|Summary:||games-misc/bsd-games: tetris-bsd buffer overflows|
|Product:||Gentoo Security||Reporter:||Tavis Ormandy (RETIRED) <taviso>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Whiteboard:||B2 [glsa] jaervosz|
|Package list:||Runtime testing required:||---|
Description Tavis Ormandy (RETIRED) 2006-02-10 10:29:12 UTC
The checkscores() function in scores.c reads in the data from the /var/games/tetris-bsd.scores file without validation. Because gentoo doesnt follow the standard setgid games policy, any user in group games can write whatever data they like to the score file. The players name is printed into a buffer using sprintf without validation, causing a classic stack overflow. On another occasion, the level is read from the file without validation, which is then used as an offset into an integer stack array and written to. While what's written cant be controlled, this could be enough to modify an ret addr enough to execute arbitrary code read from the score file. This is not a bug in bsd-games, only gentoo is vulnerable because of our group games policy.
Comment 1 Tavis Ormandy (RETIRED) 2006-02-10 10:29:36 UTC
Created attachment 79447 [details, diff] sec patch
Comment 2 Thierry Carrez (RETIRED) 2006-02-11 14:00:26 UTC
Games team, please advise.
Comment 3 Thierry Carrez (RETIRED) 2006-02-21 09:49:33 UTC
Comment 4 Tavis Ormandy (RETIRED) 2006-03-17 06:37:33 UTC
games team give permission to mask until a fix is available
Comment 5 Chris Gianelloni (RETIRED) 2006-03-17 11:06:13 UTC
New ebuild, 2.17-r1 has been added and is stable on x86. Other arches will need to test and keyword as appropriate. Sorry for the delay, I'm just now getting back into the swing of bug-fixing.
Comment 6 Tobias Scherbaum (RETIRED) 2006-03-19 13:06:52 UTC
Comment 7 Jason Wever (RETIRED) 2006-03-19 19:14:43 UTC
Comment 8 Jory A. Pratt 2006-03-29 11:02:13 UTC
Comment 9 Stefan Cornelius (RETIRED) 2006-03-29 11:22:41 UTC
GLSA 200603-26 Thanks everybody.