Bug#: 26783
Status: RESOLVED
Resolution: INVALID
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Daniel Ahlberg (RETIRED) <aliz@gentoo.org>
Description:   Opened: 2003-08-17 01:04 0000
--------------------------------------------------------------------------
Debian Security Advisory DSA 345-1                     security@debian.org
http://www.debian.org/security/                             Matt Zimmerman
July 8th, 2003                          http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : xbl
Vulnerability  : buffer overflow
Problem-Type   : local
Debian-specific: no
CVE Ids        : CAN-2003-0535

Another buffer overflow was discovered in xbl, distinct from the one
addressed in DSA-327 (CAN-2003-0451), involving the -display command
line option.  This vulnerability could be exploited by a local
attacker to gain gid 'games'.

------- Comment #1 From Mr. Bones. 2003-08-17 04:25:05 0000 -------
Unless I'm missing something, I'm pretty sure this isn't an issue on Gentoo
since xbl isn't installed setgid.

-rwxr-x---    1 games    games      163396 Aug 17 04:21 /usr/games/bin/xbl

I guess if you're running Debian you should be concerned. ;-)

------- Comment #2 From SpanKY 2003-08-17 11:32:08 0000 -------
Who knows, maybe you can get uid games ... that's a 'semi' issue.

------- Comment #3 From Mr. Bones. 2003-08-17 14:32:31 0000 -------
How would that be possible?  The executable isn't setuid or setgid.  Even if
there is an exploitable bug in xbl, the program isn't run with anything other
than the user's permissions and group.

------- Comment #4 From SpanKY 2003-08-17 16:50:33 0000 -------
Err, you're right ...

aliz, you can send out a GLSA, but be sure to note that standard Gentoo installs
aren't affected ... the only people who are affected are those who setgid the
binary themselves.
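
The whole thread turns on one check: whether the xbl binary carries the setuid or setgid bit, since a memory-corruption bug in a binary that runs with only the caller's own uid/gid cannot hand the caller a new privilege. The following script is an added example, not part of the bug report or of any Gentoo or Debian tooling. It classifies a path by its mode bits and lists every setuid/setgid file under a directory; the demo directory, file names, and the 0750 vs 2755 modes it creates are constructed for illustration (0750 mirrors the Gentoo listing in comment #1; 2755 stands in for a hypothetical setgid-games install).

```bash
#!/bin/sh
# Added example: is a local memory-corruption bug in this binary a
# privilege-escalation issue at all? Only if exec() changes uid or gid,
# i.e. only if the setuid (4000) or setgid (2000) bit is set.

# classify_binary PATH -> prints "missing", "privileged" or "unprivileged".
# Uses the POSIX test(1) primaries -u (setuid) and -g (setgid).
classify_binary() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "missing"
    elif [ -u "$f" ] || [ -g "$f" ]; then
        echo "privileged"
    else
        echo "unprivileged"
    fi
    return 0
}

# find_privileged DIR -> prints every regular file under DIR with the
# setuid or setgid bit set (the files a GLSA reader would have to worry about).
find_privileged() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
    return 0
}

# Constructed demo (assumed paths, created in a temp dir, not real installs):
#   xbl-gentoo  mode 0750 - as listed in comment #1, no setgid
#   xbl-setgid  mode 2755 - a hypothetical setgid-games install
demo() {
    d=$(mktemp -d)
    : > "$d/xbl-gentoo"; chmod 0750 "$d/xbl-gentoo"
    : > "$d/xbl-setgid"; chmod 2755 "$d/xbl-setgid"
    printf 'gentoo-style: %s\n' "$(classify_binary "$d/xbl-gentoo")"
    printf 'setgid-style: %s\n' "$(classify_binary "$d/xbl-setgid")"
    printf 'privileged files under %s:\n' "$d"
    find_privileged "$d"
    rm -rf "$d"
    return 0
}

# Run the demo only when executed directly, so the functions can be sourced.
case "$0" in
    *sh) ;;
    *) demo ;;
esac
```

To audit a real system rather than the demo directory, run `find_privileged /usr/games/bin` (or `/` for the whole host) as root; the Gentoo install in comment #1 prints nothing for xbl, which is exactly why the bug was closed as INVALID. Note that `chmod 2755` as an unprivileged user only sticks when you are a member of the file's group, which is why the demo creates its files in a fresh directory owned by the caller.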

------- Comment #5 From solar 2003-09-22 01:12:02 0000 -------
GLSA deadlock?

------- Comment #6 From Chris Gianelloni (RETIRED) 2003-10-07 03:48:44 0000 -------
resolved?

------- Comment #7 From solar 2003-12-10 14:52:24 0000 -------
Re: comment #3, you're right, so changing resolution to INVALID.
