Debian Bug report logs - #289784
xshisen: buffer overflow when handling GECOS field


Package: xshisen; Maintainer for xshisen is Zak B. Elep <zakame@zakame.net>; Source for xshisen is src:xshisen.

Reported by: "Ulf Harnhammar" <metaur@operamail.com>

Date: Tue, 11 Jan 2005 00:33:02 UTC

Severity: important

Tags: fixed, patch, security

Found in version 1.51-1-1

Fixed in version xshisen/1.51-1-2

Done: zakame@spunge.org (Zak B. Elep)

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Grzegorz Prokopski (Debian Developer) <gadek@debian.org>:
Bug#289784; Package xshisen.

Acknowledgement sent to "Ulf Harnhammar" <metaur@operamail.com>:
New Bug report received and forwarded. Copy sent to Grzegorz Prokopski (Debian Developer) <gadek@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: "Ulf Harnhammar" <metaur@operamail.com>
To: submit@bugs.debian.org
Cc: masaoki@techfirm.co.jp, naddy@mips.inka.de
Subject: xshisen: buffer overflow when handling GECOS field
Date: Tue, 11 Jan 2005 01:18:00 +0100
Subject: xshisen: buffer overflow when handling GECOS field
Package: xshisen
Version: 1.51-1-1
Severity: important
Tags: security patch

Hello,

I have found a buffer overflow in xshisen. It copies data from a user's GECOS field in
/etc/passwd to a char array. In the rather unlikely event where that GECOS field is
about 160 bytes long, the char array is overflowed which can be used to get a shell with
gid games. I have attached a patch that fixes this problem.

Here is a line from my /etc/passwd file (after wrapping it) that causes this bug:

metaur:x:1000:1000:UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUU,,,:/home/metaur:/bin/bash

I have Cc'ed the upstream developer and Naddy who's involved with FreeBSD's Ports
Collection. They might also want to check out some earlier buffer overflows in xshisen
that Steve Kemp found in 2003:  http://bugs.debian.org/213957

// Ulf Harnhammar for the Debian Security Audit Project
   http://www.debian.org/security/audit/

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-1-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages xshisen depends on:
ii  libc6                    2.3.2.ds1-20    GNU C Library: Shared libraries an
ii  libgcc1                  1:3.4.3-6       GCC support library
ii  libstdc++5               1:3.3.5-5       The GNU Standard C++ Library v3
ii  libxaw7                  4.3.0.dfsg.1-10 X Athena widget set library
ii  xlibs                    4.3.0.dfsg.1-10 X Keyboard Extension (XKB) configu

-- no debconf information


[xshisen.bufoflow.patch (application/octet-stream, attachment)]
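Illustrative C added here by the editor (not xshisen's source, and not the attached patch, whose contents are not reproduced on this page): the unbounded copy of pw_gecos into a fixed array that the report describes, next to a bounded copy and a first-field extractor that always NUL-terminate and report truncation. The 128-byte array, the function names and the 165-'U' test field are assumptions modelled on the report; only the bounded versions are ever called, because calling the unbounded one with a long field is undefined behaviour.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumed array size for illustration: the report says only that a GECOS
 * field of about 160 bytes overflows the destination, so 128 is a guess. */
#define NAME_BUF 128

/* The pattern the report describes (not xshisen's actual code): a fixed
 * array receives pw_gecos with no length check. Not called below, because
 * calling it with a long field is undefined behaviour. */
void copy_gecos_unbounded(char *dst, const char *gecos)
{
    strcpy(dst, gecos);  /* writes past dst once strlen(gecos) >= NAME_BUF */
}

/* Bounded replacement: copies at most dstsz-1 bytes, always NUL-terminates,
 * returns 1 if the input was truncated, 0 if not, -1 for a zero-size buffer. */
static int copy_gecos_bounded(char *dst, size_t dstsz, const char *gecos)
{
    size_t n = strlen(gecos);
    if (dstsz == 0)
        return -1;
    if (n >= dstsz) {
        memcpy(dst, gecos, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return 1;
    }
    memcpy(dst, gecos, n + 1);
    return 0;
}

/* GECOS is conventionally "Full Name,Room,Work Phone,Home Phone"; a program
 * wanting the user's name needs only the first field. Stops at the first
 * comma or at the buffer bound, whichever comes first; returns 1 if truncated. */
static int gecos_full_name(char *dst, size_t dstsz, const char *gecos)
{
    size_t i = 0;
    if (dstsz == 0)
        return -1;
    while (gecos[i] != '\0' && gecos[i] != ',' && i < dstsz - 1) {
        dst[i] = gecos[i];
        i++;
    }
    dst[i] = '\0';
    return (gecos[i] != '\0' && gecos[i] != ',') ? 1 : 0;
}

/* Constructed input modelled on the passwd line quoted in the report: 165
 * 'U' characters followed by ",,,". No real account is consulted. */
static void build_long_gecos(char *out, size_t outsz)
{
    size_t i, n = 165;
    if (n > outsz - 4)
        n = outsz - 4;
    for (i = 0; i < n; i++)
        out[i] = 'U';
    memcpy(out + n, ",,,", 4);
}

/* Bounded copy of the 168-byte constructed field into NAME_BUF bytes: returns
 * the resulting string length if truncation was reported, -1 otherwise. */
static int demo_bounded_copy(void)
{
    char gecos[256], name[NAME_BUF];
    build_long_gecos(gecos, sizeof gecos);
    if (strlen(gecos) != 168 || copy_gecos_bounded(name, sizeof name, gecos) != 1)
        return -1;
    return (int)strlen(name);
}

/* First-field extraction on a well-formed GECOS: 1 if the name came back
 * intact and untruncated, 0 otherwise. */
static int demo_full_name(void)
{
    char name[NAME_BUF];
    if (gecos_full_name(name, sizeof name, "Ulf Harnhammar,Room 1,555,555") != 0)
        return 0;
    return strcmp(name, "Ulf Harnhammar") == 0;
}

int main(void)
{
    char name[NAME_BUF];
    struct passwd *pw = getpwuid(getuid());  /* the caller's own entry */

    printf("bounded copy of the constructed field keeps %d bytes\n",
           demo_bounded_copy());
    if (pw != NULL && pw->pw_gecos != NULL) {
        int t = gecos_full_name(name, sizeof name, pw->pw_gecos);
        printf("your full name: \"%s\"%s\n", name, t ? " (truncated)" : "");
    }
    return 0;
}
```

Compile with cc -Wall and run it as an ordinary user; the last line reads the caller's own entry through getpwuid(3), which is how a program like this would normally obtain the field. Whatever the attached patch actually used (strncpy, snprintf or an explicit length check), the property to verify is the same: no write past the array and a NUL terminator on every path, including the zero-length destination.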

Information forwarded to debian-bugs-dist@lists.debian.org, Grzegorz Prokopski (Debian Developer) <gadek@debian.org>:
Bug#289784; Package xshisen.

Acknowledgement sent to Ulf Härnhammar <Ulf.Harnhammar.9485@student.uu.se>:
Extra info received and forwarded to list. Copy sent to Grzegorz Prokopski (Debian Developer) <gadek@debian.org>.

Message #10 received at 289784@bugs.debian.org:

From: Ulf Härnhammar <Ulf.Harnhammar.9485@student.uu.se>
To: Steve Kemp <steve@shellcode.org>
Cc: debian-audit@shellcode.org, 289784@bugs.debian.org
Subject: Re: [Debian-audit] xshisen (again)
Date: Wed, 12 Jan 2005 17:29:12 +0100
Quoting Steve Kemp <steve@shellcode.org>:

> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=289784
> 
>   That's an .. unlikely .. bug to occur in practise.  I guess only
>  root can modify the GECOS field.

No, you can use the chfn command to change all data in your own GECOS field
except your real name. The command checks the length of all data, so you
probably can't use it for this attack (it might be possible to enter the
maximum amount in each field and make it reach 160 bytes that way). There are
other systems that will let you edit your GECOS field, like webmin (I think)
and more.

It's not a really serious bug, but IMHO worth fixing.

-- 
Ulf Harnhammar
http://www.advogato.org/person/metaur/

Information forwarded to debian-bugs-dist@lists.debian.org, Grzegorz Prokopski (Debian Developer) <gadek@debian.org>:
Bug#289784; Package xshisen.

Acknowledgement sent to "Grzegorz B. Prokopski" <gadek@debian.org>:
Extra info received and forwarded to list. Copy sent to Grzegorz Prokopski (Debian Developer) <gadek@debian.org>.

Message #15 received at 289784@bugs.debian.org:

From: "Grzegorz B. Prokopski" <gadek@debian.org>
To: Ulf Härnhammar <Ulf.Harnhammar.9485@student.uu.se>, 289784@bugs.debian.org
Cc: Steve Kemp <steve@shellcode.org>, debian-audit@shellcode.org
Subject: Re: Bug#289784: [Debian-audit] xshisen (again)
Date: Wed, 12 Jan 2005 14:00:46 -0500
On Wed, 2005-01-12 at 17:29 +0100, Ulf Härnhammar wrote:
> Quoting Steve Kemp <steve@shellcode.org>:
> 
> > > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=289784
> > 
> >   That's an .. unlikely .. bug to occur in practise.  I guess only
> >  root can modify the GECOS field.
> 
> No, you can use the chfn command to change all data in your own GECOS field
> except your real name. The command checks the length of all data, so you
> probably can't use it for this attack (it might be possible to enter the
> maximum amount in each field and make it reach 160 bytes that way). There are
> other systems that will let you edit your GECOS field, like webmin (I think)
> and more.
> 
> It's not a really serious bug, but IMHO worth fixing.

I do not have my new GPG key signed yet (sigh) so I am in no position to
perform an upload.  Could somebody please apply the fix and NMU?

Thanks,

				Grzegorz B. Prokopski

Information forwarded to debian-bugs-dist@lists.debian.org, Grzegorz Prokopski (Debian Developer) <gadek@debian.org>:
Bug#289784; Package xshisen.

Acknowledgement sent to Steve Kemp <steve@shellcode.org>:
Extra info received and forwarded to list. Copy sent to Grzegorz Prokopski (Debian Developer) <gadek@debian.org>.

Message #20 received at 289784@bugs.debian.org:

From: Steve Kemp <steve@shellcode.org>
To: "Grzegorz B. Prokopski" <gadek@debian.org>
Cc: Ulf Härnhammar <Ulf.Harnhammar.9485@student.uu.se>, 289784@bugs.debian.org, Steve Kemp <steve@shellcode.org>, debian-audit@shellcode.org
Subject: Re: Bug#289784: [Debian-audit] xshisen (again)
Date: Wed, 12 Jan 2005 19:02:20 +0000
On Wed, Jan 12, 2005 at 02:00:46PM -0500, Grzegorz B. Prokopski wrote:

> > >   That's an .. unlikely .. bug to occur in practise.  I guess only
> > >  root can modify the GECOS field.
> > 
> > No, you can use the chfn command to change all data in your own GECOS field
> > except your real name. The command checks the length of all data, so you
> > probably can't use it for this attack (it might be possible to enter the
> > maximum amount in each field and make it reach 160 bytes that way). There are
> > other systems that will let you edit your GECOS field, like webmin (I think)
> > and more.
> > 
> > It's not a really serious bug, but IMHO worth fixing.
> 
> I do not have my new GPG key signed yet (sigh) so I am in no position to
> perform an upload.  Could somebody please apply the fix and NMU?

  I will do so tomorrow if nobody else beats me to it.

Steve
--
Information forwarded to debian-bugs-dist@lists.debian.org, Grzegorz Prokopski (Debian Developer) <gadek@debian.org>:
Bug#289784; Package xshisen.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Grzegorz Prokopski (Debian Developer) <gadek@debian.org>.

Message #25 received at 289784@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: 289784@bugs.debian.org
Subject: CAN-2005-0117 assigned to xshisen GECOS overflow
Date: Wed, 19 Jan 2005 09:12:54 +0100
======================================================
Candidate: CAN-2005-0117
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0117
Reference: MISC:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=289784
Reference: CONFIRM:http://www.vuxml.org/freebsd/56971fa6-641c-11d9-a097-000854d03344.html

Buffer overflow in xshisen before 1.36 allows local users to execute
arbitrary code via a long GECOS field.

Please use this id in the changelog when you fix the problem.

Regards,

	Joey

-- 
Ten years and still binary compatible.  -- XFree86

Please always Cc to me when replying to me on the lists.

Tags added: fixed. Request was from Joey Hess <joeyh@debian.org> to control@bugs.debian.org.

Reply sent to zakame@spunge.org (Zak B. Elep):
You have taken responsibility.

Notification sent to "Ulf Harnhammar" <metaur@operamail.com>:
Bug acknowledged by developer.

Message #32 received at 289784-close@bugs.debian.org:

From: zakame@spunge.org (Zak B. Elep)
To: 289784-close@bugs.debian.org
Subject: Bug#289784: fixed in xshisen 1.51-1-2
Date: Tue, 21 Feb 2006 07:17:10 -0800
Source: xshisen
Source-Version: 1.51-1-2

We believe that the bug you reported is fixed in the latest version of
xshisen, which is due to be installed in the Debian FTP archive:

xshisen_1.51-1-2.diff.gz
  to pool/main/x/xshisen/xshisen_1.51-1-2.diff.gz
xshisen_1.51-1-2.dsc
  to pool/main/x/xshisen/xshisen_1.51-1-2.dsc
xshisen_1.51-1-2_i386.deb
  to pool/main/x/xshisen/xshisen_1.51-1-2_i386.deb
xshisen_1.51-1.orig.tar.gz
  to pool/main/x/xshisen/xshisen_1.51-1.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 289784@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Zak B. Elep <zakame@spunge.org> (supplier of updated xshisen package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 21 Feb 2006 22:35:26 +0800
Source: xshisen
Binary: xshisen
Architecture: source i386
Version: 1.51-1-2
Distribution: unstable
Urgency: high
Maintainer: Zak B. Elep <zakame@spunge.org>
Changed-By: Zak B. Elep <zakame@spunge.org>
Description: 
 xshisen    - Shisen-sho puzzle game for X11
Closes: 213957 289784 291279 291613 292065 346854
Changes: 
 xshisen (1.51-1-2) unstable; urgency=low
 .
   * New maintainer (as agreed with former maintainer; see
     http://lists.debian.org/debian-devel/2006/02/msg00007.html)
   * Fix strange source packaging problem (Closes: #291279)
   * debian/control:
     - Changed build system to CDBS + debhelper.
     - Bump Standards-Version.
     - Bump debhelper Build-Depends to (>= 5) ; updated compat too.
     - Slightly touch description; added homepage too.
   * debian/patches:
     - Added 10_oldfixes.patch .  Must sort the various hunks out soon.
       Acknowledging NMUs .
     - Added 11_manpage_fixes.patch to properly format C and ja manpages.
     - Added 20_autotools_update.patch .
   * debian/rules:
     - Remove extra Japanese manpages as suggested by Nicolas François.
       Remove app-defaults for these extra locales too.
   * debian/menu:
     - Properly quote menu entry.
 .
 xshisen (1.51-1-1.3) unstable; urgency=low
 .
   * Non-maintainer upload to do xlibs-dev transition.
   * Update debian/control to not build-depend on xlibs-dev anymore. (Closes:
     #346854)
   * Fix Makefile.in to reflect GNU make behaviour change regarding line
     continuations and whitespace.
 .
 xshisen (1.51-1-1.2) unstable; urgency=HIGH
 .
   * NMU (at maintainer's request).
   * Add NO_GLOBAL_HIGHSCORE define which crudely disables the support for
     a global score file.
   * Remove sgid bit. Closes: #291613, #292065
   * Comment out code in postinst that set up /var/games/xshisen.scores,
     but for now, do not delete that file on upgrade.
   * Add README.Debian.
 .
 xshisen (1.51-1-1.1) unstable; urgency=HIGH
 .
   * NMU
   * Fix buffer overflow in handling of GECOS field (CAN-2005-0117)
     using patch from Ulf Harnhammar. Closes: #289784
 .
 xshisen (1.51-1-1) unstable; urgency=high
 .
   * Non-maintainer upload with consent from Grzegorz.
   * Fix a locally exploitable buffer overflow allowing GID(games).
     (Closes: #213957)
Files: 
 9bb81ea94342beafadfc0554cda517aa 660 games optional xshisen_1.51-1-2.dsc
 5f0ef1d7811401876de717fd6771fe47 85350 games optional xshisen_1.51-1.orig.tar.gz
 6f2400fcf46f8feecb2f25e2547e2951 79053 games optional xshisen_1.51-1-2.diff.gz
 51737af066b25119295ba5c8317ee375 61262 games optional xshisen_1.51-1-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFD+yumlAuUx1tI/64RAgQpAJ4+6/S5G1rOUtHbGbu6d3/BoGL1ewCfdXuT
oXQMYfMT/5MqMDvqwd6rfHM=
=mJ0A
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 20:31:52 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 10:45:51 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.