xmille crashes with SIGSEGV when a large save filename is specified, due to overflow of a stack buffer of size 80. This will lead to overwrite of the saved return address and allow arbitrary code execution. This error occurs in save.c:

    save()
    {
        reg char *sp;
        reg int outf;
        reg Time *tp;
        char buf[80];                      /* -> fixed size stack buffer */
        Time tme;
        Stat junk;

        tp = &tme;
        if (Fromfile && getyn("Same file? "))
            strcpy(buf, Fromfile);         /* -> unsafe strcpy */
        else {
            strcpy(buf, GetpromptedInput("file: "));   /* -> unsafe strcpy */
            sp = buf + strlen(buf);
        }

Additionally there are some other places in the code where strcpy is being used possibly unsafely. Also there seem to be some format string bugs due to passing of unsafe format strings to the function Error() in ui.c. For example, giving a savefile name of %n will crash xmille with a SIGSEGV and may allow overwriting of arbitrary locations in the stack to modify program execution flow. However, on my Gentoo box xmille isn't suid nor setgid games, so the bugs aren't critical.
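For reference, the two defects in the report (unbounded strcpy into an 80-byte stack buffer, and user input used as the format argument of Error()) map onto a small hardened pattern. The code below is an added illustration, not xmille's source or its fix; `copy_filename`, `report_error` and `safe_save_name` are hypothetical stand-ins, and `report_error` plays the role of ui.c's `Error()` with the user-supplied name always passed through `%s` rather than as the format string.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Same size as the char buf[80] in save(); kept only to show the bound. */
#define NAMEBUF 80

/* Bounded replacement for the strcpy(buf, name) in save(): copy only if the
 * whole string plus its NUL fits, otherwise refuse instead of overflowing
 * or silently truncating. Returns 0 on success, -1 if it does not fit. */
int copy_filename(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstsz)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Hypothetical stand-in for Error(): the format string is always a literal
 * chosen by the program, and everything user-controlled arrives as an
 * argument. Formats into a caller-supplied buffer and returns the length
 * vsnprintf reports, so the result can be checked rather than printed. */
int report_error(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    int len;
    va_start(ap, fmt);
    len = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return len;
}

/* Hardened handling of a requested save-file name: bounded copy into the
 * fixed stack buffer, and the name reported through "%s" so that a name
 * such as "%n" is just text. Returns 0 if accepted, -1 if rejected. */
int safe_save_name(const char *requested, char *msg, size_t msgsz)
{
    char buf[NAMEBUF];

    if (copy_filename(buf, sizeof buf, requested) != 0) {
        report_error(msg, msgsz, "file name too long (%zu chars, max %d)",
                     strlen(requested), NAMEBUF - 1);
        return -1;
    }
    report_error(msg, msgsz, "saving to %s", buf);
    return 0;
}

int main(void)
{
    char msg[256];
    char longname[200];               /* constructed oversize input */

    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    printf("%d: %s\n", safe_save_name("game.sav", msg, sizeof msg), msg);
    printf("%d: %s\n", safe_save_name(longname, msg, sizeof msg), msg);
    printf("%d: %s\n", safe_save_name("%n%n", msg, sizeof msg), msg);
    return 0;
}
```

The point of the `%s` discipline is that the conversion specifiers in the user's string are never interpreted; the length check in `copy_filename` rejects the oversize name before anything touches the 80-byte buffer, which is what the original strcpy calls lack.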
Fix is in 2.0-r1, which is x86 stable. This is GLSA-ready.
Rereading the bug, I don't think this can be exploited (no network connection, runs under local user rights). If someone else confirms, we'll close this one without GLSA. -K
Yep, there is no issue of exploits on a Gentoo system.