Debian Bug report logs - #213957
xshisen allows local user to gain GID(games);


Package: xshisen; Maintainer for xshisen is Zak B. Elep <zakame@zakame.net>; Source for xshisen is src:xshisen.

Reported by: Steve Kemp <skx@debian.org>

Date: Fri, 3 Oct 2003 15:33:01 UTC

Severity: normal

Tags: fixed, patch, security, sid

Found in version 1.51-1

Fixed in version xshisen/1.51-1-2

Done: zakame@spunge.org (Zak B. Elep)

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Grzegorz Prokopski (Debian Developer) <gadek@debian.org>:
Bug#213957; Package xshisen. Full text and rfc822 format available.

Acknowledgement sent to Steve Kemp <skx@debian.org>:
New Bug report received and forwarded. Copy sent to Grzegorz Prokopski (Debian Developer) <gadek@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Steve Kemp <skx@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: xshisen allows local user to gain GID(games);
Date: Fri, 03 Oct 2003 16:17:58 +0100
Package: xshisen
Version: 1.51-1
Severity: normal
Tags: security sid patch



About
-----

  xshisen is a puzzle game for X11 similar to the Sang-hai game.

  The main binary xshisen is installed setgid(games) within both
 the Debian Unstable, and the Debian Testing distributions.

 
Problems
--------

  This code suffers from two problems relating to lack of bounds
 testing of user supplied data.

  The first problem is the handling of the command line flag "-KCONV",
 the second is the inappropriate handling of the 'XSHISENLIB' 
 environmental variable.

  Either of these vulnerabilities can be used to gain gid(games)
 privileges.

  Sample exploits are available.

 
Fix
---

  The supplied diff should close both these holes.


Steve
--
# Debian Security Audit
http://www.steve.org.uk/

-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux steve 2.4.19-686 #1 Mon Nov 18 23:59:03 EST 2002 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages xshisen depends on:
ii  libc6                      2.3.2-8       GNU C Library: Shared libraries an
ii  libgcc1                    1:3.3.2-0pre4 GCC support library
ii  libstdc++5                 1:3.3.2-0pre4 The GNU Standard C++ Library v3
ii  libxaw7                    4.2.1-11      X Athena widget set library
ii  xlibs                      4.2.1-11      X Window System client libraries

-- no debconf information



--- main.C-orig	2003-09-29 14:08:08.000000000 +0100
+++ main.C	2003-09-29 14:38:20.000000000 +0100
@@ -210,7 +210,7 @@
     char buffer[100], *p;
     char *(*codeconv)(const char*);
 
-    strcpy(buffer, operation);
+    strncpy(buffer, operation,sizeof(buffer)-1);
     if (strchr(buffer, '-') == NULL) {
         strcat(buffer, "-" KANJICODE);
     }
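Review bot: the strncpy() call in main.C still leaves buffer unsafe, because strncpy(buffer, operation,sizeof(buffer)-1) writes no terminator when operation is 99 bytes or longer and buffer is an uninitialised stack array, so the strchr(buffer, '-') and strcat() that follow can run past its end. Separately, an operation that fits but contains no '-' can still be pushed beyond the 100 bytes by strcat(buffer, "-" KANJICODE), since the copy reserves no room for the suffix. Suggest setting buffer[sizeof(buffer)-1] = '\0' after the copy and limiting the copy so the suffix fits, or building the string with one snprintf() and rejecting input when its return value is >= sizeof(buffer).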
--- readxpm.C-orig	2003-09-29 14:37:38.000000000 +0100
+++ readxpm.C	2003-09-29 14:37:51.000000000 +0100
@@ -12,7 +12,7 @@
   char buffer[1024];
 
   for(int i=0; i<PKIND; i++) {
-    sprintf(buffer, "%s/%s/%s.xpm", directory, subdir, files[i]);
+    snprintf(buffer,sizeof(buffer)-1, "%s/%s/%s.xpm", directory, subdir, files[i]);
     Mp[i].ReadFile(w, buffer, i, globRes.colorCloseness);
   }
 }
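Review bot: the snprintf() return value in readxpm.C is ignored, so when directory, subdir and files[i] together exceed the buffer the path is silently truncated and the truncated name is still handed to Mp[i].ReadFile(). Compare the return value against sizeof(buffer) and fail or skip the file on overflow. The size argument can also be sizeof(buffer) rather than sizeof(buffer)-1, since snprintf() counts the terminating NUL within the size it is given.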




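A bounded form of the two buffer-building steps touched by the patch above, as an added example that is not part of the original report or of xshisen's source: each helper rejects input that does not fit instead of truncating it. The KANJICODE value, the helper names and the sample arguments are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: stand-in for the KANJICODE macro used in main.C; its real
   value is not shown in the report. */
#define KANJICODE "EUC"

/* Bounded replacement for the strcpy/strcat pair in the -KCONV handling.
   Writes operation, plus "-" KANJICODE when operation has no '-', to out.
   Returns 0 on success, -1 if the result (with its NUL) would not fit. */
int build_conv_name(char *out, size_t outsz, const char *operation)
{
    const char *suffix = strchr(operation, '-') ? "" : "-" KANJICODE;
    int n = snprintf(out, outsz, "%s%s", operation, suffix);

    if (n < 0 || (size_t)n >= outsz) {   /* error or would-be truncation */
        if (outsz > 0)
            out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Bounded replacement for the sprintf in readxpm.C: a path that does not
   fit is reported to the caller instead of being used truncated. */
int build_xpm_path(char *out, size_t outsz, const char *directory,
                   const char *subdir, const char *file)
{
    int n = snprintf(out, outsz, "%s/%s/%s.xpm", directory, subdir, file);

    if (n < 0 || (size_t)n >= outsz) {
        if (outsz > 0)
            out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char name[100], path[1024], longarg[200];

    memset(longarg, 'A', sizeof(longarg) - 1);  /* constructed over-long input */
    longarg[sizeof(longarg) - 1] = '\0';

    printf("short: %d\n", build_conv_name(name, sizeof(name), "sjis"));
    printf("long:  %d\n", build_conv_name(name, sizeof(name), longarg));
    printf("path:  %d\n", build_xpm_path(path, sizeof(path), "/tmp/lib", "sub", "tile"));
    return 0;
}
```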
Information forwarded to debian-bugs-dist@lists.debian.org, Grzegorz Prokopski (Debian Developer) <gadek@debian.org>:
Bug#213957; Package xshisen. Full text and rfc822 format available.

Acknowledgement sent to Steve Kemp <skx@debian.org>:
Extra info received and forwarded to list. Copy sent to Grzegorz Prokopski (Debian Developer) <gadek@debian.org>. Full text and rfc822 format available.

Message #10 received at 213957@bugs.debian.org (full text, mbox):

From: Steve Kemp <skx@debian.org>
To: 213957@bugs.debian.org
Cc: Grzegorz Prokopski <gadek@debian.org>
Subject: NMU will occur in five days.
Date: Wed, 29 Oct 2003 14:06:20 +0000
[Message part 1 (text/plain, inline)]
Hi,

  There's been no feedback upon this report or patch
 for 25 days now.

  I regard it as a serious bug as it allows local users
 to gain enhanced privileges.

  I will perform a NMU in five days if this hasn't been
 fixed by that time.

Steve
--
# Debian Security Audit Project
http://www.steve.org.uk/Debian/
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Grzegorz Prokopski (Debian Developer) <gadek@debian.org>:
Bug#213957; Package xshisen. Full text and rfc822 format available.

Acknowledgement sent to "Grzegorz B. Prokopski" <gadek@debian.org>:
Extra info received and forwarded to list. Copy sent to Grzegorz Prokopski (Debian Developer) <gadek@debian.org>. Full text and rfc822 format available.

Message #15 received at 213957@bugs.debian.org (full text, mbox):

From: "Grzegorz B. Prokopski" <gadek@debian.org>
To: Steve Kemp <skx@debian.org>, 213957@bugs.debian.org
Subject: Re: Bug#213957: NMU will occur in five days.
Date: Wed, 29 Oct 2003 10:53:27 -0500
On Wed, 29-10-2003, at 09:06, Steve Kemp wrote:
> Hi,
> 
>   There's been no feedback upon this report or patch
>  for 25 days now.
> 
>   I regard it as a serious bug as it allows local users
>  to gain enhanced privileges.
> 
>   I will perform a NMU in five days if this hasn't been
>  fixed by that time.

Darn, I forgot about it completely in flood of other things.

NMU is welcomed though as I really am busy w/ my other
packages right now (sablevm) - on development level.

Please go on

			Grzegorz B. Prokopski

-- 
Grzegorz B. Prokopski <gadek@debian.org>
Debian GNU/Linux      http://www.debian.org
SableVM - LGPLed JVM  http://www.sablevm.org




Information forwarded to debian-bugs-dist@lists.debian.org, Grzegorz Prokopski (Debian Developer) <gadek@debian.org>:
Bug#213957; Package xshisen. Full text and rfc822 format available.

Acknowledgement sent to Steve Kemp <skx@debian.org>:
Extra info received and forwarded to list. Copy sent to Grzegorz Prokopski (Debian Developer) <gadek@debian.org>. Full text and rfc822 format available.

Message #20 received at 213957@bugs.debian.org (full text, mbox):

From: Steve Kemp <skx@debian.org>
To: "Grzegorz B. Prokopski" <gadek@debian.org>
Cc: 213957@bugs.debian.org
Subject: Re: Bug#213957: NMU will occur in five days.
Date: Wed, 29 Oct 2003 17:03:08 +0000
[Message part 1 (text/plain, inline)]
On Wed, Oct 29, 2003 at 10:53:27AM -0500, Grzegorz B. Prokopski wrote:

> NMU is welcomed though as I really am busy w/ my other
> packages right now (sablevm) - on development level.
> 
> Please go on

  Thank you.

  I've uploaded it now.  I'll not file a patch as that is already
 included in this bug report.  The only additional change was the
 inclusion of a changelog entry.

Steve
--
# Debian Security Audit Project
http://www.steve.org.uk/Debian/
[Message part 2 (application/pgp-signature, inline)]

Tags added: fixed Request was from Steve Kemp <skx@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Grzegorz Prokopski (Debian Developer) <gadek@debian.org>:
Bug#213957; Package xshisen. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Grzegorz Prokopski (Debian Developer) <gadek@debian.org>. Full text and rfc822 format available.

Message #27 received at 213957@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: 213957@bugs.debian.org
Subject: CVE id
Date: Wed, 19 Jan 2005 09:24:40 +0100
======================================================
Candidate: CAN-2003-1053
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-1053
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20050119
Category: SF
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=213957
Reference: CONFIRM:http://www.vuxml.org/freebsd/56971fa6-641c-11d9-a097-000854d03344.html
Reference: BID:8770
Reference: URL:http://www.securityfocus.com/bid/8770
Reference: BID:8776
Reference: URL:http://www.securityfocus.com/bid/8776
Reference: SECUNIA:9950
Reference: URL:http://secunia.com/advisories/9950
Reference: XF:xshisen-kconv-bo(13358)
Reference: URL:http://xforce.iss.net/xforce/xfdb/13358
Reference: XF:xshisen-xshisenlib-bo(13359)
Reference: URL:http://xforce.iss.net/xforce/xfdb/13359

Multiple buffer overflows in XShisen allow attackers to execute
arbitrary code via a long (1) -KCONV command line option or (2)
XSHISENLIB environment variable.


Please mention this in the changelog in the proper change entry.

Regards,

	Joey

-- 
Ten years and still binary compatible.  -- XFree86

Please always Cc to me when replying to me on the lists.



Information forwarded to debian-bugs-dist@lists.debian.org, Grzegorz Prokopski (Debian Developer) <gadek@debian.org>:
Bug#213957; Package xshisen. Full text and rfc822 format available.

Acknowledgement sent to Steve Kemp <skx@debian.org>:
Extra info received and forwarded to list. Copy sent to Grzegorz Prokopski (Debian Developer) <gadek@debian.org>. Full text and rfc822 format available.

Message #32 received at 213957@bugs.debian.org (full text, mbox):

From: Steve Kemp <skx@debian.org>
To: 213957-done@bugs.debian.org
Cc: 213957@bugs.debian.org
Subject: Fixed.
Date: Sat, 20 Aug 2005 22:42:43 +0100
  This is fixed in Sarge, Etch, and unstable.

  Probably time to close it.

-- 
Steve
-- 
# The Debian Security Audit Project.
http://www.debian.org/security/audit




Reply sent to Steve Kemp <skx@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Steve Kemp <skx@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Reply sent to zakame@spunge.org (Zak B. Elep):
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Steve Kemp <skx@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #42 received at 213957-close@bugs.debian.org (full text, mbox):

From: zakame@spunge.org (Zak B. Elep)
To: 213957-close@bugs.debian.org
Subject: Bug#213957: fixed in xshisen 1.51-1-2
Date: Tue, 21 Feb 2006 07:17:10 -0800
Source: xshisen
Source-Version: 1.51-1-2

We believe that the bug you reported is fixed in the latest version of
xshisen, which is due to be installed in the Debian FTP archive:

xshisen_1.51-1-2.diff.gz
  to pool/main/x/xshisen/xshisen_1.51-1-2.diff.gz
xshisen_1.51-1-2.dsc
  to pool/main/x/xshisen/xshisen_1.51-1-2.dsc
xshisen_1.51-1-2_i386.deb
  to pool/main/x/xshisen/xshisen_1.51-1-2_i386.deb
xshisen_1.51-1.orig.tar.gz
  to pool/main/x/xshisen/xshisen_1.51-1.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 213957@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Zak B. Elep <zakame@spunge.org> (supplier of updated xshisen package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 21 Feb 2006 22:35:26 +0800
Source: xshisen
Binary: xshisen
Architecture: source i386
Version: 1.51-1-2
Distribution: unstable
Urgency: high
Maintainer: Zak B. Elep <zakame@spunge.org>
Changed-By: Zak B. Elep <zakame@spunge.org>
Description: 
 xshisen    - Shisen-sho puzzle game for X11
Closes: 213957 289784 291279 291613 292065 346854
Changes: 
 xshisen (1.51-1-2) unstable; urgency=low
 .
   * New maintainer (as agreed with former maintainer; see
     http://lists.debian.org/debian-devel/2006/02/msg00007.html)
   * Fix strange source packaging problem (Closes: #291279)
   * debian/control:
     - Changed build system to CDBS + debhelper.
     - Bump Standards-Version.
     - Bump debhelper Build-Depends to (>= 5) ; updated compat too.
     - Slightly touch description; added homepage too.
   * debian/patches:
     - Added 10_oldfixes.patch .  Must sort the various hunks out soon.
       Acknowledging NMUs .
     - Added 11_manpage_fixes.patch to properly format C and ja manpages.
     - Added 20_autotools_update.patch .
   * debian/rules:
     - Remove extra Japanese manpages as suggested by Nicolas François.
       Remove app-defaults for these extra locales too.
   * debian/menu:
     - Properly quote menu entry.
 .
 xshisen (1.51-1-1.3) unstable; urgency=low
 .
   * Non-maintainer upload to do xlibs-dev transition.
   * Update debian/control to not build-depend on xlibs-dev anymore. (Closes:
     #346854)
   * Fix Makefile.in to reflect GNU make behaviour change regarding line
     continuations and whitespace.
 .
 xshisen (1.51-1-1.2) unstable; urgency=HIGH
 .
   * NMU (at maintainer's request).
   * Add NO_GLOBAL_HIGHSCORE define which crudely disables the support for
     a global score file.
   * Remove sgid bit. Closes: #291613, #292065
   * Comment out code in postinst that set up /var/games/xshisen.scores,
     but for now, do not delete that file on upgrade.
   * Add README.Debian.
 .
 xshisen (1.51-1-1.1) unstable; urgency=HIGH
 .
   * NMU
   * Fix buffer overflow in handling of GECOS field (CAN-2005-0117)
     using patch from Ulf Harnhammar. Closes: #289784
 .
 xshisen (1.51-1-1) unstable; urgency=high
 .
   * Non-maintainer upload with consent from Grzegorz.
   * Fix a locally exploitable buffer overflow allowing GID(games).
     (Closes: #213957)
Files: 
 9bb81ea94342beafadfc0554cda517aa 660 games optional xshisen_1.51-1-2.dsc
 5f0ef1d7811401876de717fd6771fe47 85350 games optional xshisen_1.51-1.orig.tar.gz
 6f2400fcf46f8feecb2f25e2547e2951 79053 games optional xshisen_1.51-1-2.diff.gz
 51737af066b25119295ba5c8317ee375 61262 games optional xshisen_1.51-1-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFD+yumlAuUx1tI/64RAgQpAJ4+6/S5G1rOUtHbGbu6d3/BoGL1ewCfdXuT
oXQMYfMT/5MqMDvqwd6rfHM=
=mJ0A
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 00:08:53 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 25 01:37:10 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.