Bug#: 122399
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Tavis Ormandy (RETIRED) <taviso@gentoo.org>

Attachments:
tetris-sec.diff - sec patch (patch) - Tavis Ormandy (RETIRED) - 2006-02-10 10:29 0000 - 1.10 KB

Description:   Opened: 2006-02-10 10:29 0000
The checkscores() function in scores.c reads in the data from the
/var/games/tetris-bsd.scores file without validation. Because Gentoo doesn't
follow the standard setgid games policy, any user in group games can write
whatever data they like to the score file.

The player's name is printed into a buffer using sprintf without validation,
causing a classic stack overflow. On another occasion, the level is read from
the file without validation, which is then used as an offset into an integer
stack array and written to. While what's written can't be controlled, this could
be enough to modify a ret addr enough to execute arbitrary code read from the
score file.

This is not a bug in bsd-games, only Gentoo is vulnerable because of our group
games policy.
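The two unchecked fields the report describes (a name that is passed to sprintf and a level that is used as an array index) are the ones a score-file reader has to validate before it touches them. The following is an added example, not bsd-games code or the attached patch; the record layout, the MAXLOGNAME/MINLEVEL/MAXLEVEL constants and the levelfound[] tally are assumptions modelled on the description.

```c
#include <stdio.h>
#include <string.h>

#define MAXLOGNAME 16            /* assumed name buffer size */
#define MINLEVEL   1             /* assumed lowest play level */
#define MAXLEVEL   9             /* assumed highest play level */
#define NLEVELS    (MAXLEVEL + 1)

struct highscore {               /* assumed on-disk record layout */
    char hs_name[MAXLOGNAME + 1];
    int  hs_score;
    int  hs_level;
};

/* Returns 1 if a record read from the score file is safe to use, else 0. */
int score_record_ok(const struct highscore *sp)
{
    /* The name must be NUL-terminated inside its buffer; otherwise any
     * "%s" use (sprintf, printf) reads past the end of the record. */
    if (memchr(sp->hs_name, '\0', sizeof sp->hs_name) == NULL)
        return 0;
    /* The level is later used as an index into an int array of NLEVELS
     * entries, so it is range-checked before it indexes anything. */
    if (sp->hs_level < MINLEVEL || sp->hs_level > MAXLEVEL)
        return 0;
    return 1;
}

/* Bounded replacement for an unbounded sprintf into a stack buffer.
 * Returns 1 if the whole line fit, 0 if it was truncated. */
int format_score_line(char *buf, size_t buflen, const struct highscore *sp)
{
    int n = snprintf(buf, buflen, "%.*s (level %d)",
                     (int)sizeof sp->hs_name, sp->hs_name, sp->hs_level);
    return n >= 0 && (size_t)n < buflen;
}

/* Tally per-level counts the way the report describes, but only for
 * records that passed validation. Returns the number accepted. */
int tally_levels(const struct highscore *recs, int nrecs, int levelfound[NLEVELS])
{
    int accepted = 0;
    memset(levelfound, 0, NLEVELS * sizeof levelfound[0]);
    for (int i = 0; i < nrecs; i++) {
        if (!score_record_ok(&recs[i]))
            continue;               /* corrupt or hostile record: skip it */
        levelfound[recs[i].hs_level]++;
        accepted++;
    }
    return accepted;
}
```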

------- Comment #1 From Tavis Ormandy (RETIRED) 2006-02-10 10:29:36 0000 -------
Created an attachment (id=79447)
sec patch

------- Comment #2 From Thierry Carrez (RETIRED) 2006-02-11 14:00:26 0000 -------
Games team, please advise.

------- Comment #3 From Thierry Carrez (RETIRED) 2006-02-21 09:49:33 0000 -------
Late.

------- Comment #4 From Tavis Ormandy (RETIRED) 2006-03-17 06:37:33 0000 -------
games team give permission to mask until a fix is available

------- Comment #5 From Chris Gianelloni (RETIRED) 2006-03-17 11:06:13 0000 -------
New ebuild, 2.17-r1 has been added and is stable on x86.  Other arches will
need to test and keyword as appropriate.  Sorry for the delay, I'm just now
getting back into the swing of bug-fixing.

------- Comment #6 From Tobias Scherbaum 2006-03-19 13:06:52 0000 -------
ppc stable

------- Comment #7 From Jason Wever (RETIRED) 2006-03-19 19:14:43 0000 -------
SPARC'd

------- Comment #8 From Jory A. Pratt 2006-03-29 11:02:13 0000 -------
AMD64 stable.

------- Comment #9 From Stefan Cornelius (RETIRED) 2006-03-29 11:22:41 0000 -------
GLSA 200603-26

Thanks everybody.
