Comment 1 Stefan Cornelius (RETIRED) 2005-08-15 14:31:37 UTC

it's filed in auditing, not vulnerability so games-team maybe has nothing to do
yet. As this was reported as secret as possible, the bug might be confidential
yet, so no commiting into portage allowed until we've more information if this
is secret or not. pulling in mr_bones_ as part of the game herd.

Comment 2 Tim Yamin (RETIRED) 2005-08-15 15:09:26 UTC

*** Bug 102654 has been marked as a duplicate of this bug. ***

Of course, plain lincity contains the very same bugs. Yes, patch for -ng modulo
minimal fuzz and different filenames applies just fine. This one is for lincity:

--- lincity-1.12.1/fileutil.c
+++ lincity-1.12.1-buffer/fileutil.c
@@ -423,15 +423,15 @@ find_localized_paths (void)
 #endif
   debug_printf ("GUESS 1 -- intl_suffix is %s\n", intl_suffix);
   if (strcmp(intl_suffix,"C") && strcmp(intl_suffix,"")) {
-    sprintf (message_path, "%s%c%s%c%s%c", LIBDIR, PATH_SLASH, "messages",
-	     PATH_SLASH, intl_suffix, PATH_SLASH);
+    snprintf (message_path, sizeof(message_path), "%s%c%s%c%s%c", LIBDIR,
+	      PATH_SLASH, "messages", PATH_SLASH, intl_suffix, PATH_SLASH);
     debug_printf ("Trying Message Path %s\n", message_path);
     if (directory_exists(message_path)) {
       debug_printf ("Set Message Path %s\n", message_path);
       messages_done = 1;
     }
-    sprintf (help_path, "%s%c%s%c%s%c", LIBDIR, PATH_SLASH, "help",
-	     PATH_SLASH, intl_suffix, PATH_SLASH);
+    snprintf (help_path, sizeof(help_path), "%s%c%s%c%s%c", LIBDIR, PATH_SLASH,
+	      "help", PATH_SLASH, intl_suffix, PATH_SLASH);
     debug_printf ("Trying Help Path %s\n", help_path);
     if (directory_exists(help_path)) {
       debug_printf ("Set Help Path %s\n", help_path);

Comment 4 Tavis Ormandy (RETIRED) 2005-08-15 16:30:11 UTC

lincity does not appear to install suid or sgid, therefore it doesnt look like 
there's any security impact here.

reassigning to games team who can decide if this bug should be fixed.

Comment 5 Mr. Bones. (RETIRED) 2005-08-17 10:08:19 UTC

Was this patch sent upstream?

Patches sent to lincity[-ng] developers.

The patch is in svn of lincity-ng. The next version will fix it.

I'm 1 of the developers of lincity-ng. I'm kinda confused about this, is this
really a security problem? I mean lincity-ng isn't supposed to run suid or sgid.

I'm quiet sure that the game contains alot more "vulnerabilities" like this that
you can trigger by feeding the game bad data. This is very true for nearly all
user applications I assume and I don't see the point in fighting such problems,
is there?

(I personally would recommend gentoo people to not update the package because of
this as it's kinda pointless to fight buffer overflows in a game)

Comment 9 Tavis Ormandy (RETIRED) 2005-09-28 03:53:04 UTC

Matze: No, definitely not a security concern, at least on gentoo.

Some vendors make games sgid, so that high scores and so on can be stored 
somewhere without being tampered with, but we dont do that (even so, getting gid 
games on one of those systems would be of limited use, you could fake a really 
high score or perhaps bypass fs quota restrictions or something).

Comment 10 Tupone Alfredo 2006-07-28 04:46:16 UTC

All the versions in portage contain already the fix from upstream