0.2.8.3.2 released! (Plus, security issues.)

Help test release candidates for the next release
Post Reply
User avatar
Z-Man
God & Project Admin
Posts: 11585
Joined: Sun Jan 23, 2005 6:01 pm
Location: Cologne
Contact:

0.2.8.3.2 released! (Plus, security issues.)

Post by Z-Man »

Yay!

Changes relative to 0.2.8.3.1 are three security fixes:
The most important vulnerability let modified clients send servers into infinite loops by exploiting a bug in handling the very, very old cycle turn command protocol. This was fixed in bzr on May, 14th (revision 1274 on our 0.2.8 and revision 729 on sty+ct). It's already been actively exploited, mostly not to harm the server, but to show how 1337 the attacker is.

The second vulnerability allowed anyone with enough access rights to execute "/admin include" to gain owner rights on a server and take it over. This was fixed today, revision 1327 on 0.2.8 and 751 on sty+ct. A workaround is to just restrict access to "/admin include". At least "/vote include" isn't affected. The fix for this is the only change since 0.2.8.3.2_rc1, and yeah, I skipped rc2 because it's a pretty safe, but important, fix.

The third problem are bugs in handling too large and/or forged network packages; they may result in reads from unallocated memory and thus server crashes (in theory. It was never observed, but with a bit of patience and trial and error, a "ping of death" taking down specific builds can probably be constructed). This one also affects clients. The fix for that was merged to sty+ct on July the 28th (revision 743) and to our 0.2.8 on July the 22nd (revision 1292).

Also, the source has been adapted to compile and run with gcc 4.6; previous versions would only compile with -fpermissive and authentication requests would get stuck in infinite loops in background threads.

On top of those fixes, a couple of minor bugs were eliminated: spelling fixes, for the most part.

You can get it in the usual places: Sourceforge, Launchpad or our PPA. Only the old common builds are available on Sourceforge: Windows installer (.exe), source tarballs (.tar.gz and .tar.bz2), Mac Disk Images (.dmg) and Linux autopackage installers (.package) and debian packages (.deb). They're all also available on launchpad. Because they're a bit experimental, we only have the Portable Linux Apps for client and server on Launchpad (just download, mark executable and execute) and raw binary tarballs (.bin.tar.bz2) and zips which are used by Zero Install which I can only recommend, but you can also just unpack them anywhere and run the game from there. And, of course, the PPA contains .debs for various Ubuntu releases.

A word on the PPA. I mistakenly uploaded a trunk build as a regular, non-rebranded armagetronad package last week. I deleted them now, but the way apt works means that if you updated and upgraded your system while the packages were online and you got them, you're stuck with them and they won't auto-upgrade to 0.2.8.2 as that would be a downgrade. Sorry. The way around that is to reinstall them: 'sudo apt-get remove armagetronad armagetronad-dedicated armagetronad-common' should do the trick.

Upgrading your server is strongly recommended. bzr/svn users of all branches should also update their servers now, the fixes have been propagated to all relevant branches and should make it into tomorrow's weekly snapshot builds.

Clients should be upgraded, too. Don't think your firewall will protect you from unwanted data packets from malicious sources, all it takes is a server listed on the master list and it'll open the doors for it.

I noticed half a handful of servers are still on 0.2.8.2.X. The access escalation bug doesn't affect them, but the other two do. Give word if you haven't upgraded to 0.2.8.3 for a specific reason and want a backport.
syllabear
Shutout Match Winner
Posts: 1030
Joined: Fri Oct 13, 2006 1:37 pm
Location: UK/HK

Re: 0.2.8.3.2 released! (Plus, security issues.)

Post by syllabear »

thanks :) Good to know you're still hard at work on this
The Halley's comet of Armagetron.
ps I'm not tokoyami
User avatar
Phytotron
Formerly Oscilloscope
Posts: 5041
Joined: Thu Jun 09, 2005 10:06 pm
Location: A site or situation, especially considered in regard to its surroundings.
Contact:

Re: 0.2.8.3.2 released! (Plus, security issues.)

Post by Phytotron »

Er, what's with all the .asc files on Sourceforge?
User avatar
Z-Man
God & Project Admin
Posts: 11585
Joined: Sun Jan 23, 2005 6:01 pm
Location: Cologne
Contact:

Re: 0.2.8.3.2 released! (Plus, security issues.)

Post by Z-Man »

They're gpg signatures for the big files. The public part of the key is on launchpad, as are instructions how to check them. It's one of those things you can do to authenticate downloads come from the one you think they come from.
(Did I mention Zero Install does checks of this kind automatically on the html metadata and the downloads? It does.)

Yeah, they're a bit messy and confusing. Sorry, First upload to SF in ages and they changed their system a bit since the last one. I'll move them into a subfolder tomorrow.
User avatar
Z-Man
God & Project Admin
Posts: 11585
Joined: Sun Jan 23, 2005 6:01 pm
Location: Cologne
Contact:

Re: 0.2.8.3.2 released! (Plus, security issues.)

