tetris-bsd reads high score info insecurely

Related Vulnerabilities: CVE-2006-1539  

Debian Bug report logs - #361160

Reported by: Joey Hess <joeyh@debian.org>

Date: Thu, 6 Apr 2006 23:03:14 UTC

Severity: normal

Tags: security

Found in version bsdgames/2.17-5

Fixed in version 2.17-6

Done: Joey Hess <joeyh@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org:
Bug#361160; Package bsdgames.


Acknowledgement sent to Joey Hess <joeyh@debian.org>:
New Bug report received and forwarded.


Message #5 received at submit@bugs.debian.org:

From: Joey Hess <joeyh@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Cc: "Joseph S. Myers" <jsm@polyomino.org.uk>
Subject: tetris-bsd reads high score info insecurely
Date: Thu, 6 Apr 2006 18:58:13 -0400
Package: bsdgames
Version: 2.17-5
Tags: security
Severity: normal

See http://bugs.gentoo.org/show_bug.cgi?id=122399 for details; this is
CVE-2006-1539.

  The player's name is printed into a buffer using sprintf without validation,
  causing a classic stack overflow. On another occasion, the level is read from
  the file without validation, which is then used as an offset into an integer
  stack array and written to. While what's written can't be controlled, this could
  be enough to modify a ret addr enough to execute arbitrary code read from the
  score file.

Note that Debian is not as prone to exploit as Gentoo, since they
apparently have regular users in group games. However, this is still a
bug in bsdgames and can still contribute to exploits: If some other game
is exploited and an attacker gains group games then they can use this
bug to take over accounts that run tetris-bsd.

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16-1-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages bsdgames depends on:
ii  libc6                     2.3.6-4        GNU C Library: Shared libraries an
ii  libgcc1                   1:4.1.0-1      GCC support library
ii  libncurses5               5.5-1          Shared libraries for terminal hand
ii  libstdc++6                4.1.0-1        The GNU Standard C++ Library v3
ii  miscfiles [wordlist]      1.4.2.dfsg.1-1 Dictionaries and other interesting
ii  wamerican [wordlist]      6-2            American English dictionary words 
ii  wbritish [wordlist]       6-2            British English dictionary words f

bsdgames recommends no packages.

-- no debconf information

-- 
see shy jo
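
The two flaws described in the report above (an unbounded sprintf of a name read from the score file, and a level from the file used unchecked as an array index) can be closed with a bounded format and a range check. This is an added example, not the bsdgames code or its patch; the record layout, limits and function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical record layout and limits, chosen for this example only. */
#define NAME_LEN  20
#define MIN_LEVEL 1
#define MAX_LEVEL 9
struct score_rec {
    char name[NAME_LEN]; /* raw file bytes: may have no NUL terminator */
    int  score;
    int  level;          /* raw file value: may be any int */
};

/* Unsafe pattern the report describes, for contrast (not compiled):
 *   sprintf(line, "%s %d", rec->name, rec->score);  unbounded copy
 *   per_level[rec->level]++;                        unchecked index */

/* Validate one record, format it into line, count it per level.
 * Returns 0 if accepted, -1 if rejected (per_level is then untouched). */
int tally_record(const struct score_rec *rec, int *per_level,
                 char *line, size_t line_sz)
{
    if (rec->level < MIN_LEVEL || rec->level > MAX_LEVEL)
        return -1;                /* index would leave the array */
    /* %.*s reads at most NAME_LEN bytes, so a missing NUL is harmless;
     * snprintf never writes more than line_sz bytes. */
    int n = snprintf(line, line_sz, "%.*s %d", NAME_LEN, rec->name, rec->score);
    if (n < 0 || (size_t)n >= line_sz)
        return -1;                /* line buffer too small for record */
    per_level[rec->level]++;
    return 0;
}

/* Feed three constructed records through; returns how many were accepted. */
int run_constructed_samples(void)
{
    int per_level[MAX_LEVEL + 1] = {0}, accepted = 0;
    char line[64];
    struct score_rec recs[3] = {
        { "alice", 1200, 3 },     /* well-formed */
        { "bob", 10, 4096 },      /* level far outside the array */
        { "", 5, MAX_LEVEL },     /* name overwritten below */
    };
    memset(recs[2].name, 'A', NAME_LEN);   /* fills the field, no NUL */
    for (int i = 0; i < 3; i++)
        accepted += tally_record(&recs[i], per_level, line, sizeof line) == 0;
    return accepted;
}

int main(void) { printf("accepted %d of 3\n", run_constructed_samples()); return 0; }
```

Because the score file is writable by anyone in group games, every field read from it is treated as untrusted input and rejected before it reaches a buffer or an index.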

Reply sent to Joey Hess <joeyh@debian.org>:
You have taken responsibility.


Notification sent to Joey Hess <joeyh@debian.org>:
Bug acknowledged by developer.


Message #10 received at 361160-done@bugs.debian.org:

From: Joey Hess <joeyh@debian.org>
To: 361160-done@bugs.debian.org
Subject: fixed
Date: Mon, 14 May 2007 15:16:29 -0400
Version: 2.17-6

This was patched last year, but I forgot the bug number in the
changelog.

-- 
see shy jo

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 02:34:16 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:17:46 2019; Machine Name: beach
