Bugtraq mailing list archives

NetBSD Security Advisory 2002-021: rogue vulnerability
From: NetBSD Security Officer <security-officer () netbsd org>
Date: Tue, 08 Oct 2002 14:28:18 +0900

-----BEGIN PGP SIGNED MESSAGE-----


                 NetBSD Security Advisory 2002-021
                 =================================

Topic:          rogue vulnerability

Version:        NetBSD-current: source prior to October 2, 2002
                NetBSD 1.6:     affected
                NetBSD-1.5.3:   affected
                NetBSD-1.5.2:   affected
                NetBSD-1.5.1:   affected
                NetBSD-1.5:     affected

Severity:       Local user can elevate privileges to group "games"

Fixed:          NetBSD-current:         October 2, 2002
                NetBSD-1.6 branch:      October 3, 2002
                                        (1.6.1 will include the fix)
                NetBSD-1.5 branch:      October 3, 2002


Abstract
========

There are several buffer overflows in the processing of saved games
when restarting rogue(6), which allow a local user to obtain the
privileges of group "games".


Technical Details
=================

When rogue(6) saves a game for later, it writes a string length with
each string in the save file.  When re-reading the file for continuing
the game, this value was used unbounded when reading the string,
allowing a hand-crafted save file to overflow a buffer.

All read operations from the save file are now correctly bounded.
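
The bounded read described above, as an added example that is not part of the original advisory and is not NetBSD's patch. The record layout, read_string_bounded() and check_record() are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed record layout (an assumption, not rogue's real save format):
 * a native-endian short length, then that many bytes with no NUL.
 * The unbounded pattern the advisory describes would be:
 *     fread(&n, sizeof(n), 1, fp);
 *     fread(buf, 1, n, fp);        // n is attacker-controlled file data
 */

/* Bounded reader: 0 on success, -1 on a short read or unacceptable length. */
int read_string_bounded(FILE *fp, char *buf, size_t bufsize)
{
    short n;

    if (bufsize == 0 || fread(&n, sizeof(n), 1, fp) != 1)
        return -1;
    /* Reject negative lengths and any length that leaves no room for NUL. */
    if (n < 0 || (size_t)n >= bufsize)
        return -1;
    if (n > 0 && fread(buf, 1, (size_t)n, fp) != (size_t)n)
        return -1;                  /* file ends before the claimed length */
    buf[n] = '\0';
    return 0;
}

/* Hypothetical helper: write one constructed record to a temp file
 * (claimed length plus `actual` payload bytes) and read it back. */
int check_record(short claimed, const char *data, size_t actual,
                 char *out, size_t outsize)
{
    FILE *fp = tmpfile();
    int rc;

    if (fp == NULL)
        return -2;
    fwrite(&claimed, sizeof(claimed), 1, fp);
    fwrite(data, 1, actual, fp);
    rewind(fp);
    rc = read_string_bounded(fp, out, outsize);
    fclose(fp);
    return rc;
}

int main(void)
{
    char name[16];
    printf("valid record:     %d\n", check_record(5, "hello", 5, name, sizeof name));
    printf("oversized length: %d\n", check_record(500, "AAAA", 4, name, sizeof name));
    printf("negative length:  %d\n", check_record(-1, "", 0, name, sizeof name));
    return 0;
}
```
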


Solutions and Workarounds
=========================

The easiest solution to this problem is to simply remove the set-gid
bit from rogue(6):

        # chmod g-s /usr/games/rogue

This only impacts rogue's ability to save scores.


The following instructions describe how to upgrade your rogue(6)
binaries by updating your source tree and rebuilding and
installing a new version of rogue(6).

* NetBSD-current:

        Systems running NetBSD-current dated from before 2002-10-02
        should be upgraded to NetBSD-current dated 2002-10-02 or later.

        The following directories need to be updated from the
        netbsd-current CVS branch (aka HEAD):
                games/rogue

        To update from CVS, re-build, and re-install rogue(6):
                # cd src
                # cvs update -d -P games/rogue
                # cd games/rogue

                # make cleandir dependall
                # make install


* NetBSD 1.6:

        Systems running NetBSD 1.6 sources dated from before
        2002-10-03 should be upgraded from NetBSD 1.6 sources dated
        2002-10-03 or later.

        NetBSD 1.6.1 will include the fix.

        The following directories need to be updated from the
        netbsd-1-6 CVS branch:
                games/rogue

        To update from CVS, re-build, and re-install rogue(6):

                # cd src
                # cvs update -d -P -r netbsd-1-6 games/rogue
                # cd games/rogue

                # make cleandir dependall
                # make install


        Alternatively, apply the following patch (with potential offset
        differences):
                ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA20020-021-rogue.patch

        To patch, re-build and re-install rogue(6):

                # cd src/games/rogue
                # patch < /path/to/SA20020-021-rogue.patch

                # make cleandir dependall
                # make install


* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:

        Systems running NetBSD 1.5, 1.5.1, 1.5.2, or 1.5.3 sources dated
        from before 2002-10-03 should be upgraded from NetBSD 1.5.*
        sources dated 2002-10-03 or later.

        The following directories need to be updated from the
        netbsd-1-5 CVS branch:
                games/rogue

        To update from CVS, re-build, and re-install rogue(6):

                # cd src
                # cvs update -d -P -r netbsd-1-5 games/rogue
                # cd games/rogue

                # make cleandir dependall
                # make install


        Alternatively, apply the following patch (with potential offset
        differences):
                ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA20020-021-rogue.patch

        To patch, re-build and re-install rogue(6):

                # cd src/games/rogue
                # patch < /path/to/SA20020-021-rogue.patch

                # make cleandir dependall
                # make install


Thanks To
=========

stanojr for reporting this problem, matthew green for providing a solution
and Simon Burge for helping test the solution.


Revision History
================

        2002-10-08      Initial release


More Information
================

Advisories may be updated as new information comes to hand.  The most
recent version of this advisory (PGP signed) can be found at 
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-021.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2002, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2002-021.txt,v 1.7 2002/10/08 03:43:35 itojun Exp $


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBPaJUZz5Ru2/4N2IFAQEGqAP+KPqDJtYlSlECwS2XVlS4YGgJQUKM606p
UX8Rwzt0BMcBAO60HedJrWwJCY6xdcvp0s6SKuHe+o1Cb4Sf5Q/b0z2U4nW+UTtV
+P3WEU15O//23v6dgWy8ePxqAlnnx3LvU9fFwbkqheUnyPsyDEaM9izsr9J8/p6L
vIf3dolEhTA=
=Rtnl
-----END PGP SIGNATURE-----

