Bug 26779

Summary:	app-games/netris
Product:	Gentoo Security	Reporter:	Daniel Ahlberg (RETIRED) <aliz>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	critical	CC:	games
Priority:	Highest
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---

Description Daniel Ahlberg (RETIRED) gentoo-dev

2003-08-17 00:42:00 UTC

-------------------------------------------------------------------------- 
Debian Security Advisory DSA 372-1                     security@debian.org 
http://www.debian.org/security/                             Matt Zimmerman 
August 16th, 2003                       http://www.debian.org/security/faq 
-------------------------------------------------------------------------- 
 
Package        : netris 
Vulnerability  : buffer overflow 
Problem-Type   : remote 
Debian-specific: no 
CVE Ids        : CAN-2003-0685 
 
Shaun Colley discovered a buffer overflow vulnerability in netris, a 
network version of a popular puzzle game.  A netris client connecting 
to an untrusted netris server could be sent an unusually long data 
packet, which would be copied into a fixed-length buffer without 
bounds checking.  This vulnerability could be exploited to gain the 
priviliges of the user running netris in client mode, if they connect 
to a hostile netris server.

Comment 1 solar (RETIRED) gentoo-dev

2003-09-22 00:52:10 UTC

games-arcade/netris-0.5 is what is currently in portage.

The buffer overflow effects Netris 0.52 and and earlier, and possibly other versions.

I checked the netris download site to see if there was anything newer but it seems there exists none at ftp://ftp.netris.org/pub/netris/

Netris needs to be package.masked / fixed / patched / removed from portage.

Comment 2 SpanKY gentoo-dev

2003-09-23 20:11:14 UTC

0.52 with the security fixes is now in portage

Comment 3 solar (RETIRED) gentoo-dev

2003-12-10 15:12:46 UTC

changing resolution to FIXED (Not sending GLSA)