View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0000877 | LDMud 3.6 | Implementation | public | 2020-04-27 05:48 | 2020-04-28 21:47 |
Reporter | iago4 | Assigned To | |||
Priority | immediate | Severity | block | Reproducibility | always |
Status | resolved | Resolution | fixed | ||
Product Version | 3.6.1 | ||||
Target Version | 3.6.2 | Fixed in Version | 3.6.2 | ||
Summary | 0000877: snoop() adds junk data to input commands | ||||
Description | Checking the snoop function in the 3.6 series, it appears that the snooper can see remainders of previously input commands in the snooped text. For example: if the snoopee types in "get all", the snooper sees "%get all". But if the snooper types the command "l" next, the snooper sees "%let all" (the new command combined with a remainder of the old command). This only affects input text; output is unaffected. The snoopee sees nothing unusual, just the snooper. | ||||
Tags | No tags attached. | ||||
|
Just this evening I got a report from two wizards reporting a similar problem. A short check: this is not limited to snoopee and snooper: the snooper gets commands from arbitrary players in the mud with the beginning overwritten by the command of the snoopee. It seems a static buffer used in the process is not cleared beforehand. |
|
With this bug it is possible to read commands from third parties, which is bad enough. But with the correct timing of a cooperating snoopee and snooper (or just bad luck), a snooper can also get to know the password of third parties, especially in muds with little activity. This was actually demonstrated by a wizard from us in his homemud. Therefore, I have increased the priority on this one, but can only have a look this evening. I think this also merits a fast bugfix release. |
|
Wow, that got serious quick. Yes, I agree it's a security issue at this point and merits a bugfix release. |
|
Indeed. Fortunately, Gnomi has a fix for the issue ready and we will prepare a release (also including some other fixes) and announcement soon. |
|
3.6.2 was just released and fixes the problem. Thank you for reporting! |
Date Modified | Username | Field | Change |
---|---|---|---|
2020-04-27 05:48 | iago4 | New Issue | |
2020-04-27 23:40 | zesstra | Note Added: 0002524 | |
2020-04-28 07:38 | zesstra | Priority | normal => immediate |
2020-04-28 07:38 | zesstra | Severity | minor => block |
2020-04-28 07:38 | zesstra | Status | new => confirmed |
2020-04-28 07:38 | zesstra | Note Added: 0002525 | |
2020-04-28 07:39 | zesstra | Project | LDMud => LDMud 3.6 |
2020-04-28 07:41 | zesstra | Product Version | => 3.6.1 |
2020-04-28 07:41 | zesstra | Target Version | => 3.6.2 |
2020-04-28 07:42 | zesstra | View Status | public => private |
2020-04-28 19:54 | iago4 | Note Added: 0002526 | |
2020-04-28 19:57 | zesstra | Note Added: 0002527 | |
2020-04-28 21:24 | zesstra | View Status | private => public |
2020-04-28 21:44 | zesstra | Status | confirmed => closed |
2020-04-28 21:44 | zesstra | Resolution | open => fixed |
2020-04-28 21:44 | zesstra | Fixed in Version | => 3.6.2 |
2020-04-28 21:44 | zesstra | Note Added: 0002528 | |
2020-04-28 21:47 | zesstra | Status | closed => resolved |
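
The symptom reported above ("get all" followed by "l" showing up as "%let all") is what a reused static buffer produces when a shorter command is copied in without a new terminator. The following is an added example, not LDMud's code and not the 3.6.2 fix, which this page does not show; `snoop_buf`, `snoop_copy_flawed`, `snoop_copy_fixed` and `snoop_reset` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

#define CMD_MAX 64

/* Hypothetical stand-in for a static buffer shared by all input
 * that gets forwarded to a snooper. */
static char snoop_buf[CMD_MAX];

/* Clears the shared buffer (used here to start each demo from a clean state). */
void snoop_reset(void)
{
    memset(snoop_buf, 0, sizeof snoop_buf);
}

/* Flawed: copies only the new bytes and writes no terminator, so the tail
 * of the previous (longer) command stays readable as part of the string. */
const char *snoop_copy_flawed(const char *cmd, size_t len)
{
    if (len >= CMD_MAX)
        len = CMD_MAX - 1;
    memcpy(snoop_buf, cmd, len);
    return snoop_buf;
}

/* Corrected: terminates at the new length, so nothing left over from an
 * earlier command, possibly from another connection, is forwarded. */
const char *snoop_copy_fixed(const char *cmd, size_t len)
{
    if (len >= CMD_MAX)
        len = CMD_MAX - 1;
    memcpy(snoop_buf, cmd, len);
    snoop_buf[len] = '\0';
    return snoop_buf;
}

int main(void)
{
    /* Constructed input taken from the report: "get all", then "l". */
    snoop_reset();
    printf("flawed: %%%s\n", snoop_copy_flawed("get all", 7));
    printf("flawed: %%%s\n", snoop_copy_flawed("l", 1));
    snoop_reset();
    printf("fixed:  %%%s\n", snoop_copy_fixed("get all", 7));
    printf("fixed:  %%%s\n", snoop_copy_fixed("l", 1));
    return 0;
}
```

Because the buffer is shared, the leftover bytes need not come from the snooped connection, which matches the later observation in the thread that third-party input was exposed.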