Debian Bug report logs - #290822
billard-gl: buffer overflows in $HOME and conf-file


Package: billard-gl; Maintainer for billard-gl is Debian Games Team <pkg-games-devel@lists.alioth.debian.org>; Source for billard-gl is src:billard-gl (PTS, buildd, popcon).

Reported by: Ulf Härnhammar <Ulf.Harnhammar.9485@student.uu.se>

Date: Mon, 17 Jan 2005 00:03:01 UTC

Severity: normal

Tags: patch

Found in version 1.75-6

Fixed in version billard-gl/1.75-7

Done: Thierry Reding <thierry@doppeltgemoppelt.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#290822; Package billard-gl.


Acknowledgement sent to Ulf Härnhammar <Ulf.Harnhammar.9485@student.uu.se>:
New Bug report received and forwarded. Copy sent to Debian QA Group <packages@qa.debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Ulf Härnhammar <Ulf.Harnhammar.9485@student.uu.se>
To: submit@bugs.debian.org
Subject: billard-gl: buffer overflows in $HOME and conf-file
Date: Mon, 17 Jan 2005 00:55:54 +0100
Subject: billard-gl: buffer overflows in $HOME and conf-file
Package: billard-gl
Version: 1.75-6
Severity: normal
Tags: patch

Hello,

I have found two types of buffer overflows in billard-gl.

One occurs when the HOME environment variable has a value of about 80
bytes. The other occurs when the ~/.BillardGL.conf.v7 file has very long
lines.

The overflows would be exploitable security problems if billard-gl was
setuid or setgid something. It isn't, but I think this type of bug should
be fixed anyway to avoid irritating crashes.

I have attached a patch, as well as a ~/.BillardGL.conf.v7 file that
exhibits the second problem. (To test the first problem, just do a:
HOME=`perl -e 'print "U" x 80;'` billard-gl)

The patch also changes the size of two char arrays from 40 to 512. The arrays
contain the value of $HOME plus "/.BillardGL.conf.v7", so I thought that 40
bytes might not be enough.

// Ulf Harnhammar

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-1-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages billard-gl depends on:
ii  freeglut3 [libglut3]     2.2.0-8         OpenGL Utility Toolkit
ii  libc6                    2.3.2.ds1-20    GNU C Library: Shared libraries an
ii  libgcc1                  1:3.4.3-6       GCC support library
ii  libglut3                 3.7-25          the OpenGL Utility Toolkit
ii  libstdc++5               1:3.3.5-5       The GNU Standard C++ Library v3
ii  libx11-6                 4.3.0.dfsg.1-10 X Window System protocol client li
ii  libxext6                 4.3.0.dfsg.1-10 X Window System miscellaneous exte
ii  libxi6                   4.3.0.dfsg.1-10 X Window System Input extension li
ii  libxmu6                  4.3.0.dfsg.1-10 X Window System miscellaneous util
ii  xlibmesa-gl [libgl1]     4.3.0.dfsg.1-10 Mesa 3D graphics library [XFree86]
ii  xlibmesa-glu [libglu1]   4.3.0.dfsg.1-10 Mesa OpenGL utility library [XFree
ii  xlibs                    4.3.0.dfsg.1-10 X Keyboard Extension (XKB) configu

-- no debconf information

[billard-gl.bufoflows.patch (text/x-patch, attachment)]
[.BillardGL.conf.v7 (application/octet-stream, attachment)]
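The two defects described in the report (a fixed-size array receiving `$HOME` plus the config-file suffix, and a line reader with no bound on line length) are both instances of copying attacker- or user-controlled input into a fixed buffer without a length check. The C below is an added illustration of the hardened shape of both operations; it is not the reporter's patch and not billard-gl's source. The only figures taken from the report are the 40-byte and 512-byte array sizes and the 80-byte `$HOME`; `CONF_LINE_MAX`, the sample config contents and every function name are assumptions made here for the example.

```c
#include <stdio.h>
#include <string.h>

#define CONF_SUFFIX   "/.BillardGL.conf.v7"
#define CONF_PATH_MAX 512   /* the report's patch grows the path arrays from 40 to 512 */
#define CONF_LINE_MAX 256   /* assumed per-line limit; the report gives no figure */

/*
 * Shape of the reported bug (reconstructed here, not the game's real code):
 *
 *     char path[40];
 *     strcpy(path, getenv("HOME"));
 *     strcat(path, "/.BillardGL.conf.v7");
 *
 * CONF_SUFFIX is 19 bytes, so any $HOME longer than 20 bytes already runs
 * past a 40-byte array. Growing the array to 512 covers the 80-byte case in
 * the report, but only a length check makes the code safe for any $HOME.
 */

/* Build "$HOME/.BillardGL.conf.v7" into out[outlen]. Returns the path length,
 * or -1 when it would not fit: neither truncation nor overflow. */
int build_conf_path(const char *home, char *out, size_t outlen)
{
    if (home == NULL || out == NULL || outlen == 0)
        return -1;
    int n = snprintf(out, outlen, "%s%s", home, CONF_SUFFIX);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';          /* refuse rather than use a truncated path */
        return -1;
    }
    return n;
}

/* A $HOME of home_len 'U's, as the report's perl one-liner produces, built
 * into a path buffer of outlen bytes. */
int conf_path_len_for_home_of(size_t home_len, size_t outlen)
{
    char home[CONF_PATH_MAX], out[CONF_PATH_MAX];
    if (home_len >= sizeof home || outlen > sizeof out)
        return -1;
    memset(home, 'U', home_len);
    home[home_len] = '\0';
    return build_conf_path(home, out, outlen);
}

/* Read one line without ever writing past buf[buflen - 1]. If a line is longer
 * than the buffer, its remainder is discarded so the next call starts on a
 * fresh line instead of treating the tail as a new record.
 * Returns 1 for a complete line, 2 for a line that had to be cut, 0 at EOF. */
int read_conf_line(FILE *fp, char *buf, size_t buflen)
{
    if (buflen < 2 || fgets(buf, (int)buflen, fp) == NULL)
        return 0;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 1;
    }
    int c, cut = 0;             /* no newline: EOF, or the line did not fit */
    while ((c = fgetc(fp)) != EOF && c != '\n')
        cut = 1;
    return cut ? 2 : 1;
}

/* Parse config text with a line buffer of buflen bytes; returns the number of
 * lines seen and stores how many exceeded the buffer in *cut_lines. */
int count_conf_lines(const char *content, size_t buflen, int *cut_lines)
{
    char line[CONF_LINE_MAX];
    if (buflen > sizeof line)
        buflen = sizeof line;
    FILE *fp = tmpfile();
    if (fp == NULL)
        return -1;
    fputs(content, fp);
    rewind(fp);
    int lines = 0, cut = 0, rc;
    while ((rc = read_conf_line(fp, line, buflen)) != 0) {
        lines++;
        if (rc == 2)
            cut++;
    }
    fclose(fp);
    if (cut_lines != NULL)
        *cut_lines = cut;
    return lines;
}

/* Constructed sample config (not the reporter's attachment): three short
 * lines, one 105-byte line, and no trailing newline on the last line. */
static int build_sample_conf(char *dst, size_t dstlen)
{
    const char *head = "Resolution=640x480\nFullscreen=0\nName=";
    const char *tail = "\nMute=1";
    size_t n = strlen(head);
    if (dstlen < n + 100 + strlen(tail) + 1)
        return -1;
    memcpy(dst, head, n);
    memset(dst + n, 'U', 100);
    n += 100;
    memcpy(dst + n, tail, strlen(tail) + 1);   /* copies the NUL too */
    return (int)(n + strlen(tail));
}

int sample_conf_line_count(size_t buflen)
{
    char conf[CONF_PATH_MAX];
    if (build_sample_conf(conf, sizeof conf) < 0)
        return -1;
    return count_conf_lines(conf, buflen, NULL);
}

int sample_conf_cut_lines(size_t buflen)
{
    char conf[CONF_PATH_MAX];
    int cut = 0;
    if (build_sample_conf(conf, sizeof conf) < 0 ||
        count_conf_lines(conf, buflen, &cut) < 0)
        return -1;
    return cut;
}

int main(void)
{
    printf("80-byte HOME into 40 bytes: %d, into 512 bytes: %d\n",
           conf_path_len_for_home_of(80, 40), conf_path_len_for_home_of(80, 512));
    printf("sample config, 64-byte line buffer: %d lines, %d cut\n",
           sample_conf_line_count(64), sample_conf_cut_lines(64));
    return 0;
}
```

With a 40-byte path buffer the 80-byte `$HOME` is refused rather than overflowing, and with the patch's 512 bytes it yields a 99-byte path; the long config line is read into a 64-byte buffer without running past it and is reported as cut, while the other three lines parse normally. Refusing a path that does not fit (instead of silently truncating it) is the safer choice here, because a truncated path would quietly point the program at a different file.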

Reply sent to Thierry Reding <thierry@doppeltgemoppelt.de>:
You have taken responsibility.


Notification sent to Ulf Härnhammar <Ulf.Harnhammar.9485@student.uu.se>:
Bug acknowledged by developer.


Message #10 received at 290822-close@bugs.debian.org:

From: Thierry Reding <thierry@doppeltgemoppelt.de>
To: 290822-close@bugs.debian.org
Subject: Bug#290822: fixed in billard-gl 1.75-7
Date: Thu, 03 Feb 2005 17:18:47 -0500
Source: billard-gl
Source-Version: 1.75-7

We believe that the bug you reported is fixed in the latest version of
billard-gl, which is due to be installed in the Debian FTP archive:

billard-gl-data_1.75-7_all.deb
  to pool/main/b/billard-gl/billard-gl-data_1.75-7_all.deb
billard-gl_1.75-7.diff.gz
  to pool/main/b/billard-gl/billard-gl_1.75-7.diff.gz
billard-gl_1.75-7.dsc
  to pool/main/b/billard-gl/billard-gl_1.75-7.dsc
billard-gl_1.75-7_i386.deb
  to pool/main/b/billard-gl/billard-gl_1.75-7_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 290822@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thierry Reding <thierry@doppeltgemoppelt.de> (supplier of updated billard-gl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 31 Jan 2005 03:57:08 +0100
Source: billard-gl
Binary: billard-gl billard-gl-data
Architecture: source i386 all
Version: 1.75-7
Distribution: unstable
Urgency: low
Maintainer: Thierry Reding <thierry@doppeltgemoppelt.de>
Changed-By: Thierry Reding <thierry@doppeltgemoppelt.de>
Description: 
 billard-gl - 3D billiards game
 billard-gl-data - 3D billards game - data files
Closes: 173197 236582 284855 290822
Changes: 
 billard-gl (1.75-7) unstable; urgency=low
 .
   * New maintainer. (Closes: #236582)
   * Added patch by Ulf Harnhammar. (Closes: #290822)
   * By default, start in windowed mode at a resolution of 640x480.
     Closes: #284855
     Closes: #173197
   * Updated the billard-gl(6) manpage and the watchfile.
   * Fixed lintian warnings about the menu file.
   * Migrated the data files from /usr/share/billard-gl to
     /usr/share/games/billard-gl (as recommended by FHS 4.7).
   * Previous patches to the upstream source extracted into
     debian/patches.
   * Data split from the binary. Added the billard-gl-data package.
   * Upstream makefile now accepts CFLAGS from debian/rules.
Files: 
 40c619b6f3437e9405c1008a501035a3 730 games optional billard-gl_1.75-7.dsc
 842b9fe7cd5ded837768a94b9cdbfc9b 6398 games optional billard-gl_1.75-7.diff.gz
 79efd32601b10d9d1050154a32887326 549202 games optional billard-gl-data_1.75-7_all.deb
 3e183f6f958880b5ee6beee50e23ff3f 80614 games optional billard-gl_1.75-7_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFB/qbOhQui3hP+/EARAkiZAKDKrNEEjcCHjqlKlwklQ+GjSqrk3ACfW+RJ
ohBtUELCIG26Y32punGfsoY=
=QVt1
-----END PGP SIGNATURE-----


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jul 2 15:15:09 2023; Machine Name: bembo