Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 122399

Summary: games-misc/bsd-games: tetris-bsd buffer overflows
Product: Gentoo Security Reporter: Tavis Ormandy (RETIRED) <taviso>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: games
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B2 [glsa] jaervosz
Package list:
Runtime testing required: ---
Attachments:
Description Flags
sec patch none

Description Tavis Ormandy (RETIRED) gentoo-dev 2006-02-10 10:29:12 UTC 
The checkscores() function in scores.c reads in the data from the /var/games/tetris-bsd.scores file without validation. Because gentoo doesnt follow the standard setgid games policy, any user in group games can write whatever data they like to the score file.

The players name is printed into a buffer using sprintf without validation, causing a classic stack overflow. On another occasion, the level is read from the file without validation, which is then used as an offset into an integer stack array and written to. While what's written cant be controlled, this could be enough to modify an ret addr enough to execute arbitrary code read from the score file.

This is not a bug in bsd-games, only gentoo is vulnerable because of our group games policy.
Comment 1 Tavis Ormandy (RETIRED) gentoo-dev 2006-02-10 10:29:36 UTC 
Created attachment 79447 [details, diff]
sec patch
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2006-02-11 14:00:26 UTC 
Games team, please advise.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2006-02-21 09:49:33 UTC 
Late.
Comment 4 Tavis Ormandy (RETIRED) gentoo-dev 2006-03-17 06:37:33 UTC 
games team give permission to mask until a fix is available
Comment 5 Chris Gianelloni (RETIRED) gentoo-dev 2006-03-17 11:06:13 UTC 
New ebuild, 2.17-r1 has been added and is stable on x86.  Other arches will need to test and keyword as appropriate.  Sorry for the delay, I'm just now getting back into the swing of bug-fixing.
Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev 2006-03-19 13:06:52 UTC 
ppc stable
Comment 7 Jason Wever (RETIRED) gentoo-dev 2006-03-19 19:14:43 UTC 
SPARC'd
Comment 8 Jory A. Pratt 2006-03-29 11:02:13 UTC 
AMD64 stable.
Comment 9 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-29 11:22:41 UTC 
GLSA 200603-26

Thanks everybody.