Debian Bug report logs - #360989
Multiple buffer overflows in BSDgames 2.17-1 and privileges escalation vulnerability.

Package: bsdgames; Maintainer for bsdgames is Debian Games Team <pkg-games-devel@lists.alioth.debian.org>; Source for bsdgames is src:bsdgames.

Reported by: "Anibal L. Sacco" <Anibal.Sacco@gmail.com>

Date: Wed, 5 Apr 2006 20:48:04 UTC

Severity: normal

Tags: moreinfo, security

Found in version bsdgames/2.17-1

Fixed in version bsdgames/2.17-7

Done: Joey Hess <joeyh@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Joey Hess <joeyh@debian.org>:
Bug#360989; Package bsdgames.


Acknowledgement sent to "Anibal L. Sacco" <Anibal.Sacco@gmail.com>:
New Bug report received and forwarded. Copy sent to Joey Hess <joeyh@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: "Anibal L. Sacco" <Anibal.Sacco@gmail.com>
To: submit@bugs.debian.org
Subject: Multiple buffer overflows in BSDgames 2.17-1 and privileges escalation vulnerability.
Date: Wed, 05 Apr 2006 17:40:36 -0300
Package: BSDgames
Version: 2.17-1



The vulnerabilities are caused due to boundary errors when reading
the player's name in pl_main.c

code segment:
printf("Your name, Captain? ");
		fflush(stdout);
		fgets(captain, sizeof captain, stdin);
		if (!*captain)
			strcpy(captain, "no name");
		else
		    captain[strlen(captain) - 1] = '\0';
	}

Being captain initialized as: char captain[80].

There are some similar issues in Tetris, and Hack too.

This can be exploited by users to gain gid=games and then to cause a stack-based buffer overflow when
other users run the game, by modifying entries in a game file like scores in Tetris or Hack.

Successful exploitation allows the execution of arbitrary code with
the privileges of other users.

Well... English isn't my first language and I don't know if the bugs can be reported in Spanish, so I hope to be understandable.


Anibal L. Sacco




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#360989; Package bsdgames.


Acknowledgement sent to Joey Hess <joeyh@debian.org>:
Extra info received and forwarded to list.


Message #10 received at 360989@bugs.debian.org:

From: Joey Hess <joeyh@debian.org>
To: "Anibal L. Sacco" <Anibal.Sacco@gmail.com>, 360989@bugs.debian.org
Subject: Re: Bug#360989: Multiple buffer overflows in BSDgames 2.17-1 and privileges escalation vulnerability.
Date: Thu, 6 Apr 2006 18:58:47 -0400

Anibal L. Sacco wrote:
> The vulnerabilities are caused due to boundary errors when reading
> the player's name in pl_main.c
> 
> code segment:
> printf("Your name, Captain? ");
> 		fflush(stdout);
> 		fgets(captain, sizeof captain, stdin);
> 		if (!*captain)
> 			strcpy(captain, "no name");
> 		else
> 		    captain[strlen(captain) - 1] = '\0';
> 	}
> 
> Being captain initialized as: char captain[80].

sizeof(captain) is 80 so fgets reads in at most 79 characters. The trailing
NULL will be added as the 80th character which still seems to be within
the array size to me.

> There are some similar issues in Tetris, and Hack too.

Well feel free to provide the details of those issues.

-- 
see shy jo

Tags added: moreinfo Request was from Joey Hess <joeyh@debian.org> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#360989; Package bsdgames.


Acknowledgement sent to Joey Hess <joeyh@debian.org>:
Extra info received and forwarded to list.


Message #17 received at 360989@bugs.debian.org:

From: Joey Hess <joeyh@debian.org>
To: 360989@bugs.debian.org
Subject: FWD: Re: Bug#360989: Multiple buffer overflows in BSDgames 2.17-1 and privileges escalation vulnerability.
Date: Thu, 6 Apr 2006 19:48:10 -0400

----- Forwarded message from "Anibal L. Sacco" <Anibal.Sacco@gmail.com> -----

From: "Anibal L. Sacco" <Anibal.Sacco@gmail.com>
Date: Thu, 06 Apr 2006 20:18:44 -0300
To: Joey Hess <joeyh@debian.org>
Subject: Re: Bug#360989: Multiple buffer overflows in BSDgames 2.17-1 and
 privileges escalation vulnerability.
User-Agent: Mozilla Thunderbird 1.0.7 (Windows/20050923)

Joey Hess wrote:

>Anibal L. Sacco wrote:
> 
>
>>The vulnerabilities are caused due to boundary errors when reading
>>the player's name in pl_main.c
>>
>>code segment:
>>printf("Your name, Captain? ");
>>		fflush(stdout);
>>		fgets(captain, sizeof captain, stdin);
>>		if (!*captain)
>>			strcpy(captain, "no name");
>>		else
>>		    captain[strlen(captain) - 1] = '\0';
>>	}
>>
>>Being captain initialized as: char captain[80].
>>   
>>
>
>sizeof(captain) is 80 so fgets reads in at most 79 characters. The trailing
>NULL will be added as the 80th character which still seems to be within
>the array size to me.
>
> 
>
>>There are some similar issues in Tetris, and Hack too.
>>   
>>
>
>Well feel free to provide the details of those issues.
>
> 
>
My mistake... this is the vulnerable code.
char buf[10];
printf("\nInitial broadside %s (grape, chain, round, double): ", n ? "right" : "left");
fflush(stdout);
scanf("%s", buf);


Cheers


----- End forwarded message -----

-- 
see shy jo

Tags added: security Request was from Joey Hess <joeyh@debian.org> to control@bugs.debian.org.


Reply sent to Joey Hess <joeyh@debian.org>:
You have taken responsibility.


Notification sent to "Anibal L. Sacco" <Anibal.Sacco@gmail.com>:
Bug acknowledged by developer.


Message #24 received at 360989-close@bugs.debian.org:

From: Joey Hess <joeyh@debian.org>
To: 360989-close@bugs.debian.org
Subject: Bug#360989: fixed in bsdgames 2.17-7
Date: Thu, 06 Apr 2006 17:32:07 -0700
Source: bsdgames
Source-Version: 2.17-7

We believe that the bug you reported is fixed in the latest version of
bsdgames, which is due to be installed in the Debian FTP archive:

bsdgames_2.17-7.diff.gz
  to pool/main/b/bsdgames/bsdgames_2.17-7.diff.gz
bsdgames_2.17-7.dsc
  to pool/main/b/bsdgames/bsdgames_2.17-7.dsc
bsdgames_2.17-7_i386.deb
  to pool/main/b/bsdgames/bsdgames_2.17-7_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 360989@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Joey Hess <joeyh@debian.org> (supplier of updated bsdgames package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu,  6 Apr 2006 19:59:35 -0400
Source: bsdgames
Binary: bsdgames
Architecture: source i386
Version: 2.17-7
Distribution: unstable
Urgency: medium
Maintainer: Joey Hess <joeyh@debian.org>
Changed-By: Joey Hess <joeyh@debian.org>
Description: 
 bsdgames   - a collection of classic textual unix games
Closes: 360989
Changes: 
 bsdgames (2.17-7) unstable; urgency=medium
 .
   * sail: Fix a scanf buffer overrun in initial broadside prompt code,
     possibly exploitable. Closes: #360989
   * dm: Fix some other, non exploitable scanf buffer overruns.
Files: 
 79ed72ad15b3dd07d1e07e44e87c6902 629 games optional bsdgames_2.17-7.dsc
 24561d4326d22ae9fce0778db548db45 12530 games optional bsdgames_2.17-7.diff.gz
 c95399c956ec1ae6ef35ec06af3f06c0 967056 games optional bsdgames_2.17-7_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFENa7W2tp5zXiKP0wRAky4AJ9IuY/S3a5p0fD4O7NPArrifB4wKACgnPry
BvSC/g5Xcy2cifbkjhrcpjI=
=FFbV
-----END PGP SIGNATURE-----
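
The overrun reported above comes from `scanf("%s", buf)` writing an unbounded token into `char buf[10]`. One bounded way to read the same answer follows, as an added example that is neither the bsdgames source nor the patch shipped in 2.17-7. The names `parse_load`, `LOAD_TOO_LONG` and `LOAD_INVALID` are hypothetical, and matching the full words from the prompt is an assumption about how the answer is validated.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 10  /* same size as the char buf[10] quoted in the report */

/* Result codes; names are hypothetical, chosen for this example. */
enum { LOAD_INVALID = -2, LOAD_TOO_LONG = -1 };

/* Choices listed in the prompt text quoted in the report. */
static const char *const loads[] = { "grape", "chain", "round", "double" };

/*
 * Parse one input line (obtained with a bounded read such as fgets).
 * Returns the index into loads[] on success, LOAD_TOO_LONG if the token
 * does not fit in BUF_SIZE bytes, or LOAD_INVALID for an empty or
 * unknown answer. buf is always NUL-terminated and never overrun.
 */
int parse_load(const char *line, char buf[BUF_SIZE])
{
    int used = 0;
    size_t i;

    buf[0] = '\0';
    /* Width 9 = BUF_SIZE - 1: %s appends the terminating NUL itself. */
    if (sscanf(line, "%9s%n", buf, &used) != 1)
        return LOAD_INVALID;
    /* A non-space character right after the stored part means truncation. */
    if (line[used] != '\0' && !isspace((unsigned char)line[used]))
        return LOAD_TOO_LONG;
    for (i = 0; i < sizeof loads / sizeof loads[0]; i++)
        if (strcmp(buf, loads[i]) == 0)
            return (int)i;
    return LOAD_INVALID;
}

int main(void)
{
    /* Constructed inputs: a valid answer, an over-long one, an empty line. */
    const char *samples[] = { "chain\n", "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n", "\n" };
    char buf[BUF_SIZE];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%d \"%s\"\n", parse_load(samples[i], buf), buf);
    return 0;
}
```

Rejecting the over-long token instead of silently truncating it keeps a 9-byte prefix from being accepted as a different answer than the one typed.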




Information forwarded to debian-bugs-dist@lists.debian.org, Joey Hess <joeyh@debian.org>:
Bug#360989; Package bsdgames.


Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Joey Hess <joeyh@debian.org>.


Message #29 received at 360989@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: 360989@bugs.debian.org
Subject: Re: Bug#360989: Multiple buffer overflows in BSDgames 2.17-1 and privileges escalation vulnerability.
Date: Mon, 24 Apr 2006 18:02:03 +0200

CVE-2006-1744 has been assigned to this.

Regards,

	Joey

-- 
Long noun chains don't automatically imply security.  -- Bruce Schneier

Please always Cc to me when replying to me on the lists.



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 27 Jun 2007 01:51:11 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 13:26:34 2025; Machine Name: bembo
