Subject: buffer overflows from HOME env-var or .bumprace file
Package: bumprace
Version: 1.4.6-2
Severity: normal
Tags: patch

Hello,

I have found two buffer overflows in bumprace.

One occurs when the HOME environment variable has a value of about 256
bytes. The other occurs when the ~/.bumprace file has very long lines.

Both buffer overflows give you full control over the EIP register. They
would be exploitable security problems if bumprace were setuid or setgid
something. It isn't, but I think this type of bug should be fixed anyway
to avoid irritating crashes.

I have attached a patch, as well as a ~/.bumprace file that exhibits
the second problem. (To test the first problem, just run:
HOME=`perl -e 'print "U" x 256;'` bumprace -w )

// Ulf Harnhammar

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-1-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages bumprace depends on:
ii  bumprace-da 1.4.6-2                      Data files for bumprace
ii  libc6       2.3.2.ds1-20                 GNU C Library: Shared libraries an
ii  libjpeg62   6b-9                         The Independent JPEG Group's JPEG 
ii  libpng12-0  1.2.8rel-1                   PNG library - runtime
ii  libsdl-mixe 1.2.5-9                      mixer library for Simple DirectMed
ii  libsdl1.2de 1.2.7+1.2.8cvs20041007-3.0.1 Simple DirectMedia Layer
ii  zlib1g      1:1.2.2-3                    compression library - runtime

-- no debconf information

--- src/options.c.old	2003-07-21 18:03:46.000000000 +0200
+++ src/options.c	2005-01-16 03:12:21.000000000 +0100
@@ -10,7 +10,7 @@ FILE *OpenOptionsFile( char *mode )
     FILE *file;
     
     if ((char *)getenv("HOME") != NULL)
-	sprintf( filename, "%s/.bumprace", getenv("HOME"));
+	snprintf( filename, sizeof(filename), "%s/.bumprace", getenv("HOME"));
     else
 	sprintf( filename, "bumprace.dat");
 
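Review bot: the snprintf on the `+` line bounds the write but ignores truncation: with a HOME longer than the buffer it silently produces a cut-off filename that the code then goes on to open. Keep the return value and treat `n < 0 || n >= sizeof(filename)` as an error (fall back to `bumprace.dat` or refuse to open). Two smaller points on the same lines: `sizeof(filename)` is only right if `filename` is a char array in this translation unit rather than a pointer, which the hunk does not show, and `getenv("HOME")` is called twice with a redundant `(char *)` cast; fetch it once into a local and test that.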
@@ -52,7 +52,7 @@ void ReadOptions()
 
     fscanf(file, "%*s%*s%*s%*s\n");
     for (i=0;i<10;i++)
-	fscanf(file, "%[^\n]\n",&Player[i]);
+	fscanf(file, "%199[^\n]\n",&Player[i]);
     for (i=0;i<10;i++)
 	fscanf(file, "%d\n",&Hiscore[i]);
 //    for (i=0;i<10;i++)
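Review bot: the `199` in `%199[^\n]` hard-codes the size of `Player[i]`, which is not visible in this hunk; derive the width from the array's declaration (a macro or a format string built from it) so the two cannot drift apart. The fix also changes behaviour for over-long lines without handling it: once 199 characters have been consumed, the rest of the line stays in the stream, the next iteration reads it as the next player name, and the `%d` reads into `Hiscore[i]` below are shifted or fail. Check the return value of each `fscanf` and discard the remainder of the line after a bounded read. Finally, `&Player[i]` passes a pointer to the array where a `char *` is expected; `Player[i]` is the correct argument.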

Attachment: .bumprace
Description: Binary data
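As an added example, not part of the bug report or of bumprace's own source, the following C shows the two patterns the report describes (an unbounded sprintf of $HOME, and an unbounded `%[^\n]` read of the options file) beside hardened versions that also handle the two failure modes a one-line patch leaves open: a truncated path and a line longer than the name buffer. The buffer sizes PATH_BUF, NAME_LEN and NPLAYERS, all function names, and the constructed inputs are assumptions for illustration; the report's reproducer (a HOME of 256 "U" bytes) is reused as one of the inputs.

```c
/* Added example, not bumprace code. Sizes and names below are assumptions:
 * PATH_BUF models the filename buffer in options.c, NAME_LEN models Player[i]
 * (the patch's %199 suggests 200 bytes), NPLAYERS the loop bound. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_BUF 256
#define NAME_LEN 200
#define NPLAYERS 10

/* Pattern 1 as reported: unbounded sprintf of $HOME into a fixed buffer.
 * A HOME of ~256 bytes writes past the end of `out`. Kept only for
 * contrast; it is never called. */
void build_options_path_unsafe(char out[PATH_BUF], const char *home)
{
    sprintf(out, "%s/.bumprace", home);
}

/* Hardened: bounded write plus a truncation check, so an over-long HOME
 * becomes an error instead of a silently shortened filename.
 * Returns 0 on success, -1 if HOME is unset, -2 if the path does not fit. */
static int build_options_path(char *out, size_t outsz, const char *home)
{
    if (home == NULL)
        return -1;
    int n = snprintf(out, outsz, "%s/.bumprace", home);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return -2;
    }
    return 0;
}

/* Pattern 2: reading NPLAYERS name lines. fscanf("%[^\n]") is unbounded;
 * "%199[^\n]" bounds the write but leaves the tail of a longer line in the
 * stream, so the next iteration reads it as a name and later fields shift.
 * Here a line that does not fit is rejected outright.
 * Returns the number of names read, or -1 on an over-long line. */
static int read_player_names(FILE *f, char names[NPLAYERS][NAME_LEN])
{
    char line[NAME_LEN + 1];   /* up to NAME_LEN-1 chars + '\n' + NUL */
    int i;
    for (i = 0; i < NPLAYERS; i++) {
        if (fgets(line, sizeof line, f) == NULL)
            break;
        size_t len = strlen(line);
        if (len > 0 && line[len - 1] == '\n')
            line[--len] = '\0';
        else if (len == sizeof line - 1)
            return -1;             /* buffer filled without seeing '\n' */
        memcpy(names[i], line, len + 1);
    }
    return i;
}

/* Feeds constructed text through read_player_names via a temp file. */
static int parse_players_text(const char *text, char names[NPLAYERS][NAME_LEN])
{
    FILE *f = tmpfile();
    if (f == NULL)
        return -1;
    fputs(text, f);
    rewind(f);
    int r = read_player_names(f, names);
    fclose(f);
    return r;
}

/* Constructed input mirroring the report's reproducer: HOME of n 'U' bytes. */
static int path_result_for_home_of(size_t n)
{
    char home[1024], out[PATH_BUF];
    if (n >= sizeof home)
        return -99;
    memset(home, 'U', n);
    home[n] = '\0';
    return build_options_path(out, sizeof out, home);
}

/* Constructed input: a single options line of n 'A' bytes. */
static int names_result_for_line_of(size_t n)
{
    char text[1024], names[NPLAYERS][NAME_LEN];
    if (n + 2 > sizeof text)
        return -99;
    memset(text, 'A', n);
    text[n] = '\n';
    text[n + 1] = '\0';
    return parse_players_text(text, names);
}

int main(void)
{
    printf("HOME of 9 bytes:   %d\n", path_result_for_home_of(9));     /* 0 */
    printf("HOME of 256 bytes: %d\n", path_result_for_home_of(256));   /* -2 */
    printf("199-char name:     %d\n", names_result_for_line_of(199));  /* 1 */
    printf("200-char name:     %d\n", names_result_for_line_of(200));  /* -1 */
    return 0;
}
```

The path check reports truncation at exactly the point where `snprintf` would have needed `outsz` or more bytes (245 "U"s plus "/.bumprace" still fits in 256; 246 does not), and the line reader refuses a 200-character name rather than splitting it across two `Player[]` entries, which is the residual problem with a bare width specifier.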