122399 2006-02-10 10:29 0000 games-misc/bsd-games: tetris-bsd buffer overflows 2006-03-29 11:22:41 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED B2 [glsa] jaervosz P2 normal --- 1 taviso@gentoo.org security@gentoo.org games@gentoo.org taviso@gentoo.org 2006-02-10 10:29:12 0000 The checkscores() function in scores.c reads in the data from the /var/games/tetris-bsd.scores file without validation. Because gentoo doesnt follow the standard setgid games policy, any user in group games can write whatever data they like to the score file. The players name is printed into a buffer using sprintf without validation, causing a classic stack overflow. On another occasion, the level is read from the file without validation, which is then used as an offset into an integer stack array and written to. While what's written cant be controlled, this could be enough to modify an ret addr enough to execute arbitrary code read from the score file. This is not a bug in bsd-games, only gentoo is vulnerable because of our group games policy. taviso@gentoo.org 2006-02-10 10:29:36 0000 Created an attachment (id=79447) sec patch koon@gentoo.org 2006-02-11 14:00:26 0000 Games team, please advise. koon@gentoo.org 2006-02-21 09:49:33 0000 Late. taviso@gentoo.org 2006-03-17 06:37:33 0000 games team give permission to mask until a fix is available wolf31o2@gentoo.org 2006-03-17 11:06:13 0000 New ebuild, 2.17-r1 has been added and is stable on x86. Other arches will need to test and keyword as appropriate. Sorry for the delay, I'm just now getting back into the swing of bug-fixing. dertobi123@gentoo.org 2006-03-19 13:06:52 0000 ppc stable weeve@gentoo.org 2006-03-19 19:14:43 0000 SPARC'd geekypenguin@gmail.com 2006-03-29 11:02:13 0000 AMD64 stable. dercorny@gentoo.org 2006-03-29 11:22:41 0000 GLSA 200603-26 Thanks everybody. 79447 2006-02-10 10:29 0000 sec patch tetris-sec.diff text/plain LS0tIGJzZC1nYW1lcy0yLjEzL3RldHJpcy9zY29yZXMuYy5vcmlnCTIwMDYtMDItMTAgMTg6MTE6 NDEuNzA0NzcwMjgwICswMDAwCisrKyBic2QtZ2FtZXMtMi4xMy90ZXRyaXMvc2NvcmVzLmMJMjAw Ni0wMi0xMCAxODoyNToxNS45Mjc5ODk1MzYgKzAwMDAKQEAgLTMzOSw3ICszMzksOCBAQAogCQkJ CWNvbnRpbnVlOwogCQkJfQogCQl9Ci0JCWxldmVsZm91bmRbc3AtPmhzX2xldmVsXSA9IDE7Cisg ICAgICAgIGlmIChzcC0+aHNfbGV2ZWwgPCBOTEVWRUxTICYmIHNwLT5oc19sZXZlbCA+PSAwKQor ICAgIAkJbGV2ZWxmb3VuZFtzcC0+aHNfbGV2ZWxdID0gMTsKIAkJaSsrLCBzcCsrOwogCX0KIAly ZXR1cm4gKG51bSA+IE1BWEhJU0NPUkVTID8gTUFYSElTQ09SRVMgOiBudW0pOwpAQCAtMzc4LDEy ICszNzksMTQgQEAKIAlmb3IgKGkgPSBNSU5MRVZFTDsgaSA8IE5MRVZFTFM7IGkrKykKIAkJbGV2 ZWxmb3VuZFtpXSA9IDA7CiAJZm9yIChpID0gMCwgc3AgPSBzY29yZXM7IGkgPCBuc2NvcmVzOyBp KyssIHNwKyspIHsKLQkJaWYgKGxldmVsZm91bmRbc3AtPmhzX2xldmVsXSkKLQkJCXNwLT5oc190 aW1lID0gMDsKLQkJZWxzZSB7Ci0JCQlzcC0+aHNfdGltZSA9IDE7Ci0JCQlsZXZlbGZvdW5kW3Nw LT5oc19sZXZlbF0gPSAxOwotCQl9CisgICAgICAgIGlmIChzcC0+aHNfbGV2ZWwgPCBOTEVWRUxT ICYmIHNwLT5oc19sZXZlbCA+PSAwKSB7CisgICAgCQlpZiAobGV2ZWxmb3VuZFtzcC0+aHNfbGV2 ZWxdKQorCSAgICAJCXNwLT5oc190aW1lID0gMDsKKwkJICAgIGVsc2UgeworCQkJICAgIHNwLT5o c190aW1lID0gMTsKKwkJICAgIAlsZXZlbGZvdW5kW3NwLT5oc19sZXZlbF0gPSAxOworCQkgICAg fQorICAgICAgICB9CiAJfQogCiAJLyoKQEAgLTQzNyw3ICs0NDAsNyBAQAogCQkJCWNvbnRpbnVl OwogCQkJfQogCQkJc3AgPSAmaHNbaXRlbV07Ci0JCQkodm9pZClzcHJpbnRmKGJ1ZiwKKwkJCSh2 b2lkKXNucHJpbnRmKGJ1Ziwgc2l6ZW9mKGJ1ZiksCiAJCQkgICAgIiUzZCVjICU2ZCAgJS0xMXMg KCU2ZCBvbiAlZCkiLAogCQkJICAgIGl0ZW0gKyBvZmZzZXQsIHNwLT5oc190aW1lID8gJyonIDog JyAnLAogCQkJICAgIHNwLT5oc19zY29yZSAqIHNwLT5oc19sZXZlbCwK