Debian Bug report logs - #174924
xboing is locally exploitable - can gain an setgid(games) shell.


Package: xboing; Maintainer for xboing is Debian Games Team <pkg-games-devel@lists.alioth.debian.org>; Source for xboing is src:xboing.

Reported by: Steve Kemp <skx@tardis.ed.ac.uk>

Date: Wed, 1 Jan 2003 16:33:01 UTC

Severity: grave

Tags: fixed, patch, security, upstream

Found in version 2.4-26

Fixed in version xboing/2.4-28

Done: Sam Hocevar (Debian packages) <sam+deb@zoy.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Alexander Kotelnikov <sacha@debian.org>, xboing@packages.qa.debian.org:
Bug#174924; Package xboing.

Acknowledgement sent to Steve Kemp <skx@tardis.ed.ac.uk>:
New Bug report received and forwarded. Copy sent to Alexander Kotelnikov <sacha@debian.org>, xboing@packages.qa.debian.org.

Message #5 received at submit@bugs.debian.org:

From: Steve Kemp <skx@tardis.ed.ac.uk>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: xboing is locally exploitable - can gain an setgid(games) shell.
Date: Wed, 01 Jan 2003 16:17:19 +0000
Package: xboing
Version: 2.4-26
Severity: normal
Tags: security upstream patch


xboing
------

  xboing is an attractive game based upon the old
 Breakout, or Arkanoid type games.

  It is available in both Debian stable, and unstable
 distributions.


vulnerability
-------------

  Due to improper bounds checking it is possible for
 a malicious user to gain a shell with membership
 group 'games'.  (The binary is installed setgid games).


details
-------

  Environmental variables are used without being
 bounds-checked in any way, from the source code:

highscore.c:
   /* Use the environment variable if it exists */
   if ((str = getenv("XBOING_SCORE_FILE")) != NULL)
	strcpy(filename, str);
   else
	strcpy(filename, HIGH_SCORE_FILE);

misc.c:
    if ((ptr = getenv("HOME")) != NULL)
        (void) strcpy(dest, ptr);


   Neither of these checks is bounds-checked, and will allow
 arbitrary shell code to be run.

   There are other, similar, pieces of code.  I believe the 
 enclosed patch spots them all.


demonstration
-------------

   The following shell session shows the instruction pointer
 'eip' being overwritten with user supplied data, taken from
 the environmental variable(s).


skx@hell:~$ export XBOING_SCORE_FILE=`perl -e 'print "x" x 5000'`
skx@hell:~$ export HOME=`perl -e 'print "x" x 5000'`
skx@hell:~$ gdb /usr/games/xboing
GNU gdb 5.3-debian
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-linux"...(no debugging symbols found)...
(gdb) r
Starting program: /usr/games/xboing 
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
XBoing - Please wait Steve Kemp, initialising xboing ...
int_snddev: Cannot open sound device 
Can't init soundIt library. yech..
XBoing - Warning: Audio unavailable or not supported.
XBoing - Warning: Cannot open high score file for reading.
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x78787878 in ?? ()
(gdb) info all
eax            0x0      0
ecx            0x0      0
edx            0x0      0
ebx            0x9      9
esp            0xbfffd1d0       0xbfffd1d0
ebp            0x78787878       0x78787878
esi            0x26e    622
edi            0x80f6f28        135229224
eip            0x78787878       0x78787878   <<<<<< Bingo.  Ahem.
eflags         0x10246  66118


patch
-----

  The enclosed patches fix up these improper uses.

Steve
---
# Debian Security Audit Project
http://www.steve.org.uk/Debian/

--- demo.c-orig	2003-01-01 16:11:27.000000000 +0000
+++ demo.c	2003-01-01 16:11:35.000000000 +0000
@@ -154,7 +154,7 @@
 
     /* Construct the demo level filename */
     if ((str = getenv("XBOING_LEVELS_DIR")) != NULL)
-        sprintf(levelPath, "%s/demo.data", str);
+        snprintf(levelPath, sizeof(levelPath),"%s/demo.data", str);
     else
         sprintf(levelPath, "%s/demo.data", LEVEL_INSTALL_DIR);
 
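Review bot: the `snprintf` on the `+` line is only correct if `levelPath` is an array in this scope; if it is a `char *` parameter, `sizeof(levelPath)` is the size of a pointer and the path is cut to a few bytes. The `else` branch keeps `sprintf`, which is acceptable as long as `LEVEL_INSTALL_DIR` is a compile-time constant known to fit, but using `snprintf` on both branches would make the intent obvious to the next reader.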
--- editor.c-orig	2003-01-01 16:10:36.000000000 +0000
+++ editor.c	2003-01-01 16:11:15.000000000 +0000
@@ -213,7 +213,7 @@
 
     /* Construct the Edit level filename */
     if ((str = getenv("XBOING_LEVELS_DIR")) != NULL)
-        sprintf(levelPath, "%s/editor.data", str);
+        snprintf(levelPath,sizeof(levelPath)-1, "%s/editor.data", str);
     else
         sprintf(levelPath, "%s/editor.data", LEVEL_INSTALL_DIR);
 
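Review bot: `sizeof(levelPath)-1` here differs from the plain `sizeof(levelPath)` used in the demo.c and file.c hunks. Both are safe, since `snprintf` always writes the terminating NUL within the size it is given, but the `-1` wastes a byte and suggests the author was thinking of `strncpy` semantics; pick one form for all seven call sites so the next reader does not have to re-derive which one is right.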
@@ -958,8 +958,8 @@
     if ((num > 0) && (num <= MAX_NUM_LEVELS))
     {
 	    /* Construct the Edit level filename */
-   	 	if ((str2 = getenv("XBOING_LEVELS_DIR")) != NULL)
-        	sprintf(levelPath, "%s/level%02ld.data", str2, (u_long) num);
+ 	if ((str2 = getenv("XBOING_LEVELS_DIR")) != NULL)
+        	snprintf(levelPath, sizeof(levelPath)-1,"%s/level%02ld.data", str2, (u_long) num);
     	else
         	sprintf(levelPath, "%s/level%02ld.data", 
 				LEVEL_INSTALL_DIR, (u_long) num);
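Review bot: the `if` line is touched only to change its leading whitespace (tabs versus spaces), which makes the hunk look like a two-line change when only the `sprintf` line matters; a patch that leaves indentation alone is easier to audit and to carry forward. The replacement line is also well over 80 columns; wrapping the format string onto the next line, as the `else` branch already does, keeps the file's existing style.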
@@ -1017,9 +1017,9 @@
     num = atoi(str);
     if ((num > 0) && (num <= MAX_NUM_LEVELS))
     {
-	    /* Construct the Edit level filename */
-   	 	if ((str2 = getenv("XBOING_LEVELS_DIR")) != NULL)
-        	sprintf(levelPath, "%s/level%02ld.data", str2, (u_long) num);
+        /* Construct the Edit level filename */
+ 	if ((str2 = getenv("XBOING_LEVELS_DIR")) != NULL)
+        	snprintf(levelPath, sizeof(levelPath)-1,"%s/level%02ld.data", str2, (u_long) num);
     	else
         	sprintf(levelPath, "%s/level%02ld.data", 
 				LEVEL_INSTALL_DIR, (u_long) num);
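Review bot: as in the previous hunk, the comment and `if` lines change only in whitespace. Since this block duplicates the one at line 958 almost verbatim, the cleaner fix is a single helper that builds the level path and checks the `snprintf` return value, called from both places, so the bounds check cannot drift between copies.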
--- file.c-orig	2003-01-01 16:11:50.000000000 +0000
+++ file.c	2003-01-01 16:11:58.000000000 +0000
@@ -139,7 +139,7 @@
 
     /* Construct the level filename */
     if ((str = getenv("XBOING_LEVELS_DIR")) != NULL)
-        sprintf(levelPath, "%s/level%02ld.data", str, newLevel);
+        snprintf(levelPath,sizeof(levelPath), "%s/level%02ld.data", str, newLevel);
     else
         sprintf(levelPath, "%s/level%02ld.data", LEVEL_INSTALL_DIR, newLevel);
 
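Review bot: the return value of `snprintf` is discarded, so an `XBOING_LEVELS_DIR` long enough to truncate the path goes unreported and the game silently opens a different file; `snprintf` returns the length the full string would have needed, so `if (n >= sizeof(levelPath))` after this line is enough to detect the case and fall back to the installed directory or bail out.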
--- highscore.c-orig	2003-01-01 16:08:42.000000000 +0000
+++ highscore.c	2003-01-01 16:09:22.000000000 +0000
@@ -1023,7 +1023,7 @@
 	{
 		/* Use the environment variable if it exists */
 		if ((str = getenv("XBOING_SCORE_FILE")) != NULL)
-			strcpy(filename, str);
+			strncpy(filename, str, sizeof(filename)-1);
 		else
 			strcpy(filename, HIGH_SCORE_FILE);
 	}
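Review bot: `strncpy(filename, str, sizeof(filename)-1)` writes no terminating NUL when `str` is `sizeof(filename)-1` bytes or longer, so unless `filename` is known to be zero-filled every later use of it as a string reads past the end of the buffer; add `filename[sizeof(filename)-1] = '\0';` after the copy (the same applies to the two following highscore.c hunks at 1095 and 1218, and to the misc.c hunk). Better still, check `strlen(str) < sizeof(filename)` and ignore the variable otherwise: a truncated score-file path names a different file, not the one the user asked for.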
@@ -1095,7 +1095,7 @@
 	{
 		/* Use the environment variable if it exists */
 		if ((str = getenv("XBOING_SCORE_FILE")) != NULL)
-			strcpy(filename, str);
+			strncpy(filename, str, sizeof(filename)-1);
 		else
 			strcpy(filename, HIGH_SCORE_FILE);
 	}	
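Review bot: needs the same explicit NUL termination as the hunk at 1023. This block now appears three times in highscore.c with identical logic; one helper that validates `XBOING_SCORE_FILE` once and returns the chosen path would keep the length check in a single place.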
@@ -1218,7 +1218,7 @@
 
 	/* Use the environment variable if it exists */
 	if ((str = getenv("XBOING_SCORE_FILE")) != NULL)
-		strcpy(filename, str);
+		strncpy(filename, str, sizeof(filename)-1);
 	else
 		strcpy(filename, HIGH_SCORE_FILE);
 
--- misc.c-orig	2003-01-01 16:12:15.000000000 +0000
+++ misc.c	2003-01-01 16:12:35.000000000 +0000
@@ -431,7 +431,7 @@
      */
 
     if ((ptr = getenv("HOME")) != NULL)
-        (void) strcpy(dest, ptr);
+        (void) strncpy(dest, ptr,sizeof(dest)-1);
     else
     {
         /* HOME variable is not present so get USER var */
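Review bot: the hunk does not show how `dest` is declared; if it is a `char *` parameter of the enclosing function (the lines shown read like a helper that fills a caller's buffer), `sizeof(dest)` is the size of a pointer and this change truncates `$HOME` to three bytes, silently breaking every path built from it. Either pass the destination size into the function or, if `dest` really is a local array, add the missing NUL termination as noted for the highscore.c hunks.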
--- preview.c-orig	2003-01-01 16:10:16.000000000 +0000
+++ preview.c	2003-01-01 16:10:23.000000000 +0000
@@ -139,7 +139,7 @@
 
     /* Construct the Preview level filename */
     if ((str = getenv("XBOING_LEVELS_DIR")) != NULL)
-        sprintf(levelPath, "%s/level%02d.data", str, lnum);
+        snprintf(levelPath, sizeof(levelPath)-1, "%s/level%02d.data", str, lnum);
     else
         sprintf(levelPath, "%s/level%02d.data", LEVEL_INSTALL_DIR, lnum);
 
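Review bot: this call site uses `%02d` with `lnum` where file.c and editor.c use `%02ld` with a `long`; not a problem introduced by this patch, but a single path-building helper taking a `long` would remove the format-string drift along with the repeated bounds logic. The `sizeof(levelPath)-1` inconsistency noted for editor.c applies here too.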

-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux hell.my.flat 2.4.19 #7 Fri Aug 16 23:28:59 BST 2002 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages xboing depends on:
ii  libc6                         2.3.1-8    GNU C Library: Shared libraries an
ii  xlibs                         4.2.1-4    X Window System client libraries

-- no debconf information
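As an added example (not xboing code and not part of the report above), the same environment-variable copies done with a length check that rejects over-long values instead of truncating them, plus a small demonstration of why the patch's `strncpy(..., sizeof(buf)-1)` idiom still needs an explicit terminator; the score-file default path is a placeholder, not xboing's real `HIGH_SCORE_FILE`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy an untrusted string (e.g. an environment variable) into a fixed buffer.
 * Returns 0 on success, -1 if it does not fit; dest is always NUL-terminated. */
static int copy_bounded(char *dest, size_t destsz, const char *src)
{
    size_t n = src ? strlen(src) : 0;
    if (dest == NULL || destsz == 0 || n >= destsz) {  /* needs n+1 bytes */
        if (dest && destsz) dest[0] = '\0';
        return -1;
    }
    memcpy(dest, src ? src : "", n + 1);
    return 0;
}

/* Like the patched file.c, but a truncated path is an error, not a wrong file. */
static int level_path(char *dest, size_t destsz, const char *dir, long num)
{
    int n = snprintf(dest, destsz, "%s/level%02ld.data", dir, num);
    if (n < 0 || (size_t)n >= destsz) {   /* snprintf returns the full length */
        dest[0] = '\0';
        return -1;
    }
    return 0;
}

/* Why strncpy(dest, src, sizeof(dest)-1) alone is not enough: when src is that
 * long or longer no NUL is written.  Returns 1 if the copy is unterminated. */
static int strncpy_left_unterminated(const char *src)
{
    char buf[8];
    memset(buf, 'A', sizeof(buf));        /* stale stack contents, no NUL */
    strncpy(buf, src, sizeof(buf) - 1);
    return memchr(buf, '\0', sizeof(buf)) == NULL;
}

int main(void)
{
    char filename[256];
    const char *str = getenv("XBOING_SCORE_FILE");   /* as in highscore.c */
    if (str == NULL) str = "/tmp/xboing.score";      /* placeholder default */
    if (copy_bounded(filename, sizeof(filename), str) != 0) {
        fputs("XBOING_SCORE_FILE is too long, refusing to use it\n", stderr);
        return 1;
    }
    printf("score file: %s\n", filename);
    return 0;
}
```

Run with the report's `export XBOING_SCORE_FILE=$(perl -e 'print "x" x 5000')` and the program refuses the value instead of crashing.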




Severity set to `grave'. Request was from Matt Zimmerman <mdz@debian.org> to control@bugs.debian.org.

Tags added: fixed. Request was from Matt Zimmerman <mdz@debian.org> to control@bugs.debian.org.

Reply sent to Sam Hocevar (Debian packages) <sam+deb@zoy.org>:
You have taken responsibility.

Notification sent to Steve Kemp <skx@tardis.ed.ac.uk>:
Bug acknowledged by developer.

Message #14 received at 174924-close@bugs.debian.org:

From: Sam Hocevar (Debian packages) <sam+deb@zoy.org>
To: 174924-close@bugs.debian.org
Subject: Bug#174924: fixed in xboing 2.4-28
Date: Tue, 30 May 2006 07:02:22 -0700
Source: xboing
Source-Version: 2.4-28

We believe that the bug you reported is fixed in the latest version of
xboing, which is due to be installed in the Debian FTP archive:

xboing_2.4-28.diff.gz
  to pool/main/x/xboing/xboing_2.4-28.diff.gz
xboing_2.4-28.dsc
  to pool/main/x/xboing/xboing_2.4-28.dsc
xboing_2.4-28_i386.deb
  to pool/main/x/xboing/xboing_2.4-28_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 174924@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sam Hocevar (Debian packages) <sam+deb@zoy.org> (supplier of updated xboing package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Tue, 30 May 2006 12:43:58 +0200
Source: xboing
Binary: xboing
Architecture: source i386
Version: 2.4-28
Distribution: unstable
Urgency: low
Maintainer: Debian Games Team <pkg-games-devel@lists.alioth.debian.org>
Changed-By: Sam Hocevar (Debian packages) <sam+deb@zoy.org>
Description: 
 xboing     - blockout game for X
Closes: 141656 174924 230617 235599 333286 346791 367840
Changes: 
 xboing (2.4-28) unstable; urgency=low
 .
   * New maintainer.
   * Maintainer upload.
   * Acknowledge previous NMUs (Closes: #141656, #333286, #235599, #230617,
     Closes: #367840, #346791, #174924). Thanks to Marc 'HE' Brockschmidt
     and Steve Kemp.
 .
   * Moved packaging to the Debian Games Team.
   * Use quilt for patch management.
   * debian/control:
     + Build-depend on quilt.
     + Removed deprecated conflict with suidmanager.
     + Uncapitalised short description.
   * debian/rules:
     + Use dh_installman instead of dh_installmanpages.
     + Ship the executable root:root 0755, it is changed in the postinst
       script instead.
     + Fixed bashisms in the package rules.
Files: 
 25361a3821d1b2a2e0591fc209d13aff 696 games optional xboing_2.4-28.dsc
 b11f5832233771a479dd7b2c1e664348 17370 games optional xboing_2.4-28.diff.gz
 020100d9ffcb249db623a63a420d3ae5 512218 games optional xboing_2.4-28_i386.deb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 22:18:48 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 07:40:46 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.