Debian Bug report logs - #203541
crafty.bin locally exploitable to gain gid 'games'.


Package: crafty; Maintainer for crafty is Debian Games Team <pkg-games-devel@lists.alioth.debian.org>; Source for crafty is src:crafty (PTS, buildd, popcon).

Reported by: Steve Kemp <skx@debian.org>

Date: Wed, 30 Jul 2003 19:33:03 UTC

Severity: critical

Tags: patch, security, upstream

Found in version 19.1-1

Fixed in versions crafty/19.3-1, lsb/1.3-3

Done: Eric.VanBuggenhaut@AdValvas.be

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Eric Van Buggenhaut <ericvb@debian.org>:
Bug#203541; Package crafty.


Acknowledgement sent to Steve Kemp <skx@debian.org>:
New Bug report received and forwarded. Copy sent to Eric Van Buggenhaut <ericvb@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Steve Kemp <skx@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: crafty.bin locally exploitable to gain gid 'games'.
Date: Wed, 30 Jul 2003 20:15:57 +0100
Package: crafty
Version: 19.1-1
Severity: normal
Tags: security upstream patch



Intro
-----

  crafty is the strong chess program played on ICC.

  It installs a file 'crafty.bin' upon both Debian Stable, and Debian
 unstable as setgid games:


skx@hell:~$ ls -l /usr/games/crafty*
-rwxr-xr-x    1 root     root          384 Dec 17  2002 /usr/games/crafty
-rwxr-sr-x    1 root     games     1128712 Dec 17  2002 /usr/games/crafty.bin


Problems
--------

  The setgid file, crafty.bin, contains a pair of flaws in its command
 line handling.

  Both flaws are essentially the same, and involve a lack of bounds checking
 on the arguments supplied by the user.
  Either of these flaws allows a malicious local user to gain group 'games'
 permissions.


  From main.c:2901
      else if (strstr(argv[i],"path")) {
        strcpy(buffer,argv[i]);
        result=Option(tree);
        if (result == 0)
          printf("ERROR \"%s\" is unknown command-line option\n",buffer);
        display=tree->pos;
      }


  main.c:2934
      if (argc > 1) {
        for (i=1;i<argc;i++) if (strcmp(argv[i],"c"))
          if ((argv[i][0]<'0' || argv[i][0] > '9') &&
              !strstr(argv[i],"path")) {
            strcpy(buffer,argv[i]);
            result=Option(tree);
            if (result == 0)
              printf("ERROR \"%s\" is unknown command-line option\n",buffer);
          }
      }


Exploit
-------

  Sample exploit code for the first issue is available upon request,
 I've not included it here as it's not terribly interesting.


Fixes
-----

  The supplied diff, which has been compiled and tested, will close 
 both these issues.


Steve
---
www.steve.org.uk




-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux hell.my.flat 2.4.21 #1 Fri Jun 13 21:42:54 BST 2003 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages crafty depends on:
ii  libc6                         2.3.1-17   GNU C Library: Shared libraries an

-- no debconf information



--- main.c-orig	2003-07-30 19:57:32.000000000 +0100
+++ main.c	2003-07-30 19:58:13.000000000 +0100
@@ -2982,7 +2982,8 @@
         i++;
       }
       else if (strstr(argv[i],"path")) {
-        strcpy(buffer,argv[i]);
+	memset(buffer,'\0',sizeof(buffer));
+        strncpy(buffer,argv[i],sizeof(buffer)-1);
         result=Option(tree);
         if (result == 0)
           printf("ERROR \"%s\" is unknown command-line option\n",buffer);
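Review bot: the bounded copy here silently truncates an over-long argument instead of rejecting it: `strncpy(buffer,argv[i],sizeof(buffer)-1)` cuts the string to fit, the cut-down text is then handed to `Option(tree)` as though the user had typed it, and the error message on the next lines prints the truncated `buffer` rather than the original `argv[i]`. Consider testing `strlen(argv[i]) >= sizeof(buffer)` before the copy and reporting that argument as an error. Two smaller points: the added `memset` line is indented with a tab while the surrounding lines use spaces, and `sizeof(buffer)` is only the real capacity if `buffer` is declared as an array in this scope, which the hunk does not show and is worth confirming in the full file.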
@@ -3014,7 +3015,8 @@
     for (i=1;i<argc;i++) if (strcmp(argv[i],"c"))
       if ((argv[i][0]<'0' || argv[i][0] > '9') &&
           !strstr(argv[i],"path")) {
-        strcpy(buffer,argv[i]);
+	memset(buffer,'\0',sizeof(buffer));
+        strncpy(buffer,argv[i],sizeof(buffer)-1);
         result=Option(tree);
         if (result == 0)
           printf("ERROR \"%s\" is unknown command-line option\n",buffer);
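Review bot: this is the second copy of the identical three-line `memset` / `strncpy` / `Option(tree)` sequence, and it carries the same truncate-rather-than-reject behaviour as the first hunk. A small helper that copies one argument into `buffer` and returns failure when it does not fit would keep both sites consistent and make the length check hard to miss if a third call site is ever added. The `memset` line again uses a tab where the file uses spaces.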


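The report's two flaws both come down to copying `argv[i]` into a fixed-size `buffer` with no length check, and the attached diff fixes them by truncating the copy. The following is an added example written for this page (it is not code from the report, from crafty, or from the Debian package): it shows the alternative of rejecting an argument that does not fit and leaving the buffer empty, so that no partial option string ever reaches the option parser. The buffer size `OPTION_BUF_SIZE`, the function names `copy_option`, `process_args`, `option_fits`, `rejected_buffer_is_empty` and `demo_argv_count`, and the sample argument strings are all assumptions made for the example; crafty's real buffer declaration is not shown in the report.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of the option buffer; crafty's real declaration is not shown
   in the report, so this value is a constructed stand-in. */
#define OPTION_BUF_SIZE 64

/* Copy one command-line argument into a bounded buffer. Returns 1 on
   success and 0 when the argument plus its terminating NUL does not fit.
   On failure the buffer is emptied so that a stale or partial option can
   never be handed to the option parser. */
int copy_option(char *buffer, size_t bufsize, const char *arg)
{
    size_t len;
    if (bufsize == 0)
        return 0;
    len = strlen(arg);
    if (len >= bufsize) {          /* no room for len chars plus NUL */
        buffer[0] = '\0';
        return 0;
    }
    memcpy(buffer, arg, len + 1);  /* len + 1 copies the NUL as well */
    return 1;
}

/* Apply the selection rule seen in the report (skip "c" and arguments
   that start with a digit) and copy every remaining argument through
   copy_option. Returns the number of options accepted, or -1 as soon as
   one argument is rejected for length. */
int process_args(int argc, char **argv, char *buffer, size_t bufsize)
{
    int i, accepted = 0;
    for (i = 1; i < argc; i++) {
        if (strcmp(argv[i], "c") == 0)
            continue;
        if (argv[i][0] >= '0' && argv[i][0] <= '9')
            continue;
        if (!copy_option(buffer, bufsize, argv[i])) {
            fprintf(stderr, "ERROR option longer than %zu characters, rejected\n",
                    bufsize - 1);
            return -1;
        }
        accepted++;
    }
    return accepted;
}

/* Probe: does a constructed argument of exactly len characters fit? */
int option_fits(size_t len)
{
    char buffer[OPTION_BUF_SIZE];
    char arg[OPTION_BUF_SIZE * 4];
    if (len >= sizeof arg)
        len = sizeof arg - 1;
    memset(arg, 'A', len);
    arg[len] = '\0';
    return copy_option(buffer, sizeof buffer, arg);
}

/* Returns 1 if a rejected copy left the buffer empty rather than holding
   the previous contents or a truncated prefix. */
int rejected_buffer_is_empty(void)
{
    char buffer[OPTION_BUF_SIZE] = "stale";
    char arg[OPTION_BUF_SIZE + 8];
    memset(arg, 'A', sizeof arg - 1);
    arg[sizeof arg - 1] = '\0';
    copy_option(buffer, sizeof buffer, arg);
    return buffer[0] == '\0';
}

/* Constructed argv: "c" and the digit-led "5" are skipped, the two
   remaining (made-up) option names are copied, so the result is 2. */
int demo_argv_count(void)
{
    char buffer[OPTION_BUF_SIZE];
    char *argv[] = { "crafty", "alpha", "c", "5", "beta", NULL };
    return process_args(5, argv, buffer, sizeof buffer);
}

int main(int argc, char **argv)
{
    char buffer[OPTION_BUF_SIZE];
    int n = process_args(argc, argv, buffer, sizeof buffer);
    printf("%d option(s) accepted\n", n);
    return n < 0 ? 1 : 0;
}
```

The length test is `len >= bufsize` rather than `len > bufsize` because the terminating NUL needs its own byte; an argument of exactly `OPTION_BUF_SIZE - 1` characters is the longest that fits, and one of `OPTION_BUF_SIZE` characters is refused. Rejecting instead of truncating also keeps the error message honest, since the text reported back to the user is the argument as given rather than a shortened copy.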


Information forwarded to debian-bugs-dist@lists.debian.org, Eric Van Buggenhaut <ericvb@debian.org>:
Bug#203541; Package crafty.


Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Eric Van Buggenhaut <ericvb@debian.org>.


Message #10 received at 203541@bugs.debian.org:

From: Matt Zimmerman <mdz@debian.org>
To: 203541@bugs.debian.org
Subject: CVE assignment
Date: Wed, 30 Jul 2003 22:53:19 -0400
This is now CAN-2003-0612.

-- 
 - mdz



Severity set to `critical'. Request was from Eric Van Buggenhaut <ericvb@debian.org> to control@bugs.debian.org.


Reply sent to Eric Van Buggenhaut <ericvb@debian.org>:
You have taken responsibility.


Notification sent to Steve Kemp <skx@debian.org>:
Bug acknowledged by developer.


Message #17 received at 203541-close@bugs.debian.org:

From: Eric Van Buggenhaut <ericvb@debian.org>
To: 203541-close@bugs.debian.org
Subject: Bug#203541: fixed in crafty 19.3-1
Date: Sat, 02 Aug 2003 21:32:20 -0400
We believe that the bug you reported is fixed in the latest version of
crafty, which is due to be installed in the Debian FTP archive:

crafty_19.3-1.diff.gz
  to pool/non-free/c/crafty/crafty_19.3-1.diff.gz
crafty_19.3-1.dsc
  to pool/non-free/c/crafty/crafty_19.3-1.dsc
crafty_19.3-1_i386.deb
  to pool/non-free/c/crafty/crafty_19.3-1_i386.deb
crafty_19.3.orig.tar.gz
  to pool/non-free/c/crafty/crafty_19.3.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 203541@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Eric Van Buggenhaut <ericvb@debian.org> (supplier of updated crafty package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat,  2 Aug 2003 04:14:34 +0200
Source: crafty
Binary: crafty
Architecture: source i386
Version: 19.3-1
Distribution: unstable
Urgency: low
Maintainer: Eric Van Buggenhaut <ericvb@debian.org>
Changed-By: Eric Van Buggenhaut <ericvb@debian.org>
Description: 
 crafty     - State-of-the-art chess engine, compatible with xboard
Closes: 203179 203541
Changes: 
 crafty (19.3-1) unstable; urgency=low
 .
   * New upstream release
   * fixed security hole (CAN-2003-0612) in main.c (closes: #203541)
     thus priority set to important
   * separate i386 and non-i386 build targets (closes: #203179)
Files: 
 3310b93ff94ebe1dcaef4e823fb20aed 561 non-free/games important crafty_19.3-1.dsc
 e575101ac28e94bbf0eb4e230edeacb9 380988 non-free/games important crafty_19.3.orig.tar.gz
 4cead34dc4a369d2c7594cb729b4c990 41772 non-free/games important crafty_19.3-1.diff.gz
 e67ef20df57ec4e18e81722ae35b4948 349502 non-free/games important crafty_19.3-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)

iD8DBQE/LF8A4VLuWbCehTARAhL0AJ4+eRYtO2X2GwSd8PhaBFL0M7/0RACgn1E+
ZuNWkYC9EjwEfB7OG70D2Uo=
=DYl8
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Eric Van Buggenhaut <ericvb@debian.org>:
Bug#203541; Package crafty.


Acknowledgement sent to Eric.VanBuggenhaut@AdValvas.be:
Extra info received and forwarded to list. Copy sent to Eric Van Buggenhaut <ericvb@debian.org>.


Message #22 received at 203541@bugs.debian.org:

From: Eric Van Buggenhaut <ericvb@debian.org>
To: Matt Zimmerman <mdz@debian.org>, 203541@bugs.debian.org
Subject: Re: Bug#203541: CVE assignment
Date: Sun, 3 Aug 2003 04:14:17 +0200
On Wed, Jul 30, 2003 at 10:53:19PM -0400, Matt Zimmerman wrote:
> This is now CAN-2003-0612.
> 

Thanks for informing.

At the moment this advisory is under review, I can't any detail from
CVE web page. My question is: How do I inform CVE that the bug has
been fixed in a new upload ?

Cheers,

-- 
Eric VAN BUGGENHAUT
ericvb@debian.org

Information forwarded to debian-bugs-dist@lists.debian.org, Eric Van Buggenhaut <ericvb@debian.org>:
Bug#203541; Package crafty.


Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Eric Van Buggenhaut <ericvb@debian.org>.


Message #27 received at 203541@bugs.debian.org:

From: Matt Zimmerman <mdz@debian.org>
To: Eric.VanBuggenhaut@AdValvas.be
Cc: 203541@bugs.debian.org
Subject: Re: Bug#203541: CVE assignment
Date: Sat, 2 Aug 2003 22:25:34 -0400
On Sun, Aug 03, 2003 at 04:14:17AM +0200, Eric Van Buggenhaut wrote:

> On Wed, Jul 30, 2003 at 10:53:19PM -0400, Matt Zimmerman wrote:
> > This is now CAN-2003-0612.
> 
> Thanks for informing.
> 
> At the moment this advisory is under review, I can't any detail from
> CVE web page. My question is: How do I inform CVE that the bug has
> been fixed in a new upload ?

CVE does not attempt to exhaustively catalogue which versions and packages
are affected, only to standardize a set of names for known vulnerabilities
so that they can be cross-referenced.

http://cve.mitre.org/about/

So, it is not necessary to send this kind of information to CVE.  Since I
forwarded them the original bug report, the entry for CAN-2003-0612 should
contain a reference to this bug report once it is publicized.

Thanks for fixing the bug.

-- 
 - mdz



Message #28 received at 203541-close@bugs.debian.org:

From: Chris Lawrence <lawrencc@debian.org>
To: 203541-close@bugs.debian.org
Subject: Bug#203541: fixed in lsb 1.3-3
Date: Fri, 08 Aug 2003 18:32:16 -0400
We believe that the bug you reported is fixed in the latest version of
lsb, which is due to be installed in the Debian FTP archive:

lsb_1.3-3.dsc
  to pool/main/l/lsb/lsb_1.3-3.dsc
lsb_1.3-3.tar.gz
  to pool/main/l/lsb/lsb_1.3-3.tar.gz
lsb_1.3-3_all.deb
  to pool/main/l/lsb/lsb_1.3-3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 203541@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lawrence <lawrencc@debian.org> (supplier of updated lsb package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri,  8 Aug 2003 18:13:08 -0400
Source: lsb
Binary: lsb
Architecture: source all
Version: 1.3-3
Distribution: unstable
Urgency: low
Maintainer: Chris Lawrence <lawrencc@debian.org>
Changed-By: Chris Lawrence <lawrencc@debian.org>
Description: 
 lsb        - Linux Standard Base 1.3 core support package
Closes: 202692 203541 203545
Changes: 
 lsb (1.3-3) unstable; urgency=low
 .
   * Depend on pax.  (Closes: #203545)
   * Add ld.so symlink for ia64.  (Closes: #203541)
   * Improved French translation.  (Closes: #202692)
Files: 
 dd70616f8a8d37c5cd9e531886af8d9a 804 misc extra lsb_1.3-3.dsc
 3d20e831191e1e47ce91e5d7dec798d3 19847 misc extra lsb_1.3-3.tar.gz
 1a07b8e9bbf305dfa3c3c29e3fe8794a 20944 misc extra lsb_1.3-3_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iQEXAwUBPzQgkVxpg5e5AmZiFAJTrwQAoiCnblUutoCR/AMlt/pg8Vu4xRVnO5SQ
I8iz9G8Bm+2rHzc8EhEwTnZgRq1aQ6AZiz5erSWZyO5fGhxyw5D7/RhRukMv3zpc
TMi4BiYS/QOWlhS9PmowgaBreg1tZydAi5Tw4phDWbdUOqKFbOk9CHJxbMvjEpnT
19VzvTroVcMEALXP+2qTgWpfiObVN4MyLn34UNxETL5KeKPbehvwnDBvN8PKjf3a
QzmSQk69yIhZFgrrOzY9jR567+8BI0C2gQwzv4nWm1tSqcaPar2eGAxQluIivo83
J6dpwYpVZ61Q16/vWvhHX91AiOb53vyp7AsoLxFs6imXCEl1V+68Ic8R
=SUYV
-----END PGP SIGNATURE-----




Bug reopened, originator not changed. Request was from Chris Lawrence <lawrencc@debian.org> to control@bugs.debian.org.


Bug closed, send any further explanations to Steve Kemp <skx@debian.org>. Request was from Eric Van Buggenhaut <ericvb@debian.org> to control@bugs.debian.org.




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 01:32:41 2025; Machine Name: buxtehude
