View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0000877||LDMud 3.6||Implementation||public||2020-04-27 07:48||2020-04-28 23:47|
|Target Version||3.6.2||Fixed in Version||3.6.2|
|Summary||0000877: snoop() adds junk data to input commands|
|Description||Checking the snoop function in the 3.6 series, it appears that the snooper can see remainders of previously input commands in the snooped text.|
For example: the snoopee types in "get all", the snooper sees "%get all". But if the snooper types the command "l" next, the snooper sees "%let all" (the new command combined with a remainder of the old command). This only affects input text, output is unaffected. The snoopee sees nothing unusual, just the snooper.
|Tags||No tags attached.|
Just this evening I got a report from two wizards reporting a similar problem.
A short check: this is not limited to snoopee and snooper: the snooper gets commands from arbitrary players in the mud with the beginning overwritten by the command of the snoopee.
It seems a static buffer used in the process is not cleared beforehand.
With this bug it is possible to read commands from third parties, which is bad enough. But with the correct timing of a cooperating snoopee and snooper (or just bad luck), a snooper can also get to know the password of third parties, especially in muds with little activity. This was actually demonstrated by a wizard from us in his homemud.
Therefore, I have increased the priority on this one, but can only have a look this evening. I think this also merits a fast bugfix release.
Wow, that got serious quick. Yes, I agree it's a security issue at this point and merits a bugfix release.
Indeed. Fortunately, Gnomi has a fix for the issue ready and we will prepare a release (also including some other fixes) and announcement soon.
3.6.2 was just released and fixes the problem. Thank you for reporting!
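The symptom from the report, reproduced in a small C program as an added example; it is not LDMud's code and not the fix shipped in 3.6.2. It assumes, following the remark in the notes, that the cause is a shared static buffer that is neither terminated nor cleared between commands; `snoop_buf`, `snoop_format_buggy`, `snoop_format_fixed` and `snoop_leaks` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

#define SNOOP_BUF 64

/* Hypothetical scratch buffer shared by every player's input (assumption,
 * modelled on the "static buffer ... not cleared" remark in the thread). */
static char snoop_buf[SNOOP_BUF];

/* Buggy: overwrites only the first len bytes and never terminates, so the
 * tail of a longer, earlier command stays readable behind the new one. */
const char *snoop_format_buggy(const char *cmd)
{
    size_t len = strlen(cmd);
    if (len >= SNOOP_BUF) len = SNOOP_BUF - 1;
    memcpy(snoop_buf, cmd, len);
    return snoop_buf;
}

/* Hardened: same bounded copy, but the string always ends at the new
 * length, so nothing from a previous command can be read through it. */
const char *snoop_format_fixed(const char *cmd)
{
    size_t len = strlen(cmd);
    if (len >= SNOOP_BUF) len = SNOOP_BUF - 1;
    memcpy(snoop_buf, cmd, len);
    snoop_buf[len] = '\0';
    return snoop_buf;
}

/* Regression check: 1 if the snooper's view of `next` contains leftovers
 * of `prev`, 0 if it shows exactly what was typed. */
int snoop_leaks(const char *(*fmt)(const char *), const char *prev, const char *next)
{
    memset(snoop_buf, 0, sizeof snoop_buf);
    fmt(prev);
    return strcmp(fmt(next), next) != 0;
}

int main(void)
{
    /* Constructed input, taken from the report: "get all" followed by "l". */
    snoop_format_buggy("get all");
    printf("buggy: %%%s\n", snoop_format_buggy("l"));   /* %let all */
    printf("fixed: %%%s\n", snoop_format_fixed("l"));   /* %l */
    printf("fixed leaks: %d\n", snoop_leaks(snoop_format_fixed, "get all", "l"));
    return 0;
}
```

A check like `snoop_leaks` works as a regression test for this class of bug: feed a long command, then a short one, and require that the forwarded text equals the short command exactly.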
|2020-04-27 07:48||iago4||New Issue|
|2020-04-28 01:40||zesstra||Note Added: 0002524|
|2020-04-28 09:38||zesstra||Priority||normal => immediate|
|2020-04-28 09:38||zesstra||Severity||minor => block|
|2020-04-28 09:38||zesstra||Status||new => confirmed|
|2020-04-28 09:38||zesstra||Note Added: 0002525|
|2020-04-28 09:39||zesstra||Project||LDMud => LDMud 3.6|
|2020-04-28 09:41||zesstra||Product Version||=> 3.6.1|
|2020-04-28 09:41||zesstra||Target Version||=> 3.6.2|
|2020-04-28 09:42||zesstra||View Status||public => private|
|2020-04-28 21:54||iago4||Note Added: 0002526|
|2020-04-28 21:57||zesstra||Note Added: 0002527|
|2020-04-28 23:24||zesstra||View Status||private => public|
|2020-04-28 23:44||zesstra||Status||confirmed => closed|
|2020-04-28 23:44||zesstra||Resolution||open => fixed|
|2020-04-28 23:44||zesstra||Fixed in Version||=> 3.6.2|
|2020-04-28 23:44||zesstra||Note Added: 0002528|
|2020-04-28 23:47||zesstra||Status||closed => resolved|