Debian Bug report logs - #651896
njam: Insecure usage of environmental variable


Package: njam; Maintainer for njam is Daniel Echeverry <epsilon77@gmail.com>; Source for njam is src:njam.

Reported by: Steve Kemp <steve@steve.org.uk>

Date: Mon, 12 Dec 2011 22:24:01 UTC

Severity: grave

Tags: patch, security

Found in version njam/1.25-5

Fixed in version njam/1.25-5.2

Done: Luk Claes <luk@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Anibal Avelar <aavelar@cofradia.org>:
Bug#651896; Package njam. (Mon, 12 Dec 2011 22:24:04 GMT)

Acknowledgement sent to Steve Kemp <steve@steve.org.uk>:
New Bug report received and forwarded. Copy sent to Anibal Avelar <aavelar@cofradia.org>. (Mon, 12 Dec 2011 22:24:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Steve Kemp <steve@steve.org.uk>
To: submit@bugs.debian.org
Subject: njam: Insecure usage of environmental variable
Date: Mon, 12 Dec 2011 22:19:59 +0000
Package: njam
Version: 1.25-5
Justification: user security hole
Severity: grave
Tags: security

*** Please type your report below this line ***

The setgid(games) binary /usr/games/njam makes insecure use of the 
environmental variable SDL_VIDEODRIVER.

This potentially allows the execution of arbitrary code, as the
following example shows:

1.  Set up the variable:

    birthday:~# export SDL_VIDEODRIVER=$(perl -e "print 'x'x300")


2.  Launch the binary under gdb so we can see what happens:

    birthday:~# gdb /usr/games/njam
    (gdb) run
    Starting program: /usr/games/njam
    ..
    Program received signal SIGSEGV, Segmentation fault.
    0x0000000000404f48 in ?? ()
    (gdb) bt
    #0  0x0000000000404f48 in ?? ()
    #1  0x7878787878787878 in ?? ()
    #2  0x7878787878787878 in ?? ()
    #3  0x7878787878787878 in ?? ()

  0x78 == "x" == Code execution via overflow.


  This is probably a minor issue, but should be simple to patch.

-- System Information:
Debian Release: 6.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/3 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages njam depends on:
ii  libc6                        2.11.2-10   Embedded GNU C Library: Shared lib
ii  libgcc1                      1:4.4.5-8   GCC support library
ii  libsdl-image1.2              1.2.10-2+b2 image loading library for Simple D
ii  libsdl-mixer1.2              1.2.8-6.3   mixer library for Simple DirectMed
ii  libsdl-net1.2                1.2.7-2     network library for Simple DirectM
ii  libsdl1.2debian              1.2.14-6.1  Simple DirectMedia Layer
ii  libstdc++6                   4.4.5-8     The GNU Standard C++ Library v3

njam recommends no packages.

njam suggests no packages.

-- no debconf information
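The report above describes the classic shape of the bug: a setgid binary copies an environment variable into a fixed-size buffer with sprintf, so a value longer than the buffer overruns the stack frame and the saved return address ends up as 0x7878... . Because glibc's secure-execution mode (AT_SECURE, set for setuid/setgid programs) strips only a short fixed list of variables such as LD_PRELOAD, an application-specific variable like SDL_VIDEODRIVER reaches the program untouched and has to be treated as attacker-controlled by the program itself. The block below is an added example, not njam's code or the reporter's: it models the unbounded copy without executing it, then shows two bounded alternatives, one that truncates (the approach of the patch later in this log) and one that rejects anything that is not a short, allowlisted driver name. The buffer size DRIVER_BUF_LEN, the function names, and the allowlist contents are assumptions made for illustration.

```c
/* Added example (not njam's code): the unbounded copy pattern from the
 * report, modelled without executing it, next to two bounded
 * alternatives.  Buffer size, function names and the allowlist are
 * assumptions made for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DRIVER_BUF_LEN 16  /* assumed size of the fixed on-stack buffer */

/* Bytes that sprintf(buf, "%s", value) would write, terminator included.
 * The bug is exactly that this number is never compared with sizeof(buf):
 * a 300-byte value overwrites everything above a 16-byte buffer. */
size_t unbounded_copy_size(const char *value)
{
    return strlen(value) + 1;
}

/* Fix A, truncating: copy with a bound and let snprintf cut the value.
 * Returns 1 when the whole value fit, 0 when it was truncated.  Safe,
 * but a silently shortened driver name is a surprise for the caller. */
int copy_truncating(const char *value, char *out, size_t out_len)
{
    int n = snprintf(out, out_len, "%s", value);
    return n >= 0 && (size_t)n < out_len;
}

/* Fix B, rejecting: for a setgid binary, treat the variable as hostile.
 * Accept only an exact match from a short allowlist of SDL 1.2 driver
 * names (assumed list); otherwise keep the compiled-in default.
 * Returns 1 if the environment value was used, 0 if the default stayed. */
int pick_video_driver(const char *value, char *out, size_t out_len)
{
    static const char *const allowed[] = { "x11", "dga", "fbcon", "directfb", "dummy" };
    size_t i;

    snprintf(out, out_len, "%s", "x11");   /* default first: out is always a C string */
    if (value == NULL || strlen(value) >= out_len)
        return 0;                          /* missing or too long: reject, do not truncate */
    for (i = 0; i < sizeof allowed / sizeof allowed[0]; i++) {
        if (strcmp(value, allowed[i]) == 0) {
            memcpy(out, value, strlen(value) + 1);
            return 1;
        }
    }
    return 0;
}

int main(void)
{
    char driver[DRIVER_BUF_LEN];
    const char *env = getenv("SDL_VIDEODRIVER");
    int used = pick_video_driver(env, driver, sizeof driver);

    printf("%s driver: %s\n", used ? "environment" : "default", driver);
    return 0;
}
```

Run it with the reporter's value (`SDL_VIDEODRIVER=$(perl -e "print 'x'x300") ./a.out`) and the rejecting version falls back to x11 instead of crashing; the truncating version would instead keep a 15-byte run of x's, which is harmless here only because the value merely selects a driver name. For a setgid program the rejecting form is the one to prefer: it keeps the environment from influencing anything beyond a choice among known values.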





Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Avelar <aavelar@cofradia.org>:
Bug#651896; Package njam. (Tue, 13 Dec 2011 17:12:05 GMT)

Acknowledgement sent to Steve Kemp <skx@debian.org>:
Extra info received and forwarded to list. Copy sent to Anibal Avelar <aavelar@cofradia.org>. (Tue, 13 Dec 2011 17:12:05 GMT)

Message #10 received at 651896@bugs.debian.org:

From: Steve Kemp <skx@debian.org>
To: 651896@bugs.debian.org
Subject: Re: Bug#651896: Acknowledgement (njam: Insecure usage of environmental variable)
Date: Tue, 13 Dec 2011 17:07:56 +0000
  Simple patch:

--- src/njam.cpp-orig   2011-12-13 17:06:04.000000000 +0000
+++ src/njam.cpp    2011-12-13 17:07:08.000000000 +0000
@@ -339,7 +339,7 @@
    sprintf(linux_sdl_driver, "x11\0");
    char *driver_name = getenv("SDL_VIDEODRIVER");
    if (driver_name)
-       sprintf(linux_sdl_driver, "%s\0", driver_name);
+               snprintf(linux_sdl_driver, sizeof(linux_sdl_driver)-1, "%s", driver_name);
 
    if (UseDGA)
    {
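Review bot: the `-1` in `sizeof(linux_sdl_driver)-1` is unnecessary: snprintf writes at most size-1 characters and always appends the terminator within size, so `sizeof(linux_sdl_driver)` is already the right bound; the extra `-1` is harmless but reads as an off-by-one guard that is not needed. Two things matter more. First, `sizeof` only bounds the copy if `linux_sdl_driver` is a fixed-size array in this scope (the `sprintf(linux_sdl_driver, "x11\0")` context line suggests it is); if it were a `char *` the bound would be the pointer size, so the declaration is worth confirming. Second, the change silently truncates an over-long value rather than rejecting it; since the string only selects a driver name, falling back to the `x11` default when `strlen(driver_name)` does not fit would make the behaviour clearer. Minor: the added line is indented with tabs while the surrounding lines use spaces, and the `"%s\0"` format in the removed line shows the redundant explicit NUL that the new `"%s"` correctly drops.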



Steve
-- 
http://edinburgh-portraits.com/




Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Avelar <aavelar@cofradia.org>:
Bug#651896; Package njam. (Tue, 13 Dec 2011 19:57:05 GMT)

Acknowledgement sent to Hans de Goede <hdegoede@redhat.com>:
Extra info received and forwarded to list. Copy sent to Anibal Avelar <aavelar@cofradia.org>. (Tue, 13 Dec 2011 19:57:05 GMT)

Message #15 received at 651896@bugs.debian.org:

From: Hans de Goede <hdegoede@redhat.com>
To: 651896@bugs.debian.org
Subject: PATCH: njam drop DGA support, fixing SDL_VIDEODRIVER parsing issues
Date: Tue, 13 Dec 2011 20:53:50 +0100
Hi,

I'm the Fedora maintainer of njam, where the
SDL_VIDEODRIVER bug has also been reported, see:
https://bugzilla.redhat.com/show_bug.cgi?id=767015

I've written a patch (attached) to fix this, the
code in question is only used for DGA "support",
and the use of DGA has been deprecated by Xorg
upstream for a long long time now, so the patch
simply removes the DGA support code.

Regards,

Hans
[njam-1.25-rhbz767015.patch (text/plain, attachment)]

Added tag(s) patch. Request was from Sébastien Villemot <sebastien.villemot@ens.fr> to control@bugs.debian.org. (Sun, 19 Feb 2012 14:30:16 GMT)

Added tag(s) pending. Request was from Luk Claes <luk@debian.org> to control@bugs.debian.org. (Wed, 04 Jul 2012 17:12:03 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Avelar <aavelar@cofradia.org>:
Bug#651896; Package njam. (Wed, 04 Jul 2012 17:18:06 GMT)

Acknowledgement sent to Luk Claes <luk@debian.org>:
Extra info received and forwarded to list. Copy sent to Anibal Avelar <aavelar@cofradia.org>. (Wed, 04 Jul 2012 17:18:06 GMT)

Message #24 received at 651896@bugs.debian.org:

From: Luk Claes <luk@debian.org>
To: 651896@bugs.debian.org
Subject: njam: diff for NMU version 1.25-5.2
Date: Wed, 4 Jul 2012 19:09:18 +0200
tags 651896 + pending
thanks

Dear maintainer,

I've prepared an NMU for njam (versioned as 1.25-5.2) and
have it uploaded shortly.

Cheers

Luk
[njam-1.25-5.2-nmu.diff (text/x-diff, attachment)]

Reply sent to Luk Claes <luk@debian.org>:
You have taken responsibility. (Wed, 04 Jul 2012 17:51:06 GMT)

Notification sent to Steve Kemp <steve@steve.org.uk>:
Bug acknowledged by developer. (Wed, 04 Jul 2012 17:51:06 GMT)

Message #29 received at 651896-close@bugs.debian.org:

From: Luk Claes <luk@debian.org>
To: 651896-close@bugs.debian.org
Subject: Bug#651896: fixed in njam 1.25-5.2
Date: Wed, 04 Jul 2012 17:47:38 +0000
Source: njam
Source-Version: 1.25-5.2

We believe that the bug you reported is fixed in the latest version of
njam, which is due to be installed in the Debian FTP archive:

njam_1.25-5.2.diff.gz
  to main/n/njam/njam_1.25-5.2.diff.gz
njam_1.25-5.2.dsc
  to main/n/njam/njam_1.25-5.2.dsc
njam_1.25-5.2_i386.deb
  to main/n/njam/njam_1.25-5.2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 651896@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luk Claes <luk@debian.org> (supplier of updated njam package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 04 Jul 2012 15:49:52 +0000
Source: njam
Binary: njam
Architecture: source i386
Version: 1.25-5.2
Distribution: unstable
Urgency: high
Maintainer: Anibal Avelar <aavelar@cofradia.org>
Changed-By: Luk Claes <luk@debian.org>
Description: 
 njam       - pacman-like game with multiplayer support
Closes: 651896
Changes: 
 njam (1.25-5.2) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * drop DGA support (Closes: #651896).
Checksums-Sha1: 
 a92e952a85952dc42f2cf8a5c5894a675fc404fe 1091 njam_1.25-5.2.dsc
 6689d465a3339f092b68c49cf0560aa2d6a6e977 7616 njam_1.25-5.2.diff.gz
 d9c5c9363348fb27db09e79b7bfb1992dc2b4478 1442670 njam_1.25-5.2_i386.deb
Checksums-Sha256: 
 c113b2cbe0953a6f33806076316f612a6b0e4f2674a5ba8d81574f113c188fc3 1091 njam_1.25-5.2.dsc
 86a8d1d1855e11aae2e97ca99630471ab4f55585becc06911c31e9b7d40349cd 7616 njam_1.25-5.2.diff.gz
 56e4958bb6ea310fc3cc044727862a3a5872d3b643d48c5e067b787ce479b7d2 1442670 njam_1.25-5.2_i386.deb
Files: 
 1280b2db4b4393ae2738de5ace15695b 1091 games optional njam_1.25-5.2.dsc
 982b26d9f46313a634508e5f0719fba2 7616 games optional njam_1.25-5.2.diff.gz
 ecbf801d6de5da6c2e485a3ab0aff3c6 1442670 games optional njam_1.25-5.2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk/0f9cACgkQ+C5cwEsrK54cWACcCrz6vxPbsV1mShVL/mHF9n/r
sKIAni1w6ZXUHDtsNf2oIyrbTiWj5cQs
=NeVp
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 05 May 2013 08:06:07 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 08:13:41 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.