Slashdot Mirror

← Back to Stories (view on slashdot.org)

Half-Life Vulnerabilities Exposed, Patched

Posted by simoniker on from the publicized-then-fixed dept.

AEton writes "PivX Solutions revealed in a press release three apparently new vulnerabilities in Half-Life and its related mods (such as Counter-Strike and Day of Defeat). Security researcher Auriemma Luigi discovered the flaws, reported them to Valve, and waited over three months for an official response before releasing an unofficial patch to correct the issues. Details on each of the vulnerabilities and sample code are linked to in the press release. (The third one looks kind of flaky, but the buffer overflows seem real.)" Thanks to an anonymous reader for pointing out Valve have now released a dedicated Windows server patch and dedicated Linux server patch (links via Fileshack) which seem to fix the issues.

8 of 36 comments (clear)

  1. 3 months by Taral · · Score: 3, Interesting

    I'm appalled that it apparently took a public release to get them to patch the servers. It would have been trivial for Valve to slide this into a patch and release it to everyone.

    What possible rationale do they have for not fixing it in <b>3 months</b>?

    --
    Taral

    WARN_(accel)("msg null; should hang here to be win compatible\n");
    -- WINE source code

    1. Re:3 months by breon.halling · · Score: 4, Insightful

      What possible rationale do they have for not fixing it in 3 months?

      Hmmm. Maybe they were busy working on Half-Life 2? ;)

      Seriously, though: considering Half-Life's age, I find it amazing it got patched at all! Half was released at the end of 1998, making it almost 5 years old. I can't think of many other games (or even applications, for that matter) that still get support after such a length of time.

      --
      "Yeah, well, Dracula called and he's coming over tonight for you and I said okay."
  2. Not good enough by sevensharpnine · · Score: 3, Insightful

    They still haven't fixed VAC (valve anti-cheat) so wine users can play Half-Life. This doesn't stop them from assuming Linux fans will host their games via dedicated servers though. I'm still a little pissed off that they think Linux is good enough to host their games but not worthy of a client. This is just more of the same old excellent community support from Valve.

    --
    "God is a comedian playing to an audience too afraid to laugh." -Voltaire
    1. Re:Not good enough by ceejayoz · · Score: 3, Insightful

      Most Windows-only games have Linux servers - the added stability is beneficial for a server (and most rent-a-server places have Linux, anyways) but not necessary for just the game client.

      I imagine it's substantially easier to code a cross-platform server than it is to code a similar client.

    2. Re:Not good enough by Hard_Code · · Score: 4, Interesting

      "They still haven't fixed VAC (valve anti-cheat) so wine users can play Half-Life."

      And why should they burn money supporting a niche customer base which either 1) won't pay for software or 2) already has a copy of the windows version of a game that is OVER FIVE YEARS OLD? There are like, 3 people that play half life through wine.

      "This doesn't stop them from assuming Linux fans will host their games via dedicated servers though. I'm still a little pissed off that they think Linux is good enough to host their games but not worthy of a client."

      They don't assume shit. Linux is a popular server operating system that is run by MANY hosting services, so naturally they would port the dedicated server to linux. The dedicated server is much easier to port than the full blown client with graphics (duh).

      "This is just more of the same old excellent community support from Valve."

      Let's see:

      * publish half life sdk with tools, source, and documentation
      * maintain strong mod community relationships with valve-erc website
      * support popular mods: socially, technically, financially, etc.
      * listen to the incessent bitching of every kiddie who wants something for nothing

      Yeah, I'd say it is excellent support. Quityerbitchin.

      --

      It's 10 PM. Do you know if you're un-American?
    3. Re:Not good enough by sevensharpnine · · Score: 3, Insightful

      My problem is that Valve thinks it's cool for me to run a server for their game even though I can't play it. That bugs me. I can respect that the financial decision to make a client might not be a great idea today, but there was certainly a time when it would have made sense. I, along with many others, would happily pay for a Linux client. I never once said they should do it for free. I don't expect things like that from game companies. As far as fixing wine, that might take a precious hour or two away from their team. Or they could have told people roughly how VAC would work client-side so the wine team and contributors could work around it.

      As far as your other points, I think you need to sit back and take a look at just what you're defending. The SDK was cool, fine, but the financial support was simply good business. I have no doubt that they've made far more money from CS, DOD, etc. than they've given in financial support. The mod community has contributed significantly to the success of Half-Life.

      Valve has set up a very complex network of mod developers to make money off of. I don't think you have the tools to realize it at this point, but you're being strung around like some corporate fanboy tool. Valve has very carefully crafted themselves in this we're-just-like-you-gamers image. In turn, they receive untold amount of defense from almost all of their fans. I hate to tell you this, but Valve honestly doesn't care about you or the mod community. As long as it's profitable, they'll continue on as they have been. This isn't necessarily wrong, mind you, but I see no reason for you to champion them as this gracious benefactor to the gaming industry. In reality, they're a business out to make money.

      Even though I'm complaining about Valve, this argument could be applied to almost any big game company. I've just been dissapointed in the way things have been turning out lately. Games are watered-down to be "accessible" to as many people as possible. Slick advertisements and clever lures get massive amounts of people to pre-order games they haven't even played. Corporate branding creates legions of blind fanboys running about the 'net exalting their favorite companies. I'm not asking for anything too big here. I'd just like to see a few more companies that genuinely care about their fans and strive for positive long-term relationships and not this short-term profitability. Valve could have been one of them. Unfortunately, success killed them.

      --
      "God is a comedian playing to an audience too afraid to laugh." -Voltaire
  3. Hehe..."security researcher" by 0x0d0a · · Score: 3, Funny

    There's a lot of "security researcher"s out there. :-)

    --
    May we never see th
  4. Patch Status by BrookHarty · · Score: 4, Insightful

    When I saw the news on Bugtrack, i posted the information on planethalflife forums and a few other places. Was rather surprised that nobody posted it on the HL forums.

    And all those "HL is old" posts, "let it die", are posted by morons. CompuUSA has HL selling for 45 bux for the entire collection. They are selling the collections and still making money! The Mods alone make the HL series worth the money. Day of defeat just came out, and it rocks, the mod even made its own release like CounterStrike.

    Gamespy reports that 27,000+ HL servers are running, compare that to Tribes at 700. The game is STILL selling, no reason not to patch an active cash cow. I respect Valve for supporting us, after a bad experience on Tribes2 support, Sierra needs some good karma.

    BTW, Natural Selection HL mod rocks. Too bad its not well known. (Think AVP+Tribes+CC+WC3)