Bug 33701 - Overkill $HOME environment variable buffer overflow (includes fix)
Summary: Overkill $HOME environment variable buffer overflow (includes fix)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Games
Hardware: All All
Importance: High normal
Assignee: Gentoo Games
URL: http://xforce.iss.net/xforce/xfdb/13646
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2003-11-17 12:37 UTC by Andy Dustman
Modified: 2003-11-29 22:07 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
games-action/0verkill/0verkill-0.16-r1.ebuild (0verkill-0.16-r1.ebuild, 1.38 KB, text/plain)
2003-11-17 12:38 UTC, Andy Dustman
games-action/0verkill/files/0.16-HOME-fix.patch (0.16-HOME-fix.patch, 725 bytes, patch)
2003-11-17 12:40 UTC, Andy Dustman

Description Andy Dustman 2003-11-17 12:37:18 UTC
"A local attacker could pass a long $HOME environment variable to overflow a buffer and execute arbitrary code on the system."

I have come up with a fix for this. New ebuild and patch to be attached.

Note: I have tested unpatched 0verkill-0.16 and found that I could make it segfault by passing a very long $HOME. Interestingly enough, even with -fstack-protector (gcc-3.3.2-r2) turned on, it still segfaults, and it should abort with a "stack smashing" error message.
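As an added illustration of the class of bug described above (this is not code from 0verkill or from the attached patch), a bounds-checked way to build a path from $HOME; the 256-byte buffer size and the ".0verkill" file name are assumptions, not values taken from the game:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CONF_BUF  256            /* fixed-size buffer of the kind the bug overflows */
#define CONF_FILE "/.0verkill"   /* assumed config file name, not taken from the game */

/*
 * Build "$HOME<CONF_FILE>" into a caller-supplied buffer.
 * Returns 0 on success, -1 if HOME is unusable or the result would not fit.
 * The unsafe pattern this replaces is strcpy(buf, getenv("HOME")) followed by
 * strcat(buf, CONF_FILE) into a fixed buffer: the environment is entirely
 * under the invoking user's control, so its length is untrusted input.
 */
int build_conf_path(const char *home, char *out, size_t outlen)
{
    int n;
    if (outlen == 0)
        return -1;
    if (home == NULL || home[0] != '/') {   /* unset, empty or relative HOME */
        out[0] = '\0';
        return -1;
    }
    /* snprintf never writes more than outlen bytes; its return value is the
     * length the complete string would have had, so n >= outlen means the
     * path was truncated and must not be used. */
    n = snprintf(out, outlen, "%s%s", home, CONF_FILE);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';                      /* leave no half-built path behind */
        return -1;
    }
    return 0;
}

int main(void)
{
    char path[CONF_BUF];
    char long_home[5000];                   /* constructed over-long HOME value */
    memset(long_home, 'A', sizeof long_home - 1);
    long_home[0] = '/';
    long_home[sizeof long_home - 1] = '\0';
    printf("normal HOME:    %s\n",
           build_conf_path("/home/andy", path, sizeof path) == 0 ? path : "rejected");
    printf("4999-byte HOME: %s\n",
           build_conf_path(long_home, path, sizeof path) == 0 ? path : "rejected");
    printf("unset HOME:     %s\n",
           build_conf_path(NULL, path, sizeof path) == 0 ? path : "rejected");
    return 0;
}
```

The rejected path is the case a stack protector would only catch after the overwrite has already happened; checking the length up front means there is nothing for the protector to catch.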
Comment 1 Andy Dustman 2003-11-17 12:38:31 UTC
Created attachment 20870
games-action/0verkill/0verkill-0.16-r1.ebuild
Comment 2 Andy Dustman 2003-11-17 12:40:49 UTC
Created attachment 20871
games-action/0verkill/files/0.16-HOME-fix.patch

I have tested this patch briefly, and it looks correct, but I recommend it be reviewed further.
Comment 3 SpanKY gentoo-dev 2003-11-17 12:46:00 UTC
Although I agree it should be patched (hell, I've made patches that use similar code for games that I'll be changing soon :D), I don't see why this is a security vulnerability ...

Games on Gentoo run as the user, they don't run as other people ... thus a user can buffer-overflow their own address space, but so what? :)
Comment 4 solar (RETIRED) gentoo-dev 2003-11-18 23:03:12 UTC
Andy,
Attachment #2 fails to patch clean using Attachment #1.
Is this game setuid/setgid?
Comment 5 SpanKY gentoo-dev 2003-11-19 10:39:16 UTC
No, we don't set games uid or gid at this time.

So we'll just treat it as a bugfix.
Comment 6 SpanKY gentoo-dev 2003-11-29 22:07:46 UTC
Now in CVS, thanks for the patch.