Ulf Harnhammar (the first 'a' has two dots over it, but I don't know how to make those) found a few buffer overflows for the Debian Audit Project. He's provided a patch. Games, can you patch this one?
This isn't a security issue. Please tone down this bug to normal and assign it to the games team for normal processing.
Whoops. I just assumed that it was, from it being from Ulf. My fault.
Well, it's a very small security issue. // Ulf
Right. I hadn't bothered to check the patch before (oops!). The env variable issue I wouldn't ordinarily worry about so much (as it's unlikely that anyone can set another user's vars), but there is also an issue where someone who can write to the high scores file can cause an overflow. This is low priority, but it IS a security issue. Technically, it's a B2, though a relatively low severity one. Nonetheless, I'm going to reassign to security so that they can issue a GLSA, if they desire. (sorry for the back and forth.)
Added the patch to CVS, rev bumped, and removed the old version. Proceed with the GLSA at your pleasure.
Security, please vote on GLSA.
OK, so is it (1) every rockdodger user shares the same writeable highscore file and so could trigger an overflow by writing something malicious in that file and having another user view it? Or (2) all users have separate highscore files, so this would only be restricted to the same user? If this is (1) it could be worth a GLSA, but if this is (2) it's not worth it...
It's (1), which is why I fixed it so fast. (2) I probably would have ignored.
So it's a B4 (B2 needs a remote attacker, B1 needs root escalation): Local user may be able to execute code with the rights of another user. I sure hope root doesn't play rockdodger. Security, please vote.
I vote for no GLSA on this one.
Does the use of "dogamesbin" mean that rockdodger is setgid games on Gentoo? If it is, the environment variable bug can be exploited to gain a gid games shell. If it's not setgid or setuid anything, that part is just a crash bug. (I don't run Gentoo yet, and I found the eclass stuff a bit hard to follow, so I had to ask..) // Ulf
No, it's not setuid or setgid. Only the highscore part of the bug is a concern.
I vote no GLSA.
Closed as a silent fix. Thx Ulf and keep up the good work :)
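As an added example (not rockdodger's code or Ulf's patch), the defensive side of the highscore issue discussed above: a bounds-checked parser for one line of a shared, writable highscore file, written so that no line the file can contain is able to write past the fixed-size name field. The "score name" line format and the field sizes are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

/* Constructed sizes: a fixed-size entry such as a game's highscore table might use. */
#define NAME_MAX_LEN 15
#define LINE_MAX_LEN 128

typedef struct {
    long score;
    char name[NAME_MAX_LEN + 1];
} highscore_entry;

/* Parse one "score name" line from an untrusted highscore file (shared between
 * users, hence writable by any of them). Returns 1 on success, 0 on rejection.
 * Every copy into entry->name is bounded, whatever the line's length or contents. */
int parse_highscore_line(const char *line, highscore_entry *entry)
{
    char *end;
    size_t name_len;

    if (line == NULL || entry == NULL) return 0;
    /* No terminator within LINE_MAX_LEN + 1 bytes means an overlong line:
     * reject it outright instead of reading past the expected size. */
    if (memchr(line, '\0', LINE_MAX_LEN + 1) == NULL) return 0;

    errno = 0;
    long score = strtol(line, &end, 10);
    if (end == line || errno == ERANGE || score < 0) return 0;
    if (*end != ' ') return 0;            /* exactly one separator expected */
    end++;

    /* Measure the name up to the line ending, then enforce the field size
     * before copying (reject rather than silently truncate). */
    name_len = strcspn(end, "\r\n");
    if (name_len == 0 || name_len > NAME_MAX_LEN) return 0;
    /* Printable ASCII only, so the file cannot push control bytes into the UI. */
    for (size_t i = 0; i < name_len; i++)
        if (end[i] < 0x20 || end[i] > 0x7e) return 0;

    memcpy(entry->name, end, name_len);
    entry->name[name_len] = '\0';
    entry->score = score;
    return 1;
}
```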