Bug 24002 - app-games/xgalaga
Summary: app-games/xgalaga
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: Highest critical
Assignee: Gentoo Security
Reported: 2003-07-06 13:43 UTC by Daniel Ahlberg (RETIRED)
Modified: 2003-09-21 09:15 UTC
Description Daniel Ahlberg (RETIRED) gentoo-dev 2003-07-06 13:43:56 UTC
-------------------------------------------------------------------------- 
Debian Security Advisory DSA 334-1                     security@debian.org 
http://www.debian.org/security/                             Matt Zimmerman 
June 28th, 2003                         http://www.debian.org/security/faq 
-------------------------------------------------------------------------- 
 
Package        : xgalaga 
Vulnerability  : buffer overflows 
Problem-Type   : local 
Debian-specific: no 
CVE Ids        : CAN-2003-0454 
 
Steve Kemp discovered several buffer overflows in xgalaga, a game, 
which can be triggered by a long HOME environment variable.  This 
vulnerability could be exploited by a local attacker to gain gid 
'games'.
Comment 1 Gerardo Di Giacomo 2003-09-20 16:35:05 UTC
xgalaga does not have the setuid flag by default. If it's still vulnerable, it can't give elevated privileges.
Comment 2 SpanKY gentoo-dev 2003-09-20 20:32:53 UTC
yeah, we're not vulnerable, but i'd still like to add a patch if one exists

in other words, we don't need a GLSA, we just want a patch ;)
Comment 3 Gerardo Di Giacomo 2003-09-21 03:39:49 UTC
i see that there's already a patch for that vuln...

     if((home = getenv("HOME"))) {
-       sprintf(my_file_name, "%s/.xgalscores", home);
[...]
+       snprintf(my_file_name, sizeof(my_file_name)-1, "%s/.xgalscores", home);
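Review bot: on the added snprintf line the return value is ignored, so a HOME that does not fit is silently truncated and the game would then use a different scores path than intended; compare the result against sizeof(my_file_name) and skip the per-user file when it is too long. The -1 on the size is unnecessary, because snprintf already counts the terminating NUL within the size it is given, and sizeof(my_file_name) is only the buffer size if my_file_name is an array at this point, which the excerpt does not show.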


in the diff that is downloaded with xgalaga.

So we don't need a patch :)
Comment 4 SpanKY gentoo-dev 2003-09-21 09:15:54 UTC
excellent :)
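
The fix quoted in comment 3 bounds the write into `my_file_name`; the following C function, an added example that is not xgalaga's code or the Debian patch, also rejects a HOME value that would not fit instead of using a truncated path. The name `build_score_path` and the 256-byte buffer size are assumptions, since the declaration of `my_file_name` is not shown on this page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size; the real size of my_file_name is not shown on the page. */
#define SCORE_PATH_MAX 256

/* Hypothetical helper: build "<home>/.xgalscores" into out.
 * Returns 0 on success, -1 if home is missing/empty or the path does not fit. */
int build_score_path(char *out, size_t outlen, const char *home)
{
    int n;

    if (out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';
    if (home == NULL || home[0] == '\0')
        return -1;

    /* snprintf writes at most outlen bytes including the NUL,
     * so the full buffer size is passed (no "-1" needed). */
    n = snprintf(out, outlen, "%s/.xgalscores", home);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';  /* refuse a truncated path rather than use the wrong file */
        return -1;
    }
    return 0;
}

int main(void)
{
    char path[SCORE_PATH_MAX];
    char long_home[4096];  /* constructed oversized HOME value */

    memset(long_home, 'A', sizeof(long_home) - 1);
    long_home[sizeof(long_home) - 1] = '\0';

    if (build_score_path(path, sizeof(path), getenv("HOME")) == 0)
        printf("score file: %s\n", path);
    else
        printf("HOME unset or too long; per-user scores disabled\n");

    if (build_score_path(path, sizeof(path), long_home) != 0)
        printf("oversized HOME rejected without overflowing path[]\n");
    return 0;
}
```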