View Issue Details

IDProjectCategoryView StatusLast Update
0000877LDMud 3.6Implementationpublic2020-04-28 21:47
Reporteriago4 Assigned To 
PriorityimmediateSeverityblockReproducibilityalways
Status resolvedResolutionfixed 
Product Version3.6.1 
Target Version3.6.2Fixed in Version3.6.2 
Summary0000877: snoop() adds junk data to input commands
DescriptionChecking the snoop function in the 3.6 series, it appears that the snooper can see remainders of previously input commands in the snooped text.

For example: the the snoopee types in "get all", the snooper sees "%get all". But if the snooper types the command "l" next, the snooper sees "%let all" (the new command combined with a remainder of the old command). This only affects input text, output is unaffected. The snoopee sees nothing unusual, just the snooper.
TagsNo tags attached.

Activities

zesstra

2020-04-27 23:40

administrator   ~0002524

Just this evening I got a report from two wizards reporting a similar problem.

A short check: this is not limited to snoopee and snooper: the snooper gets commands from arbitrary players in the mud with the beginning overwritten by the command of the snoopee.
It seems, a static buffer used in the process is not cleared before.

zesstra

2020-04-28 07:38

administrator   ~0002525

With this bug it is possible to read commands from third-parties, which is bad enough. But with the correct timing of a cooperating snoopee and snooper (or just bad luck), a snooper can also get to know the password of third-parties, especially in muds with little activity. This was actually demonstrated by a wizard from us in his homemud.

Therefore, we I have increased the priority on this one, but can only have a look this evening. I think, this also merits a fast bugfix release.

iago4

2020-04-28 19:54

reporter   ~0002526

Wow, that got serious quick. Yes, I agree it's a security issue at this point and merits a bugfix release.

zesstra

2020-04-28 19:57

administrator   ~0002527

Indeed. Fortunately, Gnomi has a fix for the issue ready and we will prepare a release (also including some other fixes) and announcement soon.

zesstra

2020-04-28 21:44

administrator   ~0002528

3.6.2 was just released and fixes the problem. Thank you for reporting!

Issue History

Date Modified Username Field Change
2020-04-27 05:48 iago4 New Issue
2020-04-27 23:40 zesstra Note Added: 0002524
2020-04-28 07:38 zesstra Priority normal => immediate
2020-04-28 07:38 zesstra Severity minor => block
2020-04-28 07:38 zesstra Status new => confirmed
2020-04-28 07:38 zesstra Note Added: 0002525
2020-04-28 07:39 zesstra Project LDMud => LDMud 3.6
2020-04-28 07:41 zesstra Product Version => 3.6.1
2020-04-28 07:41 zesstra Target Version => 3.6.2
2020-04-28 07:42 zesstra View Status public => private
2020-04-28 19:54 iago4 Note Added: 0002526
2020-04-28 19:57 zesstra Note Added: 0002527
2020-04-28 21:24 zesstra View Status private => public
2020-04-28 21:44 zesstra Status confirmed => closed
2020-04-28 21:44 zesstra Resolution open => fixed
2020-04-28 21:44 zesstra Fixed in Version => 3.6.2
2020-04-28 21:44 zesstra Note Added: 0002528
2020-04-28 21:47 zesstra Status closed => resolved