Bug 135071 - games-misc/typespeed: execution of arbitrary code (CVE-2006-1515)

Bug#: 135071
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: major
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: dercorny@gentoo.org
Component: Vulnerabilities
URL: http://www.debian.org/security/2006/dsa-1084 https://bugs.gentoo.org/show_bug.cgi?id=135071
Summary: games-misc/typespeed: execution of arbitrary code (CVE-2006-1515)
Keywords:
Status Whiteboard: B1 [glsa] DerCorny

Opened: 2006-05-31 13:00 0000

Package : typespeed
Vulnerability : buffer overflow
Problem type : remote
Debian-specific: no
CVE ID : CVE-2006-1515
Niko Tyni discovered a buffer overflow in the processing of network
data in typespeed, a game for testing and improving typing speed, which
could lead to the execution of arbitrary code.
We also seem to be vulnerable to a format string bug that could allow local
priv escalation: http://www.debian.org/security/2005/dsa-684
games team, please provide fixed ebuilds, thanks
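The two bug classes named above (a buffer overflow while processing network data, and a format string bug that could be reached locally) both come down to handling attacker-supplied bytes with a fixed-size buffer or a printf-style call. The following C code is an added example written for this page, not typespeed's code and not the Debian fix; the function names, the WORD_MAX size and the sample payloads are all hypothetical. It shows the defensive form of each pattern: a length-checked copy that rejects oversize messages instead of overrunning the buffer, and a status line that always passes user text as a "%s" argument rather than as the format string.

```c
/*
 * Added example, not from typespeed or Debian: defensive handling of
 * untrusted input for the two bug classes in this report. All names,
 * sizes and sample inputs below are hypothetical/constructed.
 */
#include <stdio.h>
#include <string.h>

#define WORD_MAX 32   /* hypothetical fixed-size word buffer in a game client */

/* Copy one newline-terminated word received from the network into dst.
 * Returns 0 on success, -1 if the word would not fit. An oversize
 * message is rejected outright rather than silently truncated, so the
 * caller can drop it and log the event. */
int copy_word_bounded(char *dst, size_t dstsz, const char *src, size_t srclen)
{
    const char *nl = memchr(src, '\n', srclen);
    size_t wordlen = nl ? (size_t)(nl - src) : srclen;

    if (wordlen >= dstsz)          /* leave room for the NUL terminator */
        return -1;
    memcpy(dst, src, wordlen);
    dst[wordlen] = '\0';
    return 0;
}

/* Format a status line that embeds a user-controlled string (e.g. a
 * nickname). The user string is always a %s argument and never the
 * format itself, so sequences like "%x" or "%n" in the nickname are
 * printed literally instead of being interpreted by printf.
 * Returns the number of characters written, or -1 if it did not fit. */
int format_status(char *out, size_t outsz, const char *nick, int score)
{
    int n = snprintf(out, outsz, "%s scored %d", nick, score);

    if (n < 0 || (size_t)n >= outsz)
        return -1;                 /* output truncated; caller decides */
    return n;
}

int main(void)
{
    char word[WORD_MAX];
    char line[64];
    /* constructed sample "network" payloads */
    const char ok[] = "keyboard\nnext";
    char oversize[WORD_MAX + 8];
    memset(oversize, 'A', sizeof oversize);

    printf("short word rc=%d word=%s\n",
           copy_word_bounded(word, sizeof word, ok, sizeof ok - 1), word);
    printf("oversize word rc=%d\n",
           copy_word_bounded(word, sizeof word, oversize, sizeof oversize));
    /* a nickname containing format directives is rendered verbatim */
    format_status(line, sizeof line, "%x%n", 7);
    printf("%s\n", line);
    return 0;
}
```

The rejection in copy_word_bounded is deliberate: truncating an oversize word would keep the program memory-safe but could still corrupt game state, and a message larger than any legitimate word is itself a useful signal to log.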
FYI: Upstream has released version 0.5.0, and according to the changelog there
is a security fix (from the Debian team) included. I haven't looked at the
code, but this might just be fixed by a version bump.
It must be because of the few beers I've taken that I was this slow with unix
words but..
-- snip --
Typespeed v0.5.0
Your score was:
Rank: Good
Score: 436
10MRS: 2177
Total CPS: 4.178
Correct CPS: 3.629
Typo ratio: 13.1%
Typorank: Pencil <- Insult!! :-)
Press any key to continue...
-- snip --
Good to go stable on x86.
Portage 2.1 (default-linux/x86/2006.0, gcc-3.4.6, glibc-2.3.6-r3,
2.6.16-gentoo-r8 i686)
=================================================================
System uname: 2.6.16-gentoo-r8 i686 AMD Athlon(tm) XP 2200+
Gentoo Base System version 1.6.14
dev-lang/python: 2.4.2
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache: [Not Present]
dev-util/confcache: [Not Present]
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.59-r7
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils: 2.16.1-r2
sys-devel/gcc-config: 1.3.13-r2
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=athlon-xp -O2 -pipe -g"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/lib/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=athlon-xp -O2 -pipe -g"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig collision-protect distlocks metadata-transfer sandbox
sfperms splitdebug strict"
GENTOO_MIRRORS="http://trumpetti.atm.tut.fi/gentoo/"
LANG="en_US.utf8"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://trumpetti.atm.tut.fi/gentoo-portage"
USE="x86 3dnow 3dnowext X a52 aac alsa apm avi berkdb bitmap-fonts bzip2 cli
crypt dri emboss encode ffmpeg flac fontconfig foomaticdb fortran gdbm gif
gstreamer gtk gtk2 id3 imlib ipv6 isdnlog jpeg libg++ libwww mad mikmod mmx
mmxext motif mp3 mp4live mpeg mpeg2 musicbrainz ncurses nptl nptlonly ogg
opengl oss pam pcre pdflib perl pic player png pppd python quicktime readline
reflection sdk sdl session spl sse ssl tcpd theora tiff truetype truetype-fonts
type1-fonts udev unicode userlocales vorbis win32codecs xine xml xorg xv xvid
zlib elibc_glibc kernel_linux userland_GNU"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LDFLAGS, LINGUAS,
PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Thanks, drac
In 0.5.0 the highscore file format has changed.
Just touching the files generates corrupt scorefiles.
typespeed --makescores doesn't work because the wordlists are in a different
directory.
I've made this change in file.c (typespeed-0.5.0-statedir-fix.patch):
| - if ((n = scandir(".", &namelist, iswordl...
| + if ((n = scandir("GENTOO_WORDLIST_PATH", &namelist, iswordl...
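Review bot: the replacement passes the literal string "GENTOO_WORDLIST_PATH" to scandir, so as written the program scans a directory of that exact name; this only works if the ebuild substitutes the real wordlist directory for that token before compiling, which the patch should state (or the path should come from a build-time define so a missed substitution fails at compile time rather than at runtime).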
and was able to create valid scorefiles via typespeed --makescores.
Another thing:
A reinstallation replaces the existing highscore files. Well these files are
not really important.
fixed the scandir
games_pkg_preinst() in the games.eclass should take care of saving/restoring
files across installs/upgrades ... works on my machine
Stable on x86.
Still, "typespeed --makescores" is needed after the first installation, and while
upgrading the scorefiles aren't converted.
(In reply to comment #8)
> games_pkg_preinst() in the games.eclass should take care of saving/restoring
> files across installs/upgrades ... works on my machine
Sorry, works here too. Obviously I don't use games very often.
For GLSA: is dsa-684 really valid for us? Since you should have to be in the
"games" group to play games anyway, there would be no privilege escalation here
(Gentoo is a bit different from the other distros here as far as I can
tell)...
According to CVE-2006-1515 it is remote.