Debian Bug report logs - #203707
atari800 allows local root compromise.


Package: atari800; Maintainer for atari800 is Antonin Kral <A.Kral@sh.cvut.cz>; Source for atari800 is src:atari800.

Reported by: Steve Kemp <skx@debian.org>

Date: Thu, 31 Jul 2003 23:18:04 UTC

Severity: critical

Tags: patch, security, upstream

Found in version 1.3.0-2

Fixed in version atari800/1.3.1-2

Done: Dale Scheetz (Dwarf #1) <dwarf@polaris.net>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Dale Scheetz (Dwarf #1) <dwarf@polaris.net>:
Bug#203707; Package atari800. Full text and rfc822 format available.

Acknowledgement sent to Steve Kemp <skx@debian.org>:
New Bug report received and forwarded. Copy sent to Dale Scheetz (Dwarf #1) <dwarf@polaris.net>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Steve Kemp <skx@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: atari800 allows local root compromise.
Date: Fri, 01 Aug 2003 00:12:03 +0100
Package: atari800
Version: 1.3.0-2
Severity: grave
Tags: security upstream patch
Justification: user security hole



Intro
-----

   atari800 is an emulator package for emulating several Atari machines,
 it installs several binaries including the following:

skx@hell:~$ ls /usr/bin/atar* -l
-rwxr-xr-x    1 root     root       253160 May 14 00:28 /usr/bin/atari800
-rwxr-xr-x    1 root     root       246824 May 14 00:28 /usr/bin/atari800.curses
-rwsr-xr-x    1 root     root       243880 May 14 00:28 /usr/bin/atari800.svgalib
-rwxr-xr-x    1 root     root       255240 May 14 00:28 /usr/bin/atari800.x11

   atari800.svgalib is setuid root on both Debian stable and unstable.

  (All these files make use of common command line handling, amongst
 other things).



Problems
--------

  The command line processing of atari800 doesn't perform any bounds
 checking when handling certain command line flags.

  The following is a typical example:

      atari.c:394
		else if (strcmp(argv[i], "-osa_rom") == 0)
			strcpy(atari_osa_filename, argv[++i]);

  No testing to make sure an argument exists, or that the argument
 isn't overflowing the supplied buffer.
 

Exploit
-------

  An exploit was trickier than expected, but possible to write.


Fix
---

  The supplied context diff should close these issues, and add errors
 for when missing arguments are detected.

  However in a piece of software this size it's hard to be sure I've
 spotted everything.


Steve
---
# Debian Security Audit Project
http://www.steve.org.uk/Debian/

-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux hell.my.flat 2.4.21 #1 Fri Jun 13 21:42:54 BST 2003 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages atari800 depends on:
ii  libc6                     2.3.1-17       GNU C Library: Shared libraries an
ii  libncurses5               5.3.20030719-1 Shared libraries for terminal hand
ii  libsdl1.2debian           1.2.5-8        Simple DirectMedia Layer
ii  svgalibg1                 1:1.4.3-13     Console SVGA display libraries
ii  xlibs                     4.2.1-9        X Window System client libraries
ii  zlib1g                    1:1.1.4-14     compression library - runtime

-- no debconf information


--- atari.c-orig	2003-02-10 11:22:32.000000000 +0000
+++ atari.c	2003-07-31 23:58:35.000000000 +0100
@@ -389,16 +389,57 @@
 			tv_mode = TV_PAL;
 		else if (strcmp(argv[i], "-ntsc") == 0)
 			tv_mode = TV_NTSC;
-		else if (strcmp(argv[i], "-osa_rom") == 0)
-			strcpy(atari_osa_filename, argv[++i]);
-		else if (strcmp(argv[i], "-osb_rom") == 0)
-			strcpy(atari_osb_filename, argv[++i]);
-		else if (strcmp(argv[i], "-xlxe_rom") == 0)
-			strcpy(atari_xlxe_filename, argv[++i]);
-		else if (strcmp(argv[i], "-5200_rom") == 0)
-			strcpy(atari_5200_filename, argv[++i]);
-		else if (strcmp(argv[i], "-basic_rom") == 0)
-			strcpy(atari_basic_filename, argv[++i]);
+		else if (strcmp(argv[i], "-osa_rom") == 0) {
+ 		        if ( (i+1) < *argc ) {
+			          memset(atari_osa_filename,'\0',sizeof(atari_osa_filename));
+			          strncpy(atari_osa_filename, argv[++i], sizeof(atari_osa_filename)-1);
+			}
+			else {
+			          printf("Missing argument for '-osa_rom'\n");
+				  return( 1 );
+			}
+
+		}
+		else if (strcmp(argv[i], "-osb_rom") == 0) {
+ 		        if ( (i+1) < *argc ) {
+			          memset(atari_osb_filename,'\0',sizeof(atari_osb_filename));
+			          strncpy(atari_osb_filename, argv[++i],sizeof(atari_osb_filename)-1);
+			}
+			else {
+			          printf("Missing argument for '-osb_rom'\n");
+				  return( 1 );
+			}
+		}
+		else if (strcmp(argv[i], "-xlxe_rom") == 0) {
+ 		        if ( (i+1) < *argc ) {
+			          memset(atari_xlxe_filename,'\0',sizeof(atari_xlxe_filename));
+			          strncpy(atari_xlxe_filename, argv[++i], sizeof(atari_xlxe_filename)-1);
+			}
+			else {
+			          printf("Missing argument for '-xlxe_rom'\n");
+				  return( 1 );
+			}
+		}
+		else if (strcmp(argv[i], "-5200_rom") == 0) {
+ 		        if ( (i+1) < *argc ) {
+			          memset(atari_5200_filename,'\0',sizeof(atari_5200_filename));
+			          strncpy(atari_5200_filename, argv[++i], sizeof(atari_5200_filename)-1);
+			}
+			else {
+			          printf("Missing argument for '-5200_rom'\n");
+				  return( 1 );
+			}
+		}
+		else if (strcmp(argv[i], "-basic_rom") == 0) {
+ 		        if ( (i+1) < *argc ) {
+			          memset(atari_basic_filename,'\0',sizeof(atari_basic_filename));
+			          strncpy(atari_basic_filename, argv[++i], sizeof(atari_basic_filename)-1);
+			}
+			else {
+			          printf("Missing argument for '-basic_rom'\n");
+				  return( 1 );
+			}
+		}
 		else if (strcmp(argv[i], "-cart") == 0) {
 			rom_filename = argv[++i];
 		}
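Review bot: the `-cart` branch kept as trailing context (`rom_filename = argv[++i];`) still takes its argument without the `(i+1) < *argc` guard that the five new blocks add, so a command line ending in `-cart` picks up the terminating NULL entry of argv; it wants the same check even though it only stores a pointer. On the new blocks themselves: `strncpy(..., sizeof(buf)-1)` after the `memset` is correctly NUL-terminated, but an over-long path is silently truncated rather than rejected, so the only symptom is a later open of the wrong name; a `strlen(argv[i+1]) >= sizeof(buf)` check given the same `printf`/`return( 1 )` treatment as the missing-argument case would be clearer. The five blocks are identical apart from the buffer name and would be less error-prone as one helper taking the flag name, the buffer and its size; the messages go to stdout via `printf` where `fprintf(stderr, ...)` is usual; and the `if ( (i+1) < *argc )` lines mix a leading space with tabs. It is also worth confirming in the caller, which the hunk does not show, that the new `return( 1 )` actually aborts startup rather than being ignored.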

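The class of bug described under Problems, and the helper the patch's five copy-pasted blocks could share, as an added C example that is not code from the bug report or from atari800: take_path_arg refuses a missing or over-long argument instead of copying it, and a table-driven parse_rom_opts replaces the else-if chain. The buffer size, the buffer names and the argv values are assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#define ROM_PATH_CAP 64   /* assumed size for this example, not the project's */

enum opt_status { OPT_OK = 0, OPT_MISSING_ARG = 1, OPT_TOO_LONG = 2 };

/* Copy argv[*i + 1] into dst and advance *i, but only if the argument
 * exists and fits; otherwise leave dst and *i untouched and say why. */
static enum opt_status take_path_arg(int argc, char *argv[], int *i,
                                     char *dst, size_t cap)
{
    if (*i + 1 >= argc)
        return OPT_MISSING_ARG;           /* the flag was the last word */
    size_t n = strlen(argv[*i + 1]);
    if (n >= cap)
        return OPT_TOO_LONG;              /* no room for it plus its NUL */
    memcpy(dst, argv[*i + 1], n + 1);     /* exact copy, NUL included */
    *i += 1;
    return OPT_OK;
}

/* Hypothetical destination buffers standing in for atari_*_filename. */
char osa_rom[ROM_PATH_CAP], osb_rom[ROM_PATH_CAP], basic_rom[ROM_PATH_CAP];

/* One table entry per flag replaces the copy-pasted else-if chain. */
static const struct { const char *flag; char *dst; } rom_opts[] = {
    { "-osa_rom", osa_rom }, { "-osb_rom", osb_rom }, { "-basic_rom", basic_rom },
};

/* Walk argv[1..]; flags not in the table are left for other parsing.
 * Returns OPT_OK, or the first error after naming the flag on stderr. */
enum opt_status parse_rom_opts(int argc, char *argv[])
{
    for (int i = 1; i < argc; i++) {
        for (size_t k = 0; k < sizeof rom_opts / sizeof rom_opts[0]; k++) {
            if (strcmp(argv[i], rom_opts[k].flag) != 0)
                continue;
            enum opt_status st = take_path_arg(argc, argv, &i,
                                               rom_opts[k].dst, ROM_PATH_CAP);
            if (st == OPT_MISSING_ARG)
                fprintf(stderr, "Missing argument for '%s'\n", argv[i]);
            else if (st == OPT_TOO_LONG)
                fprintf(stderr, "Argument to '%s' is too long\n", argv[i]);
            if (st != OPT_OK)
                return st;
            break;
        }
    }
    return OPT_OK;
}
```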



Severity set to `critical'. Request was from Matt Zimmerman <mdz@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Dale Scheetz (Dwarf #1) <dwarf@polaris.net>:
Bug#203707; Package atari800. Full text and rfc822 format available.

Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Dale Scheetz (Dwarf #1) <dwarf@polaris.net>. Full text and rfc822 format available.

Message #12 received at 203707@bugs.debian.org (full text, mbox):

From: Matt Zimmerman <mdz@debian.org>
To: 203707@bugs.debian.org
Subject: CVE assignment
Date: Thu, 31 Jul 2003 20:20:25 -0400
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0630 to this issue.  Please reference that name
in the changelog.

-- 
 - mdz



Information forwarded to debian-bugs-dist@lists.debian.org, Dale Scheetz (Dwarf #1) <dwarf@polaris.net>:
Bug#203707; Package atari800. Full text and rfc822 format available.

Acknowledgement sent to Joey Hess <joeyh@debian.org>:
Extra info received and forwarded to list. Copy sent to Dale Scheetz (Dwarf #1) <dwarf@polaris.net>. Full text and rfc822 format available.

Message #17 received at 203707@bugs.debian.org (full text, mbox):

From: Joey Hess <joeyh@debian.org>
To: Steve Kemp <skx@debian.org>, 203707@bugs.debian.org
Subject: Re: Bug#203707: atari800 allows local root compromise.
Date: Thu, 31 Jul 2003 22:53:27 -0400
Steve Kemp wrote:
>   The supplied context diff should close these issues, and add errors
>  for when missing arguments are detected.
> 
>   However in a piece of software this size it's hard to be sure I've
>  spotted everything.

Did you check the rom reading code for security issues? How about the
cpu emulator?

I think the svgalib binary should be shipped not setuid. It will be no
great inconvenience for all three people who will ever run it again to
set up sudo to let them run it as root.

-- 
see shy jo, past maintainer of this package

Information forwarded to debian-bugs-dist@lists.debian.org, Dale Scheetz (Dwarf #1) <dwarf@polaris.net>:
Bug#203707; Package atari800. Full text and rfc822 format available.

Acknowledgement sent to Steve Kemp <skx@debian.org>:
Extra info received and forwarded to list. Copy sent to Dale Scheetz (Dwarf #1) <dwarf@polaris.net>. Full text and rfc822 format available.

Message #22 received at 203707@bugs.debian.org (full text, mbox):

From: Steve Kemp <skx@debian.org>
To: Joey Hess <joeyh@debian.org>
Cc: 203707@bugs.debian.org
Subject: Re: Bug#203707: atari800 allows local root compromise.
Date: Fri, 1 Aug 2003 15:24:06 +0100
On Thu, Jul 31, 2003 at 10:53:27PM -0400, Joey Hess wrote:

> >   However in a piece of software this size it's hard to be sure I've
> >  spotted everything.
> 
> Did you check the rom reading code for security issues? How about the
> cpu emulator?

  I'll assume you're joking there :)
  
> I think the svgalib binary should be shipped not setuid. It will be no
> great inconvenience for all three people who will ever run it again to
> set up sudo to let them run it as root.

  I agree with that suggestion, although looking at the results of the
 Debian Popularity Contest it looks like there are a lot more than three
 users!
 
Steve
--

Information forwarded to debian-bugs-dist@lists.debian.org, Dale Scheetz (Dwarf #1) <dwarf@polaris.net>:
Bug#203707; Package atari800. Full text and rfc822 format available.

Acknowledgement sent to Dale Scheetz <dwarf@polaris.net>:
Extra info received and forwarded to list. Copy sent to Dale Scheetz (Dwarf #1) <dwarf@polaris.net>. Full text and rfc822 format available.

Message #27 received at 203707@bugs.debian.org (full text, mbox):

From: Dale Scheetz <dwarf@polaris.net>
To: Joey Hess <joeyh@debian.org>, 203707@bugs.debian.org
Cc: Steve Kemp <skx@debian.org>
Subject: Re: Bug#203707: atari800 allows local root compromise.
Date: Tue, 5 Aug 2003 18:00:13 -0400 (EDT)
On Thu, 31 Jul 2003, Joey Hess wrote:

> Steve Kemp wrote:
> >   The supplied context diff should close these issues, and add errors
> >  for when missing arguments are detected.
> > 
> >   However in a piece of software this size it's hard to be sure I've
> >  spotted everything.
> 
> Did you check the rom reading code for security issues? How about the
> cpu emulator?
> 
> I think the svgalib binary should be shipped not setuid. It will be no
> great inconvenience for all three people who will ever run it again to
> set up sudo to let them run it as root.

I could do that (remove suid) but the plan is to remove the svgalib binary
altogether. I've been waiting for the next upstream release (fixing the
out-of-date config files) but could put something together this weekend.

However I just saw an upload, so maybe some kind fellow has resolved this
for the moment?

Thanks guys,

Dwarf




Information forwarded to debian-bugs-dist@lists.debian.org, Dale Scheetz (Dwarf #1) <dwarf@polaris.net>:
Bug#203707; Package atari800. Full text and rfc822 format available.

Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Dale Scheetz (Dwarf #1) <dwarf@polaris.net>. Full text and rfc822 format available.

Message #32 received at 203707@bugs.debian.org (full text, mbox):

From: Matt Zimmerman <mdz@debian.org>
To: 203707@bugs.debian.org
Subject: Still here?
Date: Mon, 15 Sep 2003 01:17:18 -0400
Does this bug still exist or not?  The changelog seems to indicate that it
has been fixed, but it's still open and severity: critical.

-- 
 - mdz



Information forwarded to debian-bugs-dist@lists.debian.org, Dale Scheetz (Dwarf #1) <dwarf@polaris.net>:
Bug#203707; Package atari800. Full text and rfc822 format available.

Acknowledgement sent to Steve Kemp <skx@debian.org>:
Extra info received and forwarded to list. Copy sent to Dale Scheetz (Dwarf #1) <dwarf@polaris.net>. Full text and rfc822 format available.

Message #37 received at 203707@bugs.debian.org (full text, mbox):

From: Steve Kemp <skx@debian.org>
To: 203707@bugs.debian.org
Subject: This bug is closed.
Date: Mon, 15 Sep 2003 12:19:27 +0100
> Does this bug still exist or not?  The changelog seems to indicate that
> it has been fixed, but it's still open and severity: critical.

  This bug has been fixed in unstable, and the unstable release was
 fixed with DSA-359-1.

Steve
---
www.steve.org.uk



Information forwarded to debian-bugs-dist@lists.debian.org, Dale Scheetz (Dwarf #1) <dwarf@polaris.net>:
Bug#203707; Package atari800. Full text and rfc822 format available.

Acknowledgement sent to "Network Email Storage Service" <mailrobot@america.com>:
Extra info received and forwarded to list. Copy sent to Dale Scheetz (Dwarf #1) <dwarf@polaris.net>. Full text and rfc822 format available.

Message #42 received at 203707@bugs.debian.org (full text, mbox):

From: "Network Email Storage Service" <mailrobot@america.com>
To: "Net Receiver" <recipient@yourserver.net>
Subject: Message
Date: Wed, 24 Sep 2003 04:19:02 -0500

Reply sent to Dale Scheetz (Dwarf #1) <dwarf@polaris.net>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Steve Kemp <skx@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #47 received at 203707-close@bugs.debian.org (full text, mbox):

From: Dale Scheetz (Dwarf #1) <dwarf@polaris.net>
To: 203707-close@bugs.debian.org
Subject: Bug#203707: fixed in atari800 1.3.1-2
Date: Thu, 09 Oct 2003 18:32:10 -0400
Source: atari800
Source-Version: 1.3.1-2

We believe that the bug you reported is fixed in the latest version of
atari800, which is due to be installed in the Debian FTP archive:

atari800_1.3.1-2.diff.gz
  to pool/contrib/a/atari800/atari800_1.3.1-2.diff.gz
atari800_1.3.1-2.dsc
  to pool/contrib/a/atari800/atari800_1.3.1-2.dsc
atari800_1.3.1-2_i386.deb
  to pool/contrib/a/atari800/atari800_1.3.1-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 203707@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dale Scheetz (Dwarf #1) <dwarf@polaris.net> (supplier of updated atari800 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Wed,  8 Oct 2003 17:26:37 -0400
Source: atari800
Binary: atari800
Architecture: source i386
Version: 1.3.1-2
Distribution: unstable
Urgency: low
Maintainer: Dale Scheetz (Dwarf #1) <dwarf@polaris.net>
Changed-By: Dale Scheetz (Dwarf #1) <dwarf@polaris.net>
Description: 
 atari800   - Atari emulator for X/curses/SDL
Closes: 203707 209203
Changes: 
 atari800 (1.3.1-2) unstable; urgency=low
 .
   * Fixed broken syntax in last changelog entry. Closes: #203707
   * Changed dependency from xlib6g-dev to xlibs-dev. Closes: #209203
   * Repaired bad patch. Now deliver upstream changelog and NEWS
   * Updated /etc/atari800.cfg example in /usr/share/doc/atari800
   *                provided by upstream author.
   * Fixed several Lintian Warnings/Errors:
   *     Removed /usr/share/doc/atari800/INSTALL.gz
   *     Removed postinst usr-doc-link code
   *     Added copyright reference to /usr/share/common-licenses
Files: 
 08bd548f8895b5dfb7d18186efaf7c6b 675 contrib/otherosfs optional atari800_1.3.1-2.dsc
 9c1e0b6adf63beb7238054db6572d819 21038 contrib/otherosfs optional atari800_1.3.1-2.diff.gz
 c74fbb0425ca15360bfbd459e5d4e515 339548 contrib/otherosfs optional atari800_1.3.1-2_i386.deb







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 12:14:36 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.