Acknowledgement sent to "Anibal L. Sacco" <Anibal.Sacco@gmail.com>:
New Bug report received and forwarded. Copy sent to Joey Hess <joeyh@debian.org>.
Subject: Multiple buffer overflows in BSDgames 2.17-1 and privileges escalation
vulnerability.
Date: Wed, 05 Apr 2006 17:40:36 -0300
Package: BSDgames
Version: 2.17-1
The vulnerabilities are caused due to boundary errors when reading
the player's name in pl_main.c
code segment:
    printf("Your name, Captain? ");
    fflush(stdout);
    fgets(captain, sizeof captain, stdin);
    if (!*captain)
        strcpy(captain, "no name");
    else
        captain[strlen(captain) - 1] = '\0';
    }
Being captain initialized as: char captain[80].
There are some similar issues in Tetris, and Hack too.
This can be exploited by users to gain gid=games and then to cause a stack-based buffer overflow when
other users run the game, by modifying entries in a game file like scores in Tetris or Hack.
Successful exploitation allows the execution of arbitrary code with
the privileges of other users.
Well... English isn't my first language and I don't know if the bugs can be reported in Spanish so I hope to be understandable
Anibal L. Sacco
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#360989; Package bsdgames.
Acknowledgement sent to Joey Hess <joeyh@debian.org>:
Extra info received and forwarded to list.
Anibal L. Sacco wrote:
> The vulnerabilities are caused due to boundary errors when reading
> the player's name in pl_main.c
>
> code segment:
> printf("Your name, Captain? ");
> fflush(stdout);
> fgets(captain, sizeof captain, stdin);
> if (!*captain)
> strcpy(captain, "no name");
> else
> captain[strlen(captain) - 1] = '\0';
> }
>
> Being captain initialized as: char captain[80].
sizeof(captain) is 80 so fgets reads in at most 79 characters. The trailing
NULL will be added as the 80th character which still seems to be within
the array size to me.
> There is some similar issues in Tetris, and Hack too.
Well feel free to provide the details of those issues.
--
see shy jo
----- Forwarded message from "Anibal L. Sacco" <Anibal.Sacco@gmail.com> -----
From: "Anibal L. Sacco" <Anibal.Sacco@gmail.com>
Date: Thu, 06 Apr 2006 20:18:44 -0300
To: Joey Hess <joeyh@debian.org>
Subject: Re: Bug#360989: Multiple buffer overflows in BSDgames 2.17-1 and
privileges escalation vulnerability.
User-Agent: Mozilla Thunderbird 1.0.7 (Windows/20050923)
Joey Hess wrote:
>Anibal L. Sacco wrote:
>
>
>>The vulnerabilities are caused due to boundary errors when reading
>>the player's name in pl_main.c
>>
>>code segment:
>>printf("Your name, Captain? ");
>> fflush(stdout);
>> fgets(captain, sizeof captain, stdin);
>> if (!*captain)
>> strcpy(captain, "no name");
>> else
>> captain[strlen(captain) - 1] = '\0';
>> }
>>
>>Being captain initialized as: char captain[80].
>>
>>
>
>sizeof(captain) is 80 so fgets reads in at most 79 characters. The trailing
>NULL will be added as the 80th character which still seems to be within
>the array size to me.
>
>
>
>>There is some similar issues in Tetris, and Hack too.
>>
>>
>
>Well feel free to provide the details of those issues.
>
>
>
My mistake.. this is the vulnerable code.
    char buf[10];
    printf("\nInitial broadside %s (grape, chain, round, double): ",
           n ? "right" : "left");
    fflush(stdout);
    scanf("%s", buf);
Cheers
----- End forwarded message -----
--
see shy jo
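Added example, not part of the thread or of the bsdgames source: the unbounded scanf("%s", buf) into char buf[10] from the forwarded message, beside two bounded ways to read the same answer. The names read_load_scanf, read_load_fgets, drain_line, stream_from and LOAD_BUF are hypothetical and the input is constructed; how the 2.17-7 upload changed the code is not shown on this page.

```c
#include <stdio.h>
#include <string.h>
#define LOAD_BUF 10   /* same size as the buf[10] quoted in the report */

/* Constructed-input helper: a string exposed as a stream, standing in for stdin. */
static FILE *stream_from(const char *s)
{
    FILE *f = tmpfile();
    if (f) { fputs(s, f); rewind(f); }
    return f;
}

/* Discard the rest of an over-long line so it is not read as the next answer. */
static void drain_line(FILE *in)
{
    int c;
    while ((c = getc(in)) != EOF && c != '\n')
        ;
}

/* Reported form, for comparison only: scanf("%s", buf) copies a whole token.
 * Here the field width caps the token at LOAD_BUF - 1 bytes plus the NUL. */
static int read_load_scanf(FILE *in, char *buf)
{
    if (fscanf(in, "%9s", buf) != 1)   /* 9 == LOAD_BUF - 1 */
        return -1;                      /* EOF or read error */
    drain_line(in);
    return 0;
}

/* fgets form: the size argument is the bound, and strcspn locates the
 * newline without indexing at strlen - 1, so an empty string is safe. */
static int read_load_fgets(FILE *in, char *buf, size_t size)
{
    if (fgets(buf, (int)size, in) == NULL)
        return -1;
    size_t n = strcspn(buf, "\n");
    if (buf[n] == '\n') buf[n] = '\0';
    else drain_line(in);               /* line was longer than the buffer */
    return 0;
}

int main(void)
{
    char a[LOAD_BUF], b[LOAD_BUF];
    FILE *in = stream_from("AAAAAAAAAAAAAAAAAAAAAAAA\nround\n"); /* constructed */
    if (!in || read_load_scanf(in, a) || read_load_fgets(in, b, sizeof b)) return 1;
    printf("scanf form kept %zu bytes, fgets form read \"%s\"\n", strlen(a), b);
    return fclose(in);
}
```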
Source: bsdgames
Source-Version: 2.17-7
We believe that the bug you reported is fixed in the latest version of
bsdgames, which is due to be installed in the Debian FTP archive:
bsdgames_2.17-7.diff.gz
to pool/main/b/bsdgames/bsdgames_2.17-7.diff.gz
bsdgames_2.17-7.dsc
to pool/main/b/bsdgames/bsdgames_2.17-7.dsc
bsdgames_2.17-7_i386.deb
to pool/main/b/bsdgames/bsdgames_2.17-7_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 360989@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Joey Hess <joeyh@debian.org> (supplier of updated bsdgames package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Thu, 6 Apr 2006 19:59:35 -0400
Source: bsdgames
Binary: bsdgames
Architecture: source i386
Version: 2.17-7
Distribution: unstable
Urgency: medium
Maintainer: Joey Hess <joeyh@debian.org>
Changed-By: Joey Hess <joeyh@debian.org>
Description:
bsdgames - a collection of classic textual unix games
Closes: 360989
Changes:
bsdgames (2.17-7) unstable; urgency=medium
.
* sail: Fix a scanf buffer overrun in initial broadside prompt code,
possibly exploitable. Closes: #360989
* dm: Fix some other, non exploitable scanf buffer overruns.
Files:
79ed72ad15b3dd07d1e07e44e87c6902 629 games optional bsdgames_2.17-7.dsc
24561d4326d22ae9fce0778db548db45 12530 games optional bsdgames_2.17-7.diff.gz
c95399c956ec1ae6ef35ec06af3f06c0 967056 games optional bsdgames_2.17-7_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
iD8DBQFENa7W2tp5zXiKP0wRAky4AJ9IuY/S3a5p0fD4O7NPArrifB4wKACgnPry
BvSC/g5Xcy2cifbkjhrcpjI=
=FFbV
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Joey Hess <joeyh@debian.org>: Bug#360989; Package bsdgames.
Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Joey Hess <joeyh@debian.org>.
Subject: Re: Bug#360989: Multiple buffer overflows in BSDgames 2.17-1 and privileges escalation vulnerability.
Date: Mon, 24 Apr 2006 18:02:03 +0200
CVE-2006-1744 has been assigned to this.
Regards,
Joey
--
Long noun chains don't automatically imply security. -- Bruce Schneier
Please always Cc to me when replying to me on the lists.
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 27 Jun 2007 01:51:11 GMT)