Bug 122399 - games-misc/bsd-games: tetris-bsd buffer overflows
|
Bug#:
122399
|
Product: Gentoo Security
|
Version: unspecified
|
Platform: All
|
|
OS/Version: Linux
|
Status: RESOLVED
|
Severity: normal
|
Priority: P2
|
|
Resolution: FIXED
|
Assigned To: security@gentoo.org
|
Reported By: taviso@gentoo.org
|
|
Component: Vulnerabilities
|
|
|
URL:
|
|
Summary: games-misc/bsd-games: tetris-bsd buffer overflows
|
|
Keywords:
|
|
Status Whiteboard: B2 [glsa] jaervosz
|
|
Opened: 2006-02-10 10:29 0000
|
The checkscores() function in scores.c reads in the data from the
/var/games/tetris-bsd.scores file without validation. Because gentoo doesnt
follow the standard setgid games policy, any user in group games can write
whatever data they like to the score file.
The players name is printed into a buffer using sprintf without validation,
causing a classic stack overflow. On another occasion, the level is read from
the file without validation, which is then used as an offset into an integer
stack array and written to. While what's written cant be controlled, this could
be enough to modify an ret addr enough to execute arbitrary code read from the
score file.
This is not a bug in bsd-games, only gentoo is vulnerable because of our group
games policy.
Games team, please advise.
games team give permission to mask until a fix is available
New ebuild, 2.17-r1 has been added and is stable on x86. Other arches will
need to test and keyword as appropriate. Sorry for the delay, I'm just now
getting back into the swing of bug-fixing.
GLSA 200603-26
Thanks everybody.
