Short description: Buffer overflows in savegame loading
Related bug reports:
Patches: (sometimes more fuzz is needed to apply them)
- For version 1.1.2 up to including 1.1.2
- For version 1.1.0 up to including 1.1.1
- For version 1.0.5 up to including 1.0.5
- For version 0.7.0 up to including 0.7.5
- For version 0.6.0 up to including 0.6.3
- For version 0.5.0 up to including 0.5.3
- For version 1.0.0 up to including 1.0.4
In multiple places indices in savegames are not properly validated that allow (remote) attackers to cause a denial of service (crash) and possibly execute arbitrary code via unspecified vectors.
The bug is exploitable by passing someone a modified savegame, be it via a file sharing site, or by running a server. In case of the server the user only has to be able to login into the server, which is easy to accomplish: set no server password and do not ban anyone. Then upon joining the server the savegame will be downloaded and subsequently loaded.
Note that versions before 0.5.0 are vulnerable as well. However, these versions are over five years old and not supported anymore. Therefore no patches for earlier versions are provided. Before 0.3.5 it is not possible to exploit this bug via the internet as multiplayer over internet did not exist yet.