Half-Life 1.1.0.8 Security Leak

A post on Planet Half-Life points the way to a security alert on SecurityFocus with word on a hole in the new Half-Life release that, in a reverse of the norm, could allow a server to exploit the client. The report says: "Valve Software was contacted on September 18, 2001 and informed me it will be fixed in the next patch (presumably v1.1.0.9). They did not believe it to be a serious threat." Here is a bit on the nature of the problem:
By running the command with around 128 characters it is possible to overflow the buffer and execute arbitrary code. While this problem is on the client side it is still a serious issue, since servers have a function named "g_engfuncs.pfnClientCommand" which allows the server to force clients to execute whatever console command they want. This means that this overflow can be exploited remotely by means of this function. A server administrator could easily take advantage of this and exploit clients automatically as they connected to the server.
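
An added example, not Valve's code and not taken from the advisory: the bug class described above (an unbounded copy of a console-command argument into a fixed-size buffer) beside a handler that rejects oversized arguments whether the line was typed locally or pushed by the server. The command name examplecmd, the function names and the 128-byte buffer size are assumptions; the page does not name the affected command.

```c
#include <stdio.h>
#include <string.h>

#define CMD_ARG_BUF 128   /* assumed size, from "around 128 characters" */

/* Vulnerable pattern, shown for contrast and never called here. */
void cmd_handler_unsafe(const char *arg)
{
    char buf[CMD_ARG_BUF];
    strcpy(buf, arg);               /* writes past buf when strlen(arg) >= 128 */
    printf("arg = %s\n", buf);
}

/* Hardened handler: bounded length scan, then reject (not truncate) anything
 * that does not fit. Returns 0 on success, -1 if the argument is too long. */
int cmd_handler_safe(const char *arg, char *out, size_t outsz)
{
    size_t n = 0;
    while (n < outsz && arg[n] != '\0')
        n++;
    if (n >= outsz)                 /* no room left for the terminating NUL */
        return -1;
    memcpy(out, arg, n + 1);
    return 0;
}

/* Console entry point. A line may be typed locally or pushed by the server;
 * both paths get the same validation. "examplecmd" is a placeholder name.
 * Returns 0 ok, -1 argument rejected, -2 unknown command. */
int console_execute(const char *line, char *out, size_t outsz)
{
    static const char name[] = "examplecmd ";
    size_t nlen = sizeof(name) - 1;
    if (strncmp(line, name, nlen) != 0)
        return -2;
    return cmd_handler_safe(line + nlen, out, outsz);
}

int main(void)
{
    char out[CMD_ARG_BUF], line[512];
    /* Constructed input: a 200-character argument, as a server-forced line. */
    memset(line, 'A', sizeof(line));
    memcpy(line, "examplecmd ", 11);
    line[11 + 200] = '\0';
    printf("long arg  -> %d\n", console_execute(line, out, sizeof(out)));
    printf("short arg -> %d\n", console_execute("examplecmd hello", out, sizeof(out)));
    return 0;
}
```
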
3.
 
What a load
Sep 24, 2001, 00:51
 
"Valve Software ... did not believe it to be a serious threat."

Of course they're going to say that. They have the biggest multiplayer game in history, they wouldn't say anything that might jeopardize that status, no matter how the exploit can be used.
