135071 2006-05-31 13:00 0000 games-misc/typespeed: execution of arbitrary code (CVE-2006-1515) 2006-06-19 09:19:25 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://www.debian.org/security/2006/dsa-1084 https://bugs.gentoo.org/show_bug.cgi?id=135071 B1 [glsa] DerCorny P2 major --- 1 dercorny@gentoo.org security@gentoo.org gentoobugs@wonderclown.com dercorny@gentoo.org 2006-05-31 13:00:43 0000 Package : typespeed Vulnerability : buffer overflow Problem type : remote Debian-specific: no CVE ID : CVE-2006-1515 Niko Tyni discovered a buffer overflow in the processing of network data in typespeed, a game for testing and improving typing speed, which could lead to the execution of arbitrary code. We also seem to be vulnerable to a format string bug that could allow local priv escalation: http://www.debian.org/security/2005/dsa-684 dercorny@gentoo.org 2006-05-31 13:01:59 0000 games team, please provide fixed ebuilds, thanks mr_bones_@gentoo.org 2006-05-31 18:11:28 0000 package masked. gentoobugs@wonderclown.com 2006-06-03 14:24:09 0000 FYI: Upstream has released version 0.5.0, and according to the changelog there is a security fix (from the Debian team) included. I haven't looked at the code, but this might just be fixed by a version bump. vapier@gentoo.org 2006-06-10 06:18:35 0000 0.5.0 in portage tcort@gentoo.org 2006-06-10 08:06:14 0000 amd64 stable. ssuominen@gentoo.org 2006-06-10 09:03:39 0000 It must be because of the few beers I've taken that I was this slow with unix words but.. -- snip -- Typespeed v0.5.0 Your score was: Rank: Good Score: 436 10MRS: 2177 Total CPS: 4.178 Correct CPS: 3.629 Typo ratio: 13.1% Typorank: Pencil <- Insult!! :-) Press any key to continue... -- snip -- Good to go stable on x86. Portage 2.1 (default-linux/x86/2006.0, gcc-3.4.6, glibc-2.3.6-r3, 2.6.16-gentoo-r8 i686) ================================================================= System uname: 2.6.16-gentoo-r8 i686 AMD Athlon(tm) XP 2200+ Gentoo Base System version 1.6.14 dev-lang/python: 2.4.2 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: [Not Present] dev-util/confcache: [Not Present] sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.59-r7 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1 sys-devel/binutils: 2.16.1-r2 sys-devel/gcc-config: 1.3.13-r2 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.11-r2 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CBUILD="i686-pc-linux-gnu" CFLAGS="-march=athlon-xp -O2 -pipe -g" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/lib/X11/xkb" CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo" CXXFLAGS="-march=athlon-xp -O2 -pipe -g" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig collision-protect distlocks metadata-transfer sandbox sfperms splitdebug strict" GENTOO_MIRRORS="http://trumpetti.atm.tut.fi/gentoo/" LANG="en_US.utf8" MAKEOPTS="-j2" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" SYNC="rsync://trumpetti.atm.tut.fi/gentoo-portage" USE="x86 3dnow 3dnowext X a52 aac alsa apm avi berkdb bitmap-fonts bzip2 cli crypt dri emboss encode ffmpeg flac fontconfig foomaticdb fortran gdbm gif gstreamer gtk gtk2 id3 imlib ipv6 isdnlog jpeg libg++ libwww mad mikmod mmx mmxext motif mp3 mp4live mpeg mpeg2 musicbrainz ncurses nptl nptlonly ogg opengl oss pam pcre pdflib perl pic player png pppd python quicktime readline reflection sdk sdl session spl sse ssl tcpd theora tiff truetype truetype-fonts type1-fonts udev unicode userlocales vorbis win32codecs xine xml xorg xv xvid zlib elibc_glibc kernel_linux userland_GNU" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY Thanks, drac tove@gentoo.org 2006-06-11 06:30:25 0000 In 0.5.0 the highscore file format has changed. Just touching the files generates corrupt scorefiles. typespeed --makescores doesn't work because the wordlists are in a different directory. I've changed in file.c (typespeed-0.5.0-statedir-fix.patch): | - if ((n = scandir(".", &namelist, iswordl... | + if ((n = scandir("GENTOO_WORDLIST_PATH", &namelist, iswordl... and was able to create valid scorefiles via typespeed --makescores. Another thing: A reinstallation replaces the existing highscore files. Well these files are not really important. vapier@gentoo.org 2006-06-11 06:58:05 0000 fixed the scandir games_pkg_preinst() in the games.eclass should take care of saving/restoring files across installs/upgrades ... works on my machine tove@gentoo.org 2006-06-11 08:53:57 0000 Stable on x86. Still "typespeed --makescores" is needed after the first installation and while upgrading the scorefiles aren't converted. (In reply to comment #8) > games_pkg_preinst() in the games.eclass should take care of saving/restoring > files across installs/upgrades ... works on my machine Sorry, works here too. Obviously i don't use games very often. frilled@gentoo.org 2006-06-12 21:54:48 0000 For GLSA: is dsa-684 really valid for us? Since you should have to be in the "games" group to play games anyway, there would be no privilege escalation here (Gentoo is a bit different from the others distros here as far as I can tell)... jaervosz@gentoo.org 2006-06-12 23:29:19 0000 According to CVE-2006-1515 it is remote. frilled@gentoo.org 2006-06-12 23:49:05 0000 I know, but DerCorny mentioned http://www.debian.org/security/2005/dsa-684 which I was refering to. dertobi123@gentoo.org 2006-06-14 11:26:52 0000 ppc stable jaervosz@gentoo.org 2006-06-19 09:19:25 0000 GLSA 200606-20