Hi,

From [1]: Multiple games in the BSD-games package are prone to locally exploitable buffer-overflow vulnerabilities. These issues are due to insufficient bounds-checking when copying user-supplied input to insufficiently sized memory buffers.

Tetris buffer overflow was corrected (see bug #122399 and [2]). Here is the same kind of vuln with the same severity.

A buffer overflow was found in the game "sail", pl_main.c:

    char buf[10];
    printf("\nInitial broadside %s (grape, chain, round, double): ", n ? "right" : "left");
    fflush(stdout);
    scanf("%s", buf);

You can use it to write arbitrary data in the score files.

Debian [3] has fixed (2004-04-06) several non-exploitable 'scanf' buffer overflows in the game "dm". There may be other overflows in some games.

[1] http://www.securityfocus.com/bid/17401
[2] Tetris overflow: http://www.securityfocus.com/bid/17308
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=360989
(more: http://www.pulltheplug.org/fu/?q=node/56)
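The defect in the quoted snippet is `scanf("%s", buf)` with no field width: `%s` stops only at whitespace, so a token of ten or more characters runs past the end of `char buf[10]`. The following is an added example (not code from the bug report, the Debian patch, or bsd-games itself) showing the bounded pattern a fix should use: a field width derived from the buffer size, explicit truncation detection, and an allow-list check for the four answers the prompt actually accepts. The function names `read_token_bounded` and `broadside_choice` and the sample inputs are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Original pattern from pl_main.c as quoted in the report above:
 *     char buf[10];
 *     scanf("%s", buf);
 * Shown here only as a comment; the functions below are the bounded form. */

/* Read one whitespace-delimited token from `input` into buf[bufsz],
 * storing at most bufsz-1 characters plus the terminating NUL.
 * Returns the number of characters stored, or -1 if no token was found.
 * Sets *truncated to 1 when the token was longer than the buffer holds. */
int read_token_bounded(const char *input, char *buf, size_t bufsz, int *truncated)
{
    char fmt[32];
    if (bufsz < 2 || truncated == NULL)
        return -1;

    /* Build the format at runtime from the buffer size: for a 10-byte buffer
     * this yields "%9s", leaving one byte for the NUL terminator. */
    snprintf(fmt, sizeof fmt, "%%%zus", bufsz - 1);

    buf[0] = '\0';
    *truncated = 0;
    if (sscanf(input, fmt, buf) != 1)
        return -1;

    size_t got = strlen(buf);

    /* sscanf skipped leading whitespace before the token; do the same so we
     * can look at the character that follows the stored prefix. If it is
     * neither whitespace nor end of string, the token was cut short. */
    const char *p = input;
    while (*p == ' ' || *p == '\t' || *p == '\n' || *p == '\r')
        p++;
    char next = p[got];
    *truncated = (next != '\0' && next != ' ' && next != '\t' &&
                  next != '\n' && next != '\r');
    return (int)got;
}

/* Map the player's answer to the prompt "(grape, chain, round, double)"
 * onto an index 0..3. Anything else, including an over-long token,
 * is rejected with -1 rather than being stored or trusted. */
int broadside_choice(const char *input)
{
    static const char *const names[] = { "grape", "chain", "round", "double" };
    char buf[10];               /* same size as the original game buffer */
    int truncated = 0;

    if (read_token_bounded(input, buf, sizeof buf, &truncated) < 0 || truncated)
        return -1;

    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        if (strcmp(buf, names[i]) == 0)
            return (int)i;
    return -1;
}

int main(void)
{
    /* Stand-alone demo: read one line from stdin with fgets, which is
     * itself bounded, then validate it. */
    char line[256];
    printf("Initial broadside (grape, chain, round, double): ");
    fflush(stdout);
    if (fgets(line, sizeof line, stdin) == NULL)
        return 1;
    int choice = broadside_choice(line);
    if (choice < 0) {
        printf("rejected\n");
        return 1;
    }
    printf("choice index %d\n", choice);
    return 0;
}
```

The runtime-built width is what keeps the read in step with the buffer: if `buf` is later resized, the limit follows it. Reporting truncation separately matters because a silently clipped token would otherwise be matched or written out as if it were the player's real answer.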
Created attachment 84316 [details, diff] Patch from debian for overflows in sail and dm games
*** Bug 129686 has been marked as a duplicate of this bug. ***
There are also boundary errors with player names, as described here: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=360989
mitre.org adds "execution of arbitrary code" in sail. No fix available AFAIK.
Given our very peculiar way of handling group games, not sure the "code execution" thing affects us. Tavis ?
it's a bug, but as you don't need any special permissions to alter the score file on gentoo (at the moment), it's not a security issue, all you can do is crash the game. If you could execute code via the score file, that would be a security issue. reassigning to games team.
Debian has emitted a DSA for this, and CVE-2006-1744 mentions "arbitrary code execution". I Cc: myself.
we're using the debian patch so I don't think we're affected.
now yes. It's ok. Thanks