-------------------------------------------------------------------------- Debian Security Advisory DSA 334-1 security@debian.org http://www.debian.org/security/ Matt Zimmerman June 28th, 2003 http://www.debian.org/security/faq -------------------------------------------------------------------------- Package : xgalaga Vulnerability : buffer overflows Problem-Type : local Debian-specific: no CVE Ids : CAN-2003-0454 Steve Kemp discovered several buffer overflows in xgalaga, a game, which can be triggered by a long HOME environment variable. This vulnerability could be exploited by a local attacker to gain gid 'games'.
xgalaga has not setuid flag by default. If it's still vulnerable, it can't give elevtaed privileges.
yeah, we're not vulnerable, but i'd still like to add a patch if one exists in other words, we dont need a GLSA, we just want a patch ;)
i see that there's already a patch for that vuln... if((home = getenv("HOME"))) { - sprintf(my_file_name, "%s/.xgalscores", home); [...] + snprintf(my_file_name, sizeof(my_file_name)-1, "%s/.xgalscores", home); in the diff that is download with xgalaga. So we don't need a patch :)
excellent :)
