researchers" supposed to contact the developers before
>>>> releasing 0-day exploits? This is the 2nd 0-day exploit from aluigi in a few
>>>> weeks -.-
>>>>
>>>> On Tue, Aug 18, 2009 at 6:44 PM, Morgan Humes wrote:
>>>>> A friend forwarded me this info regarding a vulnerability.  I am unable to
>>>>> test this at the moment, but it does look like it is possible.  Thought I
>>>>> would get this out to the community before others start using this to cause
>>>>> havoc.
>>>>>
>>>>> http://www.vupen.com/english/advisories/2009/2296
>>>>> http://aluigi.altervista.org/adv/sourcefs-adv.txt
>>>>>
>>>>> Morgan Humes


Re: [hlds_linux] Valve Source Engine Console Message Format, String Vulnerability

2009-08-18 Thread Brian Rak
Yes, typically the company is contacted before exploits are released...
In Valve's case though, they are so unwilling to fix anything the
exploits end up being released without a fix.



Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Stefan Popp
That's not right ;)

The programming language is the problem in this case. Why should I write
my code with functions that shouldn't be used with C++?
C++ works with the stdlib, which means streams. Not C stuff. So it's
finally up to Valve to write programs which follow C++ standards, not C.
You can't trust your users as a programmer. It's up to us to make the
source safe, and if the project time needs 2 weeks more, you should spend
the time.


Ronny Schedel wrote:
> The problem is not the programming language, the problem is that Valve trusts
> their game clients too much.
>
>
>   
>> Well,
>>
>> Valve should start coding c++ with steams ;)
>> Who works with printfs today?
>>
>> I hope Valve will fix the whole source to prevent overflows.
>> C++ is your friend, not old C stuff...
>>
>> Best regards,
>> Stefan Popp
>>
>>
>> Claudio Beretta wrote:
>>
>>> Thanks, anyone knows if a workaround is available?
>>>
>>> BTW: aren't "security researchers" supposed to contact the developers
>>> before releasing 0-day exploits? This is the 2nd 0-day exploit from
>>> aluigi in a few weeks -.-
>>>
>>>
>>> On Tue, Aug 18, 2009 at 6:44 PM, Morgan Humes wrote:
>>>
>>>
>>>   
>>>> A friend forwarded me this info regarding a vulnerability.  I am unable
>>>> to test this at the moment, but it does look like it is possible.  Thought
>>>> I would get this out to the community before others start using this to
>>>> cause havoc.
>>>>
>>>>  http://www.vupen.com/english/advisories/2009/2296
>>>>  http://aluigi.altervista.org/adv/sourcefs-adv.txt
>>>>
>>>> Morgan Humes


Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Stefan Popp
The wish is currently present ;)

Due to a lot of stuff Valve didn't manage the right way ;)
1. bad code and many ways to crash servers from client side
2. changing engine stuff without telling plugin developers about changes
or any new SDKs
3. no statements about this and a lot of other points ;)

There are a lot of reasons why I wish to get my money back, but I still
hope that Valve goes back to their roots and cares about their community ;)

Best regards,
Stefan Popp

Adam Nowacki wrote:
> You'd wish you never bought any Valve games the day this happens.
>
> Stefan Popp wrote:
>   
>> Sorry, but this must be corrected ;)
>>
>> -"Valve should start coding c++ with steams ;)"
>> +"Valve should start coding c++ with streams ;)"
>>
>> Best regards,
>> Stefan Popp
>>
>> Stefan Popp wrote:
>>
>>> Well,
>>>
>>> Valve should start coding c++ with steams ;)
>>> Who works with printfs today?
>>>
>>> I hope Valve will fix the whole source to prevent overflows.
>>> C++ is your friend, not old C stuff...
>>>
>>> Best regards,
>>> Stefan Popp
>>>
>>>
>>> Claudio Beretta wrote:
>>>
>>>> Thanks, anyone knows if a workaround is available?
>>>>
>>>> BTW: aren't "security researchers" supposed to contact the developers
>>>> before releasing 0-day exploits? This is the 2nd 0-day exploit from
>>>> aluigi in a few weeks -.-
>>>>
>>>>
>>>> On Tue, Aug 18, 2009 at 6:44 PM, Morgan Humes wrote:
>>>>
>>>>> A friend forwarded me this info regarding a vulnerability.  I am unable to
>>>>> test this at the moment, but it does look like it is possible.  Thought I
>>>>> would get this out to the community before others start using this to
>>>>> cause havoc.
>>>>>
>>>>>  http://www.vupen.com/english/advisories/2009/2296
>>>>>  http://aluigi.altervista.org/adv/sourcefs-adv.txt
>>>>>
>>>>> Morgan Humes


Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Ronny Schedel

The problem is not the programming language, the problem is that Valve trusts
their game clients too much.


> Well,
>
> Valve should start coding c++ with steams ;)
> Who works with printfs today?
>
> I hope Valve will fix the whole source to prevent overflows.
> C++ is your friend, not old C stuff...
>
> Best regards,
> Stefan Popp
>
>
> Claudio Beretta wrote:
>> Thanks, anyone knows if a workaround is available?
>>
>> BTW: aren't "security researchers" supposed to contact the developers
>> before releasing 0-day exploits? This is the 2nd 0-day exploit from
>> aluigi in a few weeks -.-
>>
>>
>> On Tue, Aug 18, 2009 at 6:44 PM, Morgan Humes wrote:
>>
>>
>>> A friend forwarded me this info regarding a vulnerability.  I am unable
>>> to test this at the moment, but it does look like it is possible.  Thought
>>> I would get this out to the community before others start using this to
>>> cause havoc.
>>>
>>>  http://www.vupen.com/english/advisories/2009/2296
>>>  http://aluigi.altervista.org/adv/sourcefs-adv.txt
>>>
>>> Morgan Humes


Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Adam Nowacki
You'd wish you never bought any Valve games the day this happens.

Stefan Popp wrote:
> Sorry, but this must be corrected ;)
> 
> -"Valve should start coding c++ with steams ;)"
> +"Valve should start coding c++ with streams ;)"
> 
> Best regards,
> Stefan Popp
> 
> Stefan Popp wrote:
>> Well,
>>
>> Valve should start coding c++ with steams ;)
>> Who works with printfs today?
>>
>> I hope Valve will fix the whole source to prevent overflows.
>> C++ is your friend, not old C stuff...
>>
>> Best regards,
>> Stefan Popp
>>
>>
>> Claudio Beretta wrote:
>>
>>> Thanks, anyone knows if a workaround is available?
>>>
>>> BTW: aren't "security researchers" supposed to contact the developers before
>>> releasing 0-day exploits? This is the 2nd 0-day exploit from aluigi in a few
>>> weeks -.-
>>>
>>>
>>> On Tue, Aug 18, 2009 at 6:44 PM, Morgan Humes wrote:
>>>
>>>> A friend forwarded me this info regarding a vulnerability.  I am unable to
>>>> test this at the moment, but it does look like it is possible.  Thought I
>>>> would get this out to the community before others start using this to cause
>>>> havoc.
>>>>
>>>>  http://www.vupen.com/english/advisories/2009/2296
>>>>  http://aluigi.altervista.org/adv/sourcefs-adv.txt
>>>>
>>>> Morgan Humes


Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Stefan Popp
Sorry, but this must be corrected ;)

-"Valve should start coding c++ with steams ;)"
+"Valve should start coding c++ with streams ;)"

Best regards,
Stefan Popp

Stefan Popp wrote:
> Well,
>
> Valve should start coding c++ with steams ;)
> Who works with printfs today?
>
> I hope Valve will fix the whole source to prevent overflows.
> C++ is your friend, not old C stuff...
>
> Best regards,
> Stefan Popp
>
>
> Claudio Beretta wrote:
>
>> Thanks, anyone knows if a workaround is available?
>>
>> BTW: aren't "security researchers" supposed to contact the developers before
>> releasing 0-day exploits? This is the 2nd 0-day exploit from aluigi in a few
>> weeks -.-
>>
>>
>> On Tue, Aug 18, 2009 at 6:44 PM, Morgan Humes wrote:
>>
>>   
>> 
>>> A friend forwarded me this info regarding a vulnerability.  I am unable to
>>> test this at the moment, but it does look like it is possible.  Thought I
>>> would get this out to the community before others start using this to cause
>>> havoc.
>>>
>>>  http://www.vupen.com/english/advisories/2009/2296
>>>  http://aluigi.altervista.org/adv/sourcefs-adv.txt
>>>
>>> Morgan Humes


Re: [hlds_linux] Valve Source Engine Console Message Format, String Vulnerability

2009-08-18 Thread Brian Rak
Backtrace for this crash looks like:
#0  0xb7e9c463 in strlen () from /lib/tls/i686/cmov/libc.so.6
#1  0xb7e70164 in vfprintf () from /lib/tls/i686/cmov/libc.so.6
#2  0xb7e8df81 in vsnprintf () from /lib/tls/i686/cmov/libc.so.6
#3  0xb7de2690 in V_vsnprintf () from bin/vstdlib_i486.so
#4  0xb72a389b in CGameClient::Disconnect () from bin/engine_i686.so
#5  0xb7261fe3 in CNetChan::ProcessControlMessage () from bin/engine_i686.so
#6  0xb7264177 in CNetChan::ProcessMessages () from bin/engine_i686.so
#7  0xb7264437 in CNetChan::CheckReceivingList () from bin/engine_i686.so
#8  0xb72658ae in CNetChan::ProcessPacket () from bin/engine_i686.so
#9  0xb726e9c0 in NET_ProcessSocket () from bin/engine_i686.so
#10 0xb71cbed2 in CBaseServer::RunFrame () from bin/engine_i686.so
#11 0xb72b9dec in SV_Frame () from bin/engine_i686.so
#12 0xb723851d in _Host_RunFrame_Server () from bin/engine_i686.so
#13 0xb7238d50 in _Host_RunFrame () from bin/engine_i686.so
#14 0xb7239412 in Host_RunFrame () from bin/engine_i686.so
#15 0xb724351c in CHostState::State_Run () from bin/engine_i686.so
#16 0xb72437c1 in CHostState::FrameUpdate () from bin/engine_i686.so
#17 0xb7243947 in HostState_Frame () from bin/engine_i686.so
#18 0xb72d8d54 in CEngine::Frame () from bin/engine_i686.so
#19 0xb72d6b6e in CDedicatedServerAPI::RunFrame () from bin/engine_i686.so
#20 0xb7d5e0fd in RunServer () from bin/dedicated_i686.so
#21 0xb72d654e in CModAppSystemGroup::Main () from bin/engine_i686.so
#22 0xb73ddcc3 in CAppSystemGroup::Run () from bin/engine_i686.so
#23 0xb72d779f in CDedicatedServerAPI::ModInit () from bin/engine_i686.so
#24 0xb7d5e34a in CDedicatedAppSystemGroup::Main () from bin/dedicated_i686.so
#25 0xb7d95713 in CAppSystemGroup::Run () from bin/dedicated_i686.so
#26 0xb7d95713 in CAppSystemGroup::Run () from bin/dedicated_i686.so
#27 0xb7d5e758 in main () from bin/dedicated_i686.so
#28 0x0804909e in main ()
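
[Added example, not part of Brian Rak's message and not Valve's code.] A crash in strlen() under vfprintf()/vsnprintf(), as in frames #0-#3 above, is what a %s conversion reading a pointer that was never supplied typically looks like. The sketch below puts that unsafe call pattern beside the hardened one; every function name in it is hypothetical, since the engine's source is not shown in this thread.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for an engine console formatter that forwards to
 * vsnprintf(), the libc call in frame #2 of the backtrace above. */
static int console_format(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int written = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return written;
}

/* UNSAFE: the peer-supplied reason is used as the format string itself, so
 * any conversion in it makes vsnprintf() read arguments that were never
 * passed. Shown for contrast only; call it with trusted text only. */
int disconnect_msg_unsafe(char *out, size_t n, const char *reason)
{
    return console_format(out, n, reason);
}

/* Hardened: the format is a constant and the untrusted text is only data. */
int disconnect_msg_safe(char *out, size_t n, const char *reason)
{
    return console_format(out, n, "%s", reason);
}

/* Audit/logging helper: number of conversion specifications in a string
 * that is about to be treated as a format ("%%" is a literal percent). */
int count_format_directives(const char *s)
{
    int count = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {
            s++;            /* skip the escaped percent sign */
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    char buf[64];
    const char *reason = "%s%s%s";   /* constructed sample input */
    disconnect_msg_safe(buf, sizeof buf, reason);
    printf("logged verbatim: %s (directives seen: %d)\n",
           buf, count_format_directives(reason));
    return 0;
}
```

The same rule holds whether the code base uses printf-style calls or C++ streams: text received from a client is passed as an argument, never as the format. Building with -Wformat -Wformat-security and marking such wrappers with the GCC/Clang format attribute lets the compiler flag call sites like the unsafe one.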




Re: [hlds_linux] Valve Source Engine Console Message Format, String Vulnerability

2009-08-18 Thread Brian Rak
Yep, I just found that page a bit earlier today.  Despite the fact that
it's a serious crash, I have no hope that valve will ever fix it (Just
like the 13 other exploits they haven't done shit about)



Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Stefan Popp
Well,

Valve should start coding c++ with steams ;)
Who works with printfs today?

I hope Valve will fix the whole source to prevent overflows.
C++ is your friend, not old C stuff...

Best regards,
Stefan Popp


Claudio Beretta wrote:
> Thanks, anyone knows if a workaround is available?
>
> BTW: aren't "security researchers" supposed to contact the developers before
> releasing 0-day exploits? This is the 2nd 0-day exploit from aluigi in a few
> weeks -.-
>
>
> On Tue, Aug 18, 2009 at 6:44 PM, Morgan Humes  wrote:
>
>   
>> A friend forwarded me this info regarding a vulnerability.  I am unable to
>> test this at the moment, but it does look like it is possible.  Thought I
>> would get this out to the community before others start using this to cause
>> havoc.
>>
>>  http://www.vupen.com/english/advisories/2009/2296
>>  http://aluigi.altervista.org/adv/sourcefs-adv.txt
>>
>> Morgan Humes


Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Claudio Beretta
Thanks, anyone knows if a workaround is available?

BTW: aren't "security researchers" supposed to contact the developers before
releasing 0-day exploits? This is the 2nd 0-day exploit from aluigi in a few
weeks -.-


On Tue, Aug 18, 2009 at 6:44 PM, Morgan Humes  wrote:

> A friend forwarded me this info regarding a vulnerability.  I am unable to
> test this at the moment, but it does look like it is possible.  Thought I
> would get this out to the community before others start using this to cause
> havoc.
>
>  http://www.vupen.com/english/advisories/2009/2296
>  http://aluigi.altervista.org/adv/sourcefs-adv.txt
>
> Morgan Humes