src/lincity/fileutil.cpp:

350 static const char *
351 guess_category_value (int category, const char *categoryname)
352 {
353   (void) category;
354   const char *retval;
355
356   /* The highest priority value is the `LANGUAGE' environment
357      variable.  This is a GNU extension.  */
358 ===> retval = getenv ("LANGUAGE"); <===
359   if (retval != NULL && retval[0] != '\0')
360     return retval;

Notice return value can point to anything.

135 char message_path[LC_PATH_MAX];

405 void
406 find_localized_paths (void)
407 {
408     int messages_done = 0;
409     int help_done = 0;
410
411     const char* intl_suffix = "";
412     char intl_lang[128];
413
414     /* First, try the locale "as is" */
415 #if defined (ENABLE_NLS) && defined (HAVE_LC_MESSAGES)
=> 416     intl_suffix = guess_category_value(LC_MESSAGES,"LC_MESSAGES"); <===
417 #else
=> 418     intl_suffix = guess_category_value(0,"LC_MESSAGES"); <===
419 #endif

Now intl_suffix points to anything.

420     debug_printf ("GUESS 1 -- intl_suffix is %s\n", intl_suffix);
421     if (strcmp(intl_suffix,"C") && strcmp(intl_suffix,"")) {
422         sprintf (message_path, "%s%c%s%c%s%c", LIBDIR, PATH_SLASH, "messages",
            ^^^^^^^                        ^^
423                  PATH_SLASH, intl_suffix, PATH_SLASH);
                                 ^^^^^^^^^^^

Ditto for help_path[].

--- lincity-ng-1.0.1/src/lincity/fileutil.cpp
+++ lincity-ng-1.0.1-buffer/src/lincity/fileutil.cpp
@@ -419,15 +419,15 @@ find_localized_paths (void) #endif debug_printf ("GUESS 1 -- intl_suffix is %s\n", intl_suffix); if (strcmp(intl_suffix,"C") && strcmp(intl_suffix,"")) { - sprintf (message_path, "%s%c%s%c%s%c", LIBDIR, PATH_SLASH, "messages", - PATH_SLASH, intl_suffix, PATH_SLASH); + snprintf (message_path, sizeof(message_path), "%s%c%s%c%s%c", LIBDIR, + PATH_SLASH, "messages", PATH_SLASH, intl_suffix, PATH_SLASH); debug_printf ("Trying Message Path %s\n", message_path); if (directory_exists(message_path)) { debug_printf ("Set Message Path %s\n", message_path); messages_done = 1; } - sprintf (help_path, "%s%c%s%c%s%c", LIBDIR, PATH_SLASH, "help", - PATH_SLASH, intl_suffix, PATH_SLASH); + snprintf (help_path, sizeof(help_path), "%s%c%s%c%s%c", LIBDIR, PATH_SLASH, + "help", PATH_SLASH, intl_suffix, PATH_SLASH); debug_printf ("Trying Help Path %s\n", help_path); if (directory_exists(help_path)) { debug_printf ("Set Help Path %s\n", help_path);
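Review bot: the sizeof(message_path) bound is right only because message_path is the fixed array declared at line 135 (`char message_path[LC_PATH_MAX]`), and the snprintf return value is ignored in both calls, so a LANGUAGE value longer than the buffer now yields a silently truncated path (possibly missing its trailing PATH_SLASH) that is still handed to directory_exists. Suggest capturing the return value and skipping the lookup when it is `>= sizeof(message_path)`, and the same for help_path.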
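An added example, not code from this bug report or from lincity, showing in C the hardening the patch above is after: the same path construction with snprintf, but with the return value checked so an oversized LANGUAGE value is rejected instead of silently truncated. LC_PATH_MAX, LIBDIR and PATH_SLASH are assumed stand-ins for lincity's real definitions, and the separator/".." check on the suffix goes beyond what the patch does.

```c
#include <stdio.h>
#include <string.h>

/* Fixed-size path buffer as in the report; LC_PATH_MAX, LIBDIR and
   PATH_SLASH are assumed stand-ins for lincity's real definitions. */
#define LC_PATH_MAX 64
#define PATH_SLASH '/'
#define LIBDIR "/usr/share/lincity-ng"

/* Build "<LIBDIR>/<subdir>/<suffix>/" into out (capacity outsz); returns 1
   on success, 0 if the suffix is unusable or the result would not fit.
   sprintf() had no bound; snprintf() bounds the write but truncates
   silently, so its return value is checked and truncation is a failure. */
static int build_localized_path(char *out, size_t outsz,
                                const char *subdir, const char *suffix)
{
    if (suffix == NULL || suffix[0] == '\0' || strcmp(suffix, "C") == 0)
        return 0;
    /* A locale name never contains a separator or "..": refuse values
       that would make the lookup leave LIBDIR (goes beyond the patch). */
    if (strchr(suffix, PATH_SLASH) != NULL || strstr(suffix, "..") != NULL)
        return 0;
    int n = snprintf(out, outsz, "%s%c%s%c%s%c", LIBDIR, PATH_SLASH, subdir,
                     PATH_SLASH, suffix, PATH_SLASH);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';          /* truncated: never hand back a half path */
        return 0;
    }
    return 1;
}

/* As in fileutil.c: a LC_PATH_MAX buffer; returns path length or -1. */
static int localized_path_len(const char *subdir, const char *suffix)
{
    char message_path[LC_PATH_MAX];
    if (!build_localized_path(message_path, sizeof message_path, subdir, suffix))
        return -1;
    return (int)strlen(message_path);
}

int main(void)
{
    /* Constructed inputs: a sane locale and a 199-byte one (the sprintf case). */
    char huge[200];
    memset(huge, 'A', sizeof huge - 1);
    huge[sizeof huge - 1] = '\0';
    printf("de_DE -> %d\n", localized_path_len("messages", "de_DE"));
    printf("199xA -> %d\n", localized_path_len("messages", huge));
    return 0;
}
```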
It's filed in auditing, not vulnerability, so games-team maybe has nothing to do yet. As this was reported as secretly as possible, the bug might still be confidential, so no committing into portage is allowed until we have more information on whether this is secret or not. Pulling in mr_bones_ as part of the game herd.
*** Bug 102654 has been marked as a duplicate of this bug. ***
Of course, plain lincity contains the very same bugs. Yes, patch for -ng modulo minimal fuzz and different filenames applies just fine. This one is for lincity: --- lincity-1.12.1/fileutil.c +++ lincity-1.12.1-buffer/fileutil.c @@ -423,15 +423,15 @@ find_localized_paths (void) #endif debug_printf ("GUESS 1 -- intl_suffix is %s\n", intl_suffix); if (strcmp(intl_suffix,"C") && strcmp(intl_suffix,"")) { - sprintf (message_path, "%s%c%s%c%s%c", LIBDIR, PATH_SLASH, "messages", - PATH_SLASH, intl_suffix, PATH_SLASH); + snprintf (message_path, sizeof(message_path), "%s%c%s%c%s%c", LIBDIR, + PATH_SLASH, "messages", PATH_SLASH, intl_suffix, PATH_SLASH); debug_printf ("Trying Message Path %s\n", message_path); if (directory_exists(message_path)) { debug_printf ("Set Message Path %s\n", message_path); messages_done = 1; } - sprintf (help_path, "%s%c%s%c%s%c", LIBDIR, PATH_SLASH, "help", - PATH_SLASH, intl_suffix, PATH_SLASH); + snprintf (help_path, sizeof(help_path), "%s%c%s%c%s%c", LIBDIR, PATH_SLASH, + "help", PATH_SLASH, intl_suffix, PATH_SLASH); debug_printf ("Trying Help Path %s\n", help_path); if (directory_exists(help_path)) { debug_printf ("Set Help Path %s\n", help_path);
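Review bot: this lincity hunk carries the same unchecked snprintf as the -ng one: a too-long intl_suffix no longer overflows message_path or help_path, but the truncated string is still used as a directory name for directory_exists. Consider treating a return value of sizeof(message_path) or more as "no localized path" so an oversized LANGUAGE variable falls through to the default case instead of probing a mangled path.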
lincity does not appear to install suid or sgid, therefore it doesn't look like there's any security impact here. Reassigning to games team who can decide if this bug should be fixed.
Was this patch sent upstream?
Patches sent to lincity[-ng] developers.
The patch is in svn of lincity-ng. The next version will fix it.
I'm one of the developers of lincity-ng. I'm kinda confused about this: is this really a security problem? I mean lincity-ng isn't supposed to run suid or sgid. I'm quite sure that the game contains a lot more "vulnerabilities" like this that you can trigger by feeding the game bad data. This is very true for nearly all user applications I assume, and I don't see the point in fighting such problems, is there? (I personally would recommend gentoo people to not update the package because of this, as it's kinda pointless to fight buffer overflows in a game)
Matze: No, definitely not a security concern, at least on gentoo. Some vendors make games sgid, so that high scores and so on can be stored somewhere without being tampered with, but we don't do that (even so, getting gid games on one of those systems would be of limited use, you could fake a really high score or perhaps bypass fs quota restrictions or something).
All the versions in portage already contain the fix from upstream.