Package: freeglut3
Version: 2.4.0-5.1
Severity: normal
Usertags: sourcescan

The freeglut3 package contains the following code in src/freeglut_joystick.c:

    sprintf( joyfname, "%s/.joy%drc", getenv( "HOME" ), joy->id );

Here it attempts to copy the contents of $HOME into a fixed-size buffer, rendering any setuid/setgid project using the library vulnerable to arbitrary code execution. (I'm unaware of any such program, hence the normal severity of this bug).

As an example picked at random, space-orbit links to this library, and can be crashed via:

    [EMAIL PROTECTED]:~$ cd /usr/lib/games/orbit
    [EMAIL PROTECTED]:/usr/lib/games/orbit$ HOME=`perl -e 'print "X"x9999'` ./orbit
    Segmentation fault
    [EMAIL PROTECTED]:/usr/lib/games/orbit$

Note that the crash occurs because of freeglut3 *not* because of a bug in the game itself...

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.18-xen (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages freeglut3 depends on:
ii  libc6                     2.5-11     GNU C Library: Shared libraries
ii  libgl1-mesa-glx [libgl1]  6.5.2-5    A free implementation of the OpenG
ii  libglu1-mesa [libglu1]    6.5.2-5    The OpenGL utility library (GLU)
ii  libx11-6                  2:1.0.3-7  X11 client-side library
ii  libxext6                  1:1.0.3-2  X11 miscellaneous extension librar

freeglut3 recommends no packages.

-- no debconf information

Steve
--
# The Debian Security Audit Project. http://www.debian.org/security/audit
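
A bounded way to build the same path, as an added example that is not part of the original report or freeglut's own code. The helper name `build_joy_rc_path` and the 1024-byte `JOY_FNAME_MAX` are assumptions for illustration; the helper rejects an unset or overlong `HOME` instead of overflowing or silently truncating.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size for illustration; the report does not give the real one. */
#define JOY_FNAME_MAX 1024

/*
 * Hypothetical helper (not freeglut code): write "<home>/.joy<id>rc" to out.
 * Returns 0 on success, -1 if home is unset/empty or the path does not fit.
 */
int build_joy_rc_path(char *out, size_t outlen, const char *home, int id)
{
    int n;

    if (out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';
    if (home == NULL || home[0] == '\0')   /* getenv() can return NULL */
        return -1;

    /* snprintf never writes past outlen and reports the length it needed */
    n = snprintf(out, outlen, "%s/.joy%drc", home, id);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';                     /* reject, do not use a truncated path */
        return -1;
    }
    return 0;
}

int main(void)
{
    char joyfname[JOY_FNAME_MAX];
    char longhome[10000];

    /* Constructed input: the 9999-byte HOME used in the report */
    memset(longhome, 'X', sizeof longhome - 1);
    longhome[sizeof longhome - 1] = '\0';

    if (build_joy_rc_path(joyfname, sizeof joyfname, getenv("HOME"), 0) == 0)
        printf("rc file: %s\n", joyfname);
    printf("overlong HOME -> %d\n",
           build_joy_rc_path(joyfname, sizeof joyfname, longhome, 0));
    return 0;
}
```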