Bug 26783

Summary: app-games/xblockout
Product: Gentoo Security
Reporter: Daniel Ahlberg (RETIRED) <aliz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: critical
CC: games
Priority: Highest
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Daniel Ahlberg (RETIRED) gentoo-dev 2003-08-17 01:04:11 UTC
-------------------------------------------------------------------------- 
Debian Security Advisory DSA 345-1                     security@debian.org 
http://www.debian.org/security/                             Matt Zimmerman 
July 8th, 2003                          http://www.debian.org/security/faq 
-------------------------------------------------------------------------- 
 
Package        : xbl 
Vulnerability  : buffer overflow 
Problem-Type   : local 
Debian-specific: no 
CVE Ids        : CAN-2003-0535 
 
Another buffer overflow was discovered in xbl, distinct from the one 
addressed in DSA-327 (CAN-2003-0451), involving the -display command 
line option.  This vulnerability could be exploited by a local 
attacker to gain gid 'games'.
Comment 1 Mr. Bones. (RETIRED) gentoo-dev 2003-08-17 04:25:05 UTC
Unless I'm missing something, I'm pretty sure this isn't an issue on Gentoo
since xbl isn't installed setgid.

-rwxr-x---    1 games    games      163396 Aug 17 04:21 /usr/games/bin/xbl

I guess if you're running Debian you should be concerned. ;-)
Comment 2 SpanKY gentoo-dev 2003-08-17 11:32:08 UTC
who knows, maybe you can get uid games ... that's a 'semi' issue
Comment 3 Mr. Bones. (RETIRED) gentoo-dev 2003-08-17 14:32:31 UTC
How would that be possible?  The executable isn't setuid or setgid.  Even if
there is an exploitable bug in xbl, the program isn't run with anything other
than the user's permissions and group.
Comment 4 SpanKY gentoo-dev 2003-08-17 16:50:33 UTC
err you're right ... 
 
aliz, you can send out a GLSA but be sure to note that standard Gentoo installs
aren't affected ... the only people who are affected are those who setgid on the
binary themselves
Comment 5 solar (RETIRED) gentoo-dev 2003-09-22 01:12:02 UTC
GLSA deadlock?
Comment 6 Chris Gianelloni (RETIRED) gentoo-dev 2003-10-07 03:48:44 UTC
resolved?
Comment 7 solar (RETIRED) gentoo-dev 2003-12-10 14:52:24 UTC
Re: comment #3 you're right, so changing resolution to INVALID
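
The triage check this thread turns on (does the binary carry a setuid or setgid bit, and for which owner or group), as an added example that is not part of the bug report or of any Gentoo tooling. The function names `elevated_ids` and `audit_dir` are hypothetical; owner and group are read from the POSIX `ls -ld` long format.

```sh
#!/bin/sh
# Added example: report whether a binary runs with IDs other than the
# caller's. Without such a bit, a local overflow in the program yields
# nothing beyond the privileges the user already has.

# elevated_ids FILE
#   prints "setuid:<owner>", "setgid:<group>", both (space separated),
#   or "none"; returns 2 when FILE is not a regular file.
elevated_ids() {
    target=$1
    [ -f "$target" ] || return 2
    # POSIX long format: field 3 is the owner, field 4 the group.
    owner=$(ls -ld -- "$target" | awk '{print $3}')
    group=$(ls -ld -- "$target" | awk '{print $4}')
    out=
    if [ -u "$target" ]; then out="setuid:$owner"; fi
    if [ -g "$target" ]; then out="${out:+$out }setgid:$group"; fi
    printf '%s\n' "${out:-none}"
}

# audit_dir DIR
#   prints "<path> <ids>" for every regular file directly in DIR that
#   has a setuid or setgid bit; prints nothing when none do.
audit_dir() {
    for entry in "$1"/*; do
        [ -f "$entry" ] || continue
        ids=$(elevated_ids "$entry")
        if [ "$ids" != none ]; then
            printf '%s %s\n' "$entry" "$ids"
        fi
    done
}

# Stand-alone use: pass a directory to audit, e.g. the games bindir.
if [ $# -gt 0 ]; then
    audit_dir "$1"
fi
```

For the mode shown in Comment 1 (`-rwxr-x---`), `elevated_ids` prints `none`; a copy that an administrator had marked setgid would be reported as `setgid:<group>`.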