Subject: billard-gl: buffer overflows in $HOME and conf-file
Package: billard-gl
Version: 1.75-6
Severity: normal
Tags: patch
Hello,

I have found two types of buffer overflows in billard-gl. One occurs when the HOME environment variable has a value of about 80 bytes. The other occurs when the ~/.BillardGL.conf.v7 file has very long lines.

The overflows would be exploitable security problems if billard-gl was setuid or setgid something. It isn't, but I think this type of bug should be fixed anyway to avoid irritating crashes.

I have attached a patch, as well as a ~/.BillardGL.conf.v7 file that exhibits the second problem.

( To test the first problem, just do a:
HOME=`perl -e 'print "U" x 80;'` billard-gl )

The patch also changes the size of two char arrays from 40 to 512. The arrays contain the value of $HOME plus "/.BillardGL.conf.v7", so I thought that 40 bytes might not be enough.

// Ulf Harnhammar

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-1-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages billard-gl depends on:
ii  freeglut3 [libglut3]     2.2.0-8           OpenGL Utility Toolkit
ii  libc6                    2.3.2.ds1-20      GNU C Library: Shared libraries an
ii  libgcc1                  1:3.4.3-6         GCC support library
ii  libglut3                 3.7-25            the OpenGL Utility Toolkit
ii  libstdc++5               1:3.3.5-5         The GNU Standard C++ Library v3
ii  libx11-6                 4.3.0.dfsg.1-10   X Window System protocol client li
ii  libxext6                 4.3.0.dfsg.1-10   X Window System miscellaneous exte
ii  libxi6                   4.3.0.dfsg.1-10   X Window System Input extension li
ii  libxmu6                  4.3.0.dfsg.1-10   X Window System miscellaneous util
ii  xlibmesa-gl [libgl1]     4.3.0.dfsg.1-10   Mesa 3D graphics library [XFree86]
ii  xlibmesa-glu [libglu1]   4.3.0.dfsg.1-10   Mesa OpenGL utility library [XFree
ii  xlibs                    4.3.0.dfsg.1-10   X Keyboard Extension (XKB) configu

-- no debconf information
--- src/KommandoZeilenParameter.cpp.old 2002-04-23 18:04:13.000000000 +0200 +++ src/KommandoZeilenParameter.cpp 2005-01-16 22:09:38.000000000 +0100 @@ -8,8 +8,8 @@ void SchreibeKonfiguration(){ FILE *f; #ifndef _WIN32 - char dateiname[40]; - sprintf(dateiname,"%s/.BillardGL.conf.v7",getenv("HOME")); + char dateiname[512]; + snprintf(dateiname,sizeof(dateiname),"%s/.BillardGL.conf.v7",getenv("HOME")); f=fopen(dateiname,"w+"); #endif #ifdef _WIN32 @@ -65,8 +65,8 @@ void SchreibeKonfiguration(){ void LeseKonfiguration(){ FILE *f; #ifndef _WIN32 - char dateiname[40]; - sprintf(dateiname,"%s/.BillardGL.conf.v7",getenv("HOME")); + char dateiname[512]; + snprintf(dateiname,sizeof(dateiname),"%s/.BillardGL.conf.v7",getenv("HOME")); f=fopen(dateiname,"r"); #endif #ifdef _WIN32 @@ -95,9 +95,9 @@ void LeseKonfiguration(){ fscanf(f,"%i",&GrueneLampe); fscanf(f,"%f",&EffektLautstaerke); fscanf(f,"%f",&MusikLautstaerke); - fscanf(f,"%s",Spieler1temp); - fscanf(f,"%s",Spieler2temp); - fscanf(f,"%s",NetzwerkSpielertemp); + fscanf(f,"%9s",Spieler1temp); + fscanf(f,"%9s",Spieler2temp); + fscanf(f,"%9s",NetzwerkSpielertemp); for (int i=0;i<10;i++) { if (Spieler1temp[i]=='%') { Spieler1[i]=' ';
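Review bot: in the first hunk (SchreibeKonfiguration) the new snprintf line still hands getenv("HOME") straight to "%s"; when HOME is unset getenv returns NULL and formatting a NULL string is undefined behaviour, so read it into a variable first and return (or fall back) when it is NULL. The bounded call also truncates silently: with a HOME longer than about 492 bytes the config is written to a shortened path, so compare the return value against sizeof(dateiname) and skip the fopen when the path did not fit, e.g. `if (n < 0 || n >= (int)sizeof(dateiname)) return;`.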
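Review bot: the second hunk (LeseKonfiguration) repeats the path construction of SchreibeKonfiguration verbatim, so the missing NULL-HOME check and the unchecked truncation are now duplicated; a small helper that builds the path once and reports failure would give the read and write paths the same guard and keep the two copies from drifting apart when one is fixed and the other is not.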
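Review bot: the "%9s" width in the third hunk is a literal separate from the declaration of Spieler1temp, Spieler2temp and NetzwerkSpielertemp (not shown; the `i<10` loop below implies 10-byte arrays), so a later resize of those arrays would silently reopen the overflow; derive the width from sizeof the array or a shared constant instead. Two further points on the same lines: the fscanf return values are not checked, so on a short or malformed file the temp buffers keep whatever they held before, and the `for (int i=0;i<10;i++)` loop walks all ten bytes regardless of where the NUL terminator lands, so the arrays should be zeroed (or the loop stopped at '\0') before the '%' replacement runs.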
.BillardGL.conf.v7
Description: Binary data
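As an added, stand-alone example (not code from the report or from billard-gl), this is the shape of the fix the patch is aiming for, with the checks a reviewer would ask for on top: the path builder rejects an unset HOME and a result that would be truncated instead of silently using a shortened path, and the player-name reader derives its scanf width from the array size. The ".BillardGL.conf.v7" suffix and the 10-byte name arrays come from the report; the function names, NAME_LEN and the sample input are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CONF_SUFFIX "/.BillardGL.conf.v7"   /* suffix used by billard-gl */
#define NAME_LEN 10                        /* player-name arrays are 10 bytes */

/* Replacement for sprintf(dateiname,"%s/.BillardGL.conf.v7",getenv("HOME")).
   Returns 1 on success; 0 if HOME is unset or the path would not fit, in
   which case out[] is left empty so a caller cannot open a truncated path. */
int build_conf_path(const char *home, char *out, size_t outlen)
{
    if (home == NULL || out == NULL || outlen == 0)
        return 0;
    int n = snprintf(out, outlen, "%s" CONF_SUFFIX, home);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return 0;
    }
    return 1;
}

/* Replacement for fscanf(f,"%s",Spieler1temp): the field width is built
   from NAME_LEN at run time ("%9s"), so it cannot drift from the array
   size, and the array is zeroed first so the '%' replacement loop that
   follows in billard-gl never examines indeterminate bytes.
   Returns 1 if a token was read, 0 on EOF or mismatch. */
int read_name(FILE *f, char name[NAME_LEN])
{
    char fmt[16];
    memset(name, 0, NAME_LEN);
    snprintf(fmt, sizeof fmt, "%%%ds", NAME_LEN - 1);
    return fscanf(f, fmt, name) == 1;
}

/* Constructed input: a 40-character name line, the "very long line" case
   from the report; the token is clipped to NAME_LEN-1 characters. */
int demo_overlong_name(char name[NAME_LEN])
{
    FILE *f = tmpfile();
    if (f == NULL)
        return 0;
    fputs("UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU\n", f);
    rewind(f);
    int ok = read_name(f, name);
    fclose(f);
    return ok;
}
```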