Post by Z-Man »

Patch file with just the security fixes:
http://launchpad.net/armagetronad/0.2.8 ... rity.patch

The same, backported to 0.2.8.2 (the vardir problem doesn't affect that):
http://launchpad.net/armagetronad/0.2.8 ... rity.patch

And build 0.2.8.2.2 with the backport and compilation fixes for gcc 4.4 applied:
https://launchpad.net/armagetronad/0.2.8/0.2.8.2.2
Just sources and autopackage, that was hard enough to do.
ve4jhj
Posts: 5
Joined: Wed Feb 17, 2010 12:53 am

Re: 0.2.8.3.2 released! (Plus, security issues.)

Post by ve4jhj »

Armagetron Advanced Portable 0.2.8.3.2 has been released at PortableApps.com
szopin
Average Program
Posts: 57
Joined: Tue Oct 21, 2008 7:12 pm

Re: 0.2.8.3.2 released! (Plus, security issues.)

Post by szopin »

Latest binary release on Win8 hangs (probably master server down, but behaviour is absurd, freezes whole system). The wild binary alpha out there grabs mouse focus preventing alt-tab interactions, at least loads the server list (which means it's not a DOS???)
User avatar
delinquent
Match Winner
Posts: 760
Joined: Sat Jul 07, 2012 3:07 am

Re: 0.2.8.3.2 released! (Plus, security issues.)

Post by delinquent »

This happens under all the windows systems I've tried arma on. Plus, this is hardly the place for it. Make a new post in support maybe?
User avatar
Z-Man
God & Project Admin
Posts: 11585
Joined: Sun Jan 23, 2005 6:01 pm
Location: Cologne
Contact:

Re: 0.2.8.3.2 released! (Plus, security issues.)

Post by Z-Man »

delinquent wrote:This happens under all the windows systems I've tried arma on.
Maybe you could have told us earlier?
Anyway, I can't reproduce the reported behavior. Maybe it only happens at certain times, for example while the masters are under high load? Does it get reproduced in a recording? If so, gimme that!

(There is a known problem where 0.2.8 will take a LOOOOONG time to enter the server browser when DNS lookups fail a certain way. Nothing further can be done about that, sorry.)
szopin
Average Program
Posts: 57
Joined: Tue Oct 21, 2008 7:12 pm

Re: 0.2.8.3.2 released! (Plus, security issues.)

Post by szopin »

delinquent wrote:This happens under all the windows systems I've tried arma on. Plus, this is hardly the place for it. Make a new post in support maybe?
Yeah, sorry. Thought as release version matched this would be related, preffered to report in any case (especially the bad behaviour - pretending the system hangs)
szopin
Average Program
Posts: 57
Joined: Tue Oct 21, 2008 7:12 pm

Re: 0.2.8.3.2 released! (Plus, security issues.)

Post by szopin »

Z-Man wrote:
delinquent wrote:This happens under all the windows systems I've tried arma on.
Maybe you could have told us earlier?
Anyway, I can't reproduce the reported behavior. Maybe it only happens at certain times, for example while the masters are under high load? Does it get reproduced in a recording? If so, gimme that!

(There is a known problem where 0.2.8 will take a LOOOOONG time to enter the server browser when DNS lookups fail a certain way. Nothing further can be done about that, sorry.)
The masters when hanging can take looong, but you get text at the top indicating they are being queried. Probably DNS, wouldn't pointing them to 8.8.8.8 help (google's public dns so should never go down for too long)? Or is this windows and its DNS-handling related?
User avatar
delinquent
Match Winner
Posts: 760
Joined: Sat Jul 07, 2012 3:07 am

Re: 0.2.8.3.2 released! (Plus, security issues.)

Post by delinquent »

@Z-Man
I never considered it an issue, other programs have the same effect at times. I put it down to a lack of multi-tasking ability. I'm still on a Celeron :/

@szopin
Windows has various problems that lie across DNS, network allocation and the like. That, however, I do not think is the root of our problem. Any full-screen application usually takes precedence over explorer.exe, and some applications even take a handle on root keys (Start button etc) and send their various commands to the relevant program themselves.

Arma appears not to do this. It does, however, lock all other network access in the build of Windows that I run. This action is interpreted as a non responsive program, and as all explorer programs are treated as one whole program, explorer freezes.

Tl:Dr Windows is shoddy.
User avatar
Z-Man
God & Project Admin
Posts: 11585
Joined: Sun Jan 23, 2005 6:01 pm
Location: Cologne
Contact:

Re: 0.2.8.3.2 released! (Plus, security issues.)

Post by Z-Man »

The known problems are DNS lookups for certain crappy dynamic dns providers. They simply time out. And lacking the proper tech, 0.2.8 is doing the requests one by one... I doubt google dns would help, the dynamic DNS TTLs are typically so low (they have to be) that they are not cached.

And yes, Windows DNS resolution is slightly crappy. NOT AS CRAPPY as the supposedly async methods of .NET http fetching classes, mind you. Grumble. They claim to be non-blocking, but still do block the first time you call them while they are trying to fetch an appropriate proxy.
User avatar
delinquent
Match Winner
Posts: 760
Joined: Sat Jul 07, 2012 3:07 am

Re: 0.2.8.3.2 released! (Plus, security issues.)

Post by delinquent »

And when they time out fetching said proxy... Bah.

I'd still take it over hash based internet any day.
Post Reply