The checkscores() function in scores.c reads in the data from the /var/games/tetris-bsd.scores file without validation. Because gentoo doesnt follow the standard setgid games policy, any user in group games can write whatever data they like to the score file. The players name is printed into a buffer using sprintf without validation, causing a classic stack overflow. On another occasion, the level is read from the file without validation, which is then used as an offset into an integer stack array and written to. While what's written cant be controlled, this could be enough to modify an ret addr enough to execute arbitrary code read from the score file. This is not a bug in bsd-games, only gentoo is vulnerable because of our group games policy.
Created attachment 79447 [details, diff] sec patch
Games team, please advise.
Late.
games team give permission to mask until a fix is available
New ebuild, 2.17-r1 has been added and is stable on x86. Other arches will need to test and keyword as appropriate. Sorry for the delay, I'm just now getting back into the swing of bug-fixing.
ppc stable
SPARC'd
AMD64 stable.
GLSA 200603-26 Thanks everybody.
