Subject: exploitable buffer overflow from ltris.hscr
Package: ltris
Version: 1.0.6-1
Severity: important
Tags: security patch
Hello,

I have found an exploitable buffer overflow in ltris. If an attacker can figure out a way to write to /var/games/ltris.hscr, a buffer overflow will occur when a victim starts ltris, allowing the attacker to run code with the uid of the victim and gid games (as ltris is installed setgid games).

I have attached a patch and a ltris.hscr file that causes this problem.

I have Cc'ed the upstream developer, as the latest upstream version has this bug as well.

// Ulf Harnhammar

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-1-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages ltris depends on:
ii  libc6            2.3.2.ds1-20              GNU C Library: Shared libraries an
ii  libsdl-mixer1.2  1.2.5-9                   mixer library for Simple DirectMed
ii  libsdl1.2debian  1.2.7+1.2.8cvs20041007-4  Simple DirectMedia Layer

-- no debconf information
--- src/chart.c.old 2002-01-12 12:47:18.000000000 +0100 +++ src/chart.c 2005-01-21 21:43:46.000000000 +0100 @@ -134,7 +134,7 @@ int chart_load_from_path( char *path ) if ( aux[0] != '>' ) break; chart = calloc( 1, sizeof( Set_Chart ) ); /* get name: >>>name */ - fscanf( file, ">>>%s\n", setname ); + fscanf( file, ">>>%1023s\n", setname ); chart->name = strdup( setname ); /* entries */ chart_read_entries( file, file_name, chart );
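Review bot: the new width `%1023s` only closes the overflow if `setname` is at least 1024 bytes, and the hunk does not show its declaration; please confirm the size and derive the width from the same constant as the array (one `#define` used for both) so the two cannot drift apart. The `fscanf` return value is still unchecked: if the line does not start with `>>>`, nothing is stored and `chart->name = strdup( setname )` copies whatever the buffer already held. A name longer than 1023 characters is now silently truncated and its remainder stays in the stream, where `chart_read_entries( file, file_name, chart )` will read it as score entries; consider draining the rest of the line or rejecting the file instead. Worth grepping the rest of chart.c for other unbounded `%s` conversions.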
Attachment: ltris.hscr (binary data)
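The following is an added example, not code from ltris or from the report above. It puts the reported pattern (an unbounded `%s` into a fixed buffer) beside a bounded reader for the same `>>>name` header line, and feeds both constructed inputs through `fmemopen` so it runs without a real /var/games/ltris.hscr. The buffer size `SETNAME_MAX`, the helper names, the 64-byte canary test and the sample lines are all assumptions; the only thing taken from the patch is the `>>>name` line format. The bounded reader rejects an overlong line instead of truncating it, so no tail is left in the stream for the entry parser.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical buffer size; the report's hunk never shows setname's declaration,
 * so 1024 is chosen only to match the patch's %1023s width. */
#define SETNAME_MAX 1024

/* The reported pattern: unbounded %s into a fixed buffer. A name longer than the
 * buffer overruns it. Kept for comparison, never called on untrusted input. */
static int load_setname_unbounded(FILE *f, char *setname)
{
    return fscanf(f, ">>>%s\n", setname) == 1;
}

/* Hardened reader: read one whole line with fgets, reject a line that did not
 * fit (no trailing newline), require the ">>>" marker, and copy the name only
 * if it fits the caller's buffer including the terminating NUL. */
static int load_setname_bounded(FILE *f, char *setname, size_t setname_sz)
{
    char line[SETNAME_MAX + 8];          /* ">>>" + name + "\n" + NUL */
    size_t len, nlen;
    const char *name;
    int c;

    if (setname_sz == 0 || fgets(line, sizeof line, f) == NULL)
        return 0;
    len = strlen(line);
    if (len == 0 || line[len - 1] != '\n') {
        /* Overlong line: drain it so its tail is not later parsed as score
         * entries, then report failure instead of silently truncating. */
        while ((c = fgetc(f)) != EOF && c != '\n')
            ;
        return 0;
    }
    line[--len] = '\0';
    if (len > 0 && line[len - 1] == '\r')  /* tolerate CRLF files */
        line[--len] = '\0';
    if (strncmp(line, ">>>", 3) != 0)
        return 0;
    name = line + 3;
    nlen = strlen(name);
    if (nlen == 0 || nlen >= setname_sz)
        return 0;
    memcpy(setname, name, nlen + 1);
    return 1;
}

/* Run the bounded reader over an in-memory chart header (constructed input,
 * not the attachment from the report). Returns 1 on accept, 0 on reject. */
static int setname_from_text(const char *text, char *out, size_t outsz)
{
    FILE *f = fmemopen((void *)text, strlen(text), "r");
    int ok;
    if (f == NULL)
        return -1;
    ok = load_setname_bounded(f, out, outsz);
    fclose(f);
    return ok;
}

/* A well-formed header is accepted and the name copied verbatim. */
static int demo_accepts_short_name(void)
{
    char name[SETNAME_MAX];
    return setname_from_text(">>>Classic\n0 abc 1200\n", name, sizeof name) == 1
        && strcmp(name, "Classic") == 0;
}

/* A 4000-byte name, the shape of a crafted ltris.hscr, is rejected and the
 * 64-byte destination is never written past its end (canary bytes survive). */
static int demo_rejects_overlong_name(void)
{
    char text[4100];
    char dst[64 + 8];
    int rc;
    memset(dst, 'C', sizeof dst);        /* canary after the 64-byte name slot */
    memcpy(text, ">>>", 3);
    memset(text + 3, 'A', 4000);
    memcpy(text + 4003, "\n", 2);        /* newline plus NUL terminator */
    rc = setname_from_text(text, dst, 64);
    return rc == 0 && dst[64] == 'C' && dst[71] == 'C';
}

/* A line without the ">>>" marker is rejected rather than leaving stale
 * buffer contents for the caller to strdup. */
static int demo_rejects_missing_marker(void)
{
    char name[SETNAME_MAX];
    return setname_from_text("Classic\n", name, sizeof name) == 0;
}

int main(void)
{
    printf("short name:     %s\n", demo_accepts_short_name() ? "accepted" : "FAILED");
    printf("4000-byte name: %s\n", demo_rejects_overlong_name() ? "rejected safely" : "FAILED");
    printf("missing marker: %s\n", demo_rejects_missing_marker() ? "rejected" : "FAILED");
    (void)load_setname_unbounded;        /* reference only; never run on input */
    return 0;
}
```

Unlike the patch's `%1023s`, which keeps `%s` semantics (leading whitespace skipped, name ends at the first whitespace), this reader takes the rest of the line as the name; if ltris needs the token behaviour, split on whitespace after the bounds check rather than before it.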