Report forwarded to debian-bugs-dist@lists.debian.org, Eric Van Buggenhaut <ericvb@debian.org>: Bug#203541; Package crafty.
Acknowledgement sent to Steve Kemp <skx@debian.org>:
New Bug report received and forwarded. Copy sent to Eric Van Buggenhaut <ericvb@debian.org>.
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: crafty.bin locally exploitable to gain gid 'games'.
Date: Wed, 30 Jul 2003 20:15:57 +0100
Package: crafty
Version: 19.1-1
Severity: normal
Tags: security upstream patch
Intro
-----
crafty is the strong chess program played on ICC.
It installs a file 'crafty.bin' upon both Debian Stable, and Debian
unstable as setgid games:
skx@hell:~$ ls -l /usr/games/crafty*
-rwxr-xr-x 1 root root 384 Dec 17 2002 /usr/games/crafty
-rwxr-sr-x 1 root games 1128712 Dec 17 2002 /usr/games/crafty.bin
Problems
--------
The setgid file, crafty.bin, contains a pair of flaws in its command
line handling.
Both flaws are essentially the same, and involve a lack of bounds checking
on the arguments supplied by the user.
Either of these flaws allows a malicious local user to gain group 'games'
permissions.
From main.c:2901

    else if (strstr(argv[i],"path")) {
      strcpy(buffer,argv[i]);
      result=Option(tree);
      if (result == 0)
        printf("ERROR \"%s\" is unknown command-line option\n",buffer);
      display=tree->pos;
    }
main.c:2934

    if (argc > 1) {
      for (i=1;i<argc;i++) if (strcmp(argv[i],"c"))
        if ((argv[i][0]<'0' || argv[i][0] > '9') &&
            !strstr(argv[i],"path")) {
          strcpy(buffer,argv[i]);
          result=Option(tree);
          if (result == 0)
            printf("ERROR \"%s\" is unknown command-line option\n",buffer);
        }
    }
Exploit
-------
Sample exploit code for the first issue is available upon request,
I've not included it here as it's not terribly interesting.
Fixes
-----
The supplied diff, which has been compiled and tested, will close
both these issues.
Steve
---
www.steve.org.uk
-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux hell.my.flat 2.4.21 #1 Fri Jun 13 21:42:54 BST 2003 i686
Locale: LANG=C, LC_CTYPE=C
Versions of packages crafty depends on:
ii libc6 2.3.1-17 GNU C Library: Shared libraries an
-- no debconf information
--- main.c-orig 2003-07-30 19:57:32.000000000 +0100
+++ main.c 2003-07-30 19:58:13.000000000 +0100
@@ -2982,7 +2982,8 @@
i++;
}
else if (strstr(argv[i],"path")) {
- strcpy(buffer,argv[i]);
+ memset(buffer,'\0',sizeof(buffer));
+ strncpy(buffer,argv[i],sizeof(buffer)-1);
result=Option(tree);
if (result == 0)
printf("ERROR \"%s\" is unknown command-line option\n",buffer);
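Review bot: the new `strncpy(buffer,argv[i],sizeof(buffer)-1)` is only a real bound if `buffer` is a fixed-size array declared in this scope; if it is a pointer (a parameter or `char *buffer`), `sizeof(buffer)` is the pointer width and the copy silently shrinks to a few bytes, so the declaration should be confirmed in the same change. Consider also checking `strlen(argv[i]) >= sizeof(buffer)` and reporting it through the existing `ERROR ... unknown command-line option` path instead of truncating, since a truncated argument is still handed to `Option(tree)` as if it were what the user typed.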
@@ -3014,7 +3015,8 @@
for (i=1;i<argc;i++) if (strcmp(argv[i],"c"))
if ((argv[i][0]<'0' || argv[i][0] > '9') &&
!strstr(argv[i],"path")) {
- strcpy(buffer,argv[i]);
+ memset(buffer,'\0',sizeof(buffer));
+ strncpy(buffer,argv[i],sizeof(buffer)-1);
result=Option(tree);
if (result == 0)
printf("ERROR \"%s\" is unknown command-line option\n",buffer);
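Review bot: this hunk repeats the same two-line `memset` + `strncpy` sequence from the first hunk at a second call site, so the bounding rule now has to be kept in sync in two places. Suggest a small static helper taking `buffer`, `sizeof(buffer)` and `argv[i]`, called from both sites; that also keeps the terminating-NUL guarantee (the `memset` before a `sizeof(buffer)-1` copy) in one spot where it can be reviewed once.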
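The report above describes an unbounded strcpy of argv[i] into a fixed buffer, and the attached patch replaces it with a truncating copy. The following is an added example, not crafty's code and not Steve Kemp's patch: it places a length-checking copy (which rejects an over-long argument) next to a truncating copy equivalent to the patch, and runs both over a constructed argv. OPTION_BUF_SIZE, copy_option_checked, copy_option_truncating and process_args are hypothetical names; the real size of `buffer` in main.c is not shown in the report, and "path=/tmp/books" is a constructed argument, not a documented crafty option.

```c
/* Added example (not crafty's code): bounded handling of a command-line
 * argument before it is copied into a fixed-size buffer.  All names here
 * are hypothetical; OPTION_BUF_SIZE stands in for sizeof(buffer) in main.c. */
#define _POSIX_C_SOURCE 200809L   /* for strnlen */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define OPTION_BUF_SIZE 64   /* assumed size; crafty's real buffer size is not in the report */

/* Hardened form: refuse arguments that do not fit instead of writing past
 * the end (the original strcpy) or silently shortening them.
 * Returns 0 on success, -1 if the argument is missing or too long. */
int copy_option_checked(char *buf, size_t bufsz, const char *arg)
{
    size_t len;
    if (buf == NULL || bufsz == 0 || arg == NULL)
        return -1;
    len = strnlen(arg, bufsz);   /* never scans further than the buffer could hold */
    if (len >= bufsz)            /* need one byte for the terminator */
        return -1;
    memcpy(buf, arg, len + 1);   /* copies the terminator as well */
    return 0;
}

/* Truncating form, equivalent to the memset + strncpy in the submitted patch:
 * never overflows, but an over-long argument is accepted in shortened form.
 * Returns 1 if truncation happened, 0 otherwise, -1 on bad input. */
int copy_option_truncating(char *buf, size_t bufsz, const char *arg)
{
    if (buf == NULL || bufsz == 0 || arg == NULL)
        return -1;
    memset(buf, '\0', bufsz);            /* guarantees a terminating NUL */
    strncpy(buf, arg, bufsz - 1);
    return strnlen(arg, bufsz) > bufsz - 1;
}

/* Mirrors the argv loop in main.c: each argument is bounded before use.
 * Returns the number of accepted arguments; *rejected counts refused ones. */
int process_args(int argc, char **argv, int *rejected)
{
    char buffer[OPTION_BUF_SIZE];
    int i, accepted = 0;
    *rejected = 0;
    for (i = 1; i < argc; i++) {
        if (copy_option_checked(buffer, sizeof(buffer), argv[i]) != 0) {
            fprintf(stderr, "ERROR: argument %d longer than %zu bytes, ignored\n",
                    i, sizeof(buffer) - 1);
            (*rejected)++;
            continue;
        }
        /* crafty would call Option(tree) here with buffer filled in */
        accepted++;
    }
    return accepted;
}

int main(void)
{
    /* constructed arguments: one ordinary option, one far too long for the buffer */
    char longarg[OPTION_BUF_SIZE * 4];
    char *argv[4];
    int rejected, accepted;

    memset(longarg, 'A', sizeof(longarg) - 1);
    longarg[sizeof(longarg) - 1] = '\0';
    argv[0] = "crafty.bin";
    argv[1] = "path=/tmp/books";   /* constructed sample, not a documented option */
    argv[2] = longarg;
    argv[3] = NULL;

    accepted = process_args(3, argv, &rejected);
    printf("accepted=%d rejected=%d\n", accepted, rejected);
    return 0;
}
```

The checking variant is the one to prefer for a setgid binary: an argument that does not fit is an error, not something to be quietly shortened and then interpreted.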
Information forwarded to debian-bugs-dist@lists.debian.org, Eric Van Buggenhaut <ericvb@debian.org>: Bug#203541; Package crafty.
Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Eric Van Buggenhaut <ericvb@debian.org>.
We believe that the bug you reported is fixed in the latest version of
crafty, which is due to be installed in the Debian FTP archive:
crafty_19.3-1.diff.gz
to pool/non-free/c/crafty/crafty_19.3-1.diff.gz
crafty_19.3-1.dsc
to pool/non-free/c/crafty/crafty_19.3-1.dsc
crafty_19.3-1_i386.deb
to pool/non-free/c/crafty/crafty_19.3-1_i386.deb
crafty_19.3.orig.tar.gz
to pool/non-free/c/crafty/crafty_19.3.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 203541@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Eric Van Buggenhaut <ericvb@debian.org> (supplier of updated crafty package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sat, 2 Aug 2003 04:14:34 +0200
Source: crafty
Binary: crafty
Architecture: source i386
Version: 19.3-1
Distribution: unstable
Urgency: low
Maintainer: Eric Van Buggenhaut <ericvb@debian.org>
Changed-By: Eric Van Buggenhaut <ericvb@debian.org>
Description:
crafty - State-of-the-art chess engine, compatible with xboard
Closes: 203179 203541
Changes:
crafty (19.3-1) unstable; urgency=low
.
* New upstream release
* fixed security hole (CAN-2003-0612) in main.c (closes: #203541)
thus priority set to important
* separate i386 and non-i386 build targets (closes: #203179)
Files:
3310b93ff94ebe1dcaef4e823fb20aed 561 non-free/games important crafty_19.3-1.dsc
e575101ac28e94bbf0eb4e230edeacb9 380988 non-free/games important crafty_19.3.orig.tar.gz
4cead34dc4a369d2c7594cb729b4c990 41772 non-free/games important crafty_19.3-1.diff.gz
e67ef20df57ec4e18e81722ae35b4948 349502 non-free/games important crafty_19.3-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)
iD8DBQE/LF8A4VLuWbCehTARAhL0AJ4+eRYtO2X2GwSd8PhaBFL0M7/0RACgn1E+
ZuNWkYC9EjwEfB7OG70D2Uo=
=DYl8
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Eric Van Buggenhaut <ericvb@debian.org>: Bug#203541; Package crafty.
Acknowledgement sent to Eric.VanBuggenhaut@AdValvas.be:
Extra info received and forwarded to list. Copy sent to Eric Van Buggenhaut <ericvb@debian.org>.
On Wed, Jul 30, 2003 at 10:53:19PM -0400, Matt Zimmerman wrote:
> This is now CAN-2003-0612.
>
Thanks for informing.
At the moment this advisory is under review, I can't get any detail from
the CVE web page. My question is: how do I inform CVE that the bug has
been fixed in a new upload?
Cheers,
--
Eric VAN BUGGENHAUT
ericvb@debian.org
Information forwarded to debian-bugs-dist@lists.debian.org, Eric Van Buggenhaut <ericvb@debian.org>: Bug#203541; Package crafty.
Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Eric Van Buggenhaut <ericvb@debian.org>.
On Sun, Aug 03, 2003 at 04:14:17AM +0200, Eric Van Buggenhaut wrote:
> On Wed, Jul 30, 2003 at 10:53:19PM -0400, Matt Zimmerman wrote:
> > This is now CAN-2003-0612.
>
> Thanks for informing.
>
> At the moment this advisory is under review, I can't get any detail from
> the CVE web page. My question is: how do I inform CVE that the bug has
> been fixed in a new upload?
CVE does not attempt to exhaustively catalogue which versions and packages
are affected, only to standardize a set of names for known vulnerabilities
so that they can be cross-referenced.
http://cve.mitre.org/about/
So, it is not necessary to send this kind of information to CVE. Since I
forwarded them the original bug report, the entry for CAN-2003-0612 should
contain a reference to this bug report once it is publicized.
Thanks for fixing the bug.
--
- mdz
We believe that the bug you reported is fixed in the latest version of
lsb, which is due to be installed in the Debian FTP archive:
lsb_1.3-3.dsc
to pool/main/l/lsb/lsb_1.3-3.dsc
lsb_1.3-3.tar.gz
to pool/main/l/lsb/lsb_1.3-3.tar.gz
lsb_1.3-3_all.deb
to pool/main/l/lsb/lsb_1.3-3_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 203541@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Chris Lawrence <lawrencc@debian.org> (supplier of updated lsb package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Fri, 8 Aug 2003 18:13:08 -0400
Source: lsb
Binary: lsb
Architecture: source all
Version: 1.3-3
Distribution: unstable
Urgency: low
Maintainer: Chris Lawrence <lawrencc@debian.org>
Changed-By: Chris Lawrence <lawrencc@debian.org>
Description:
lsb - Linux Standard Base 1.3 core support package
Closes: 202692 203541 203545
Changes:
lsb (1.3-3) unstable; urgency=low
.
* Depend on pax. (Closes: #203545)
* Add ld.so symlink for ia64. (Closes: #203541)
* Improved French translation. (Closes: #202692)
Files:
dd70616f8a8d37c5cd9e531886af8d9a 804 misc extra lsb_1.3-3.dsc
3d20e831191e1e47ce91e5d7dec798d3 19847 misc extra lsb_1.3-3.tar.gz
1a07b8e9bbf305dfa3c3c29e3fe8794a 20944 misc extra lsb_1.3-3_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
iQEXAwUBPzQgkVxpg5e5AmZiFAJTrwQAoiCnblUutoCR/AMlt/pg8Vu4xRVnO5SQ
I8iz9G8Bm+2rHzc8EhEwTnZgRq1aQ6AZiz5erSWZyO5fGhxyw5D7/RhRukMv3zpc
TMi4BiYS/QOWlhS9PmowgaBreg1tZydAi5Tw4phDWbdUOqKFbOk9CHJxbMvjEpnT
19VzvTroVcMEALXP+2qTgWpfiObVN4MyLn34UNxETL5KeKPbehvwnDBvN8PKjf3a
QzmSQk69yIhZFgrrOzY9jR567+8BI0C2gQwzv4nWm1tSqcaPar2eGAxQluIivo83
J6dpwYpVZ61Q16/vWvhHX91AiOb53vyp7AsoLxFs6imXCEl1V+68Ic8R
=SUYV
-----END PGP SIGNATURE-----
Bug reopened, originator not changed.
Request was from Chris Lawrence <lawrencc@debian.org>
to control@bugs.debian.org.
Bug closed, send any further explanations to Steve Kemp <skx@debian.org>
Request was from Eric Van Buggenhaut <ericvb@debian.org>
to control@bugs.debian.org.