Report forwarded to debian-bugs-dist@lists.debian.org, Grzegorz Prokopski (Debian Developer) <gadek@debian.org>: Bug#213957; Package xshisen.
Acknowledgement sent to Steve Kemp <skx@debian.org>:
New Bug report received and forwarded. Copy sent to Grzegorz Prokopski (Debian Developer) <gadek@debian.org>.
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: xshisen allows local user to gain GID(games);
Date: Fri, 03 Oct 2003 16:17:58 +0100
Package: xshisen
Version: 1.51-1
Severity: normal
Tags: security sid patch
About
-----
xshisen is a puzzle game for X11 similar to the Sang-hai game.
The main binary xshisen is installed setgid(games) within both
the Debian Unstable, and the Debian Testing distributions.
Problems
--------
This code suffers from two problems relating to lack of bounds
testing of user supplied data.
The first problem is the handling of the command line flag "-KCONV",
the second is the inappropriate handling of the 'XSHISENLIB'
environmental variable.
Either of these vulnerabilities can be used to gain gid(games)
privileges.
Sample exploits are available.
Fix
---
The supplied diff should close both these holes.
Steve
--
# Debian Security Audit
http://www.steve.org.uk/
-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux steve 2.4.19-686 #1 Mon Nov 18 23:59:03 EST 2002 i686
Locale: LANG=C, LC_CTYPE=C
Versions of packages xshisen depends on:
ii libc6 2.3.2-8 GNU C Library: Shared libraries an
ii libgcc1 1:3.3.2-0pre4 GCC support library
ii libstdc++5 1:3.3.2-0pre4 The GNU Standard C++ Library v3
ii libxaw7 4.2.1-11 X Athena widget set library
ii xlibs 4.2.1-11 X Window System client libraries
-- no debconf information
--- main.C-orig 2003-09-29 14:08:08.000000000 +0100
+++ main.C 2003-09-29 14:38:20.000000000 +0100
@@ -210,7 +210,7 @@
char buffer[100], *p;
char *(*codeconv)(const char*);
- strcpy(buffer, operation);
+ strncpy(buffer, operation,sizeof(buffer)-1);
if (strchr(buffer, '-') == NULL) {
strcat(buffer, "-" KANJICODE);
}
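Review bot: the strncpy(buffer, operation,sizeof(buffer)-1) call leaves buffer unterminated when operation is 99 bytes or longer, because buffer is an uninitialised stack array and strncpy writes no NUL on truncation, so the strchr and strcat that follow can run past the copied data. Even with a terminator in place, strcat(buffer, "-" KANJICODE) appends to a buffer that may already hold 99 bytes and can still write beyond buffer[100]. Suggest setting buffer[sizeof(buffer)-1] = '\0' after the copy and bounding the append to the space that remains, or rejecting an operation string too long to leave room for the suffix.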
--- readxpm.C-orig 2003-09-29 14:37:38.000000000 +0100
+++ readxpm.C 2003-09-29 14:37:51.000000000 +0100
@@ -12,7 +12,7 @@
char buffer[1024];
for(int i=0; i<PKIND; i++) {
- sprintf(buffer, "%s/%s/%s.xpm", directory, subdir, files[i]);
+ snprintf(buffer,sizeof(buffer)-1, "%s/%s/%s.xpm", directory, subdir, files[i]);
Mp[i].ReadFile(w, buffer, i, globRes.colorCloseness);
}
}
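Review bot: the snprintf return value inside the loop is ignored, so a directory or subdir long enough to exceed the 1024-byte buffer now produces a silently truncated path that is still passed to Mp[i].ReadFile. Suggest checking for a negative result or one >= sizeof(buffer) and failing with an error instead of opening the truncated name. The size argument can also be sizeof(buffer) rather than sizeof(buffer)-1, since snprintf already reserves room for the terminating NUL.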
Information forwarded to debian-bugs-dist@lists.debian.org, Grzegorz Prokopski (Debian Developer) <gadek@debian.org>: Bug#213957; Package xshisen.
Acknowledgement sent to Steve Kemp <skx@debian.org>:
Extra info received and forwarded to list. Copy sent to Grzegorz Prokopski (Debian Developer) <gadek@debian.org>.
Hi,
There's been no feedback upon this report or patch
for 25 days now.
I regard it as a serious bug as it allows local users
to gain enhanced privileges.
I will perform a NMU in five days if this hasn't been
fixed by that time.
Steve
--
# Debian Security Audit Project
http://www.steve.org.uk/Debian/
Information forwarded to debian-bugs-dist@lists.debian.org, Grzegorz Prokopski (Debian Developer) <gadek@debian.org>: Bug#213957; Package xshisen.
Acknowledgement sent to "Grzegorz B. Prokopski" <gadek@debian.org>:
Extra info received and forwarded to list. Copy sent to Grzegorz Prokopski (Debian Developer) <gadek@debian.org>.
To: Steve Kemp <skx@debian.org>, 213957@bugs.debian.org
Subject: Re: Bug#213957: NMU will occur in five days.
Date: Wed, 29 Oct 2003 10:53:27 -0500
In a message of Wed, 29-10-2003, 09:06, Steve Kemp writes:
> Hi,
>
> There's been no feedback upon this report or patch
> for 25 days now.
>
> I regard it as a serious bug as it allows local users
> to gain enhanced privileges.
>
> I will perform a NMU in five days if this hasn't been
> fixed by that time.
Darn, I forgot about it completely in flood of other things.
NMU is welcomed though as I really am busy w/ my other
packages right now (sablevm) - on development level.
Please go on
Grzegorz B. Prokopski
--
Grzegorz B. Prokopski <gadek@debian.org>
Debian GNU/Linux http://www.debian.org
SableVM - LGPLed JVM http://www.sablevm.org
Information forwarded to debian-bugs-dist@lists.debian.org, Grzegorz Prokopski (Debian Developer) <gadek@debian.org>: Bug#213957; Package xshisen.
Acknowledgement sent to Steve Kemp <skx@debian.org>:
Extra info received and forwarded to list. Copy sent to Grzegorz Prokopski (Debian Developer) <gadek@debian.org>.
On Wed, Oct 29, 2003 at 10:53:27AM -0500, Grzegorz B. Prokopski wrote:
> NMU is welcomed though as I really am busy w/ my other
> packages right now (sablevm) - on development level.
>
> Please go on
Thank you.
I've uploaded it now. I'll not file a patch as that is already
included in this bug report. The only additional change was the
inclusion of a changelog entry.
Steve
--
# Debian Security Audit Project
http://www.steve.org.uk/Debian/
Tags added: fixed
Request was from Steve Kemp <skx@debian.org>
to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Grzegorz Prokopski (Debian Developer) <gadek@debian.org>: Bug#213957; Package xshisen.
Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Grzegorz Prokopski (Debian Developer) <gadek@debian.org>.
Information forwarded to debian-bugs-dist@lists.debian.org, Grzegorz Prokopski (Debian Developer) <gadek@debian.org>: Bug#213957; Package xshisen.
Acknowledgement sent to Steve Kemp <skx@debian.org>:
Extra info received and forwarded to list. Copy sent to Grzegorz Prokopski (Debian Developer) <gadek@debian.org>.
This is fixed in Sarge, Etch, and unstable.
Probably time to close it.
--
Steve
--
# The Debian Security Audit Project.
http://www.debian.org/security/audit
Reply sent to Steve Kemp <skx@debian.org>:
You have taken responsibility.
Notification sent to Steve Kemp <skx@debian.org>:
Bug acknowledged by developer.
Reply sent to zakame@spunge.org (Zak B. Elep):
You have taken responsibility.
Notification sent to Steve Kemp <skx@debian.org>:
Bug acknowledged by developer.
Source: xshisen
Source-Version: 1.51-1-2
We believe that the bug you reported is fixed in the latest version of
xshisen, which is due to be installed in the Debian FTP archive:
xshisen_1.51-1-2.diff.gz
to pool/main/x/xshisen/xshisen_1.51-1-2.diff.gz
xshisen_1.51-1-2.dsc
to pool/main/x/xshisen/xshisen_1.51-1-2.dsc
xshisen_1.51-1-2_i386.deb
to pool/main/x/xshisen/xshisen_1.51-1-2_i386.deb
xshisen_1.51-1.orig.tar.gz
to pool/main/x/xshisen/xshisen_1.51-1.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 213957@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Zak B. Elep <zakame@spunge.org> (supplier of updated xshisen package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 21 Feb 2006 22:35:26 +0800
Source: xshisen
Binary: xshisen
Architecture: source i386
Version: 1.51-1-2
Distribution: unstable
Urgency: high
Maintainer: Zak B. Elep <zakame@spunge.org>
Changed-By: Zak B. Elep <zakame@spunge.org>
Description:
xshisen - Shisen-sho puzzle game for X11
Closes: 213957 289784 291279 291613 292065 346854
Changes:
xshisen (1.51-1-2) unstable; urgency=low
.
* New maintainer (as agreed with former maintainer; see
http://lists.debian.org/debian-devel/2006/02/msg00007.html)
* Fix strange source packaging problem (Closes: #291279)
* debian/control:
- Changed build system to CDBS + debhelper.
- Bump Standards-Version.
- Bump debhelper Build-Depends to (>= 5) ; updated compat too.
- Slightly touch description; added homepage too.
* debian/patches:
- Added 10_oldfixes.patch . Must sort the various hunks out soon.
Acknowledging NMUs .
- Added 11_manpage_fixes.patch to properly format C and ja manpages.
- Added 20_autotools_update.patch .
* debian/rules:
- Remove extra Japanese manpages as suggested by Nicolas François.
Remove app-defaults for these extra locales too.
* debian/menu:
- Properly quote menu entry.
.
xshisen (1.51-1-1.3) unstable; urgency=low
.
* Non-maintainer upload to do xlibs-dev transition.
* Update debian/control to not build-depend on xlibs-dev anymore. (Closes:
#346854)
* Fix Makefile.in to reflect GNU make behaviour change regarding line
continuations and whitespace.
.
xshisen (1.51-1-1.2) unstable; urgency=HIGH
.
* NMU (at maintainer's request).
* Add NO_GLOBAL_HIGHSCORE define which crudely disables the support for
a global score file.
* Remove sgid bit. Closes: #291613, #292065
* Comment out code in postinst that set up /var/games/xshisen.scores,
but for now, do not delete that file on upgrade.
* Add README.Debian.
.
xshisen (1.51-1-1.1) unstable; urgency=HIGH
.
* NMU
* Fix buffer overflow in handling of GECOS field (CAN-2005-0117)
using patch from Ulf Harnhammar. Closes: #289784
.
xshisen (1.51-1-1) unstable; urgency=high
.
* Non-maintainer upload with consent from Grzegorz.
* Fix a locally exploitable buffer overflow allowing GID(games).
(Closes: #213957)
Files:
9bb81ea94342beafadfc0554cda517aa 660 games optional xshisen_1.51-1-2.dsc
5f0ef1d7811401876de717fd6771fe47 85350 games optional xshisen_1.51-1.orig.tar.gz
6f2400fcf46f8feecb2f25e2547e2951 79053 games optional xshisen_1.51-1-2.diff.gz
51737af066b25119295ba5c8317ee375 61262 games optional xshisen_1.51-1-2_i386.deb
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 26 Jun 2007 00:08:53 GMT)