[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
NetBSD Security Advisory 2009-007: Buffer overflows in hack(6)
-----BEGIN PGP SIGNED MESSAGE-----
NetBSD Security Advisory 2009-007
Topic: Buffer overflows in hack(6)
Version: NetBSD-current: source prior to June 30, 2009
NetBSD 5.0: affected
NetBSD 4.0.1: affected
NetBSD 4.0: affected
Severity: Unprivileged local users can gain access to "games" group
Fixed: NetBSD-current: June 29, 2009
NetBSD-5 branch: June 29, 2009
(5.1 will include the fix)
NetBSD-5-0 branch: June 29, 2009
(5.0.1 will include the fix)
NetBSD-4 branch: June 29, 2009
(4.1 will include the fix)
NetBSD-4-0 branch: June 29, 2009
(4.0.2 will include the fix)
Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.
Hack, a "rogue-like" game, is installed setgid to the "games" group
to allow access to shared data and high scores and allow saved games
to be stored where they cannot be tampered with. Buffer handling
shortcomings allow arbitrary code execution with the privilege of the
"games" group, which can then be used to attack other users playing
The gethdate() function contains a stack-based buffer overflow
vulnerability that can be exploited by setting the PATH environment
The main() function contains a data-segment-based buffer overflow bug
attackable in wizard mode by the GENOCIDED environment variable; this
may be exploitable via function pointers elsewhere in the data segment.
Multiple other string handling weaknesses exist that may or may not be
attackable and may or may not be exploitable.
Solutions and Workarounds
Removing the setgid bit from /usr/games/hack is a simple and effective
workaround, although hack will not work properly without it.
For all affected NetBSD versions, the proper fix requires obtaining
updated sources, and rebuilding and installing hack. Fixed sources may
be obtained from the NetBSD CVS repository.
Systems running NetBSD-current dated from before 2009-06-30
should be upgraded to NetBSD-current dated 2009-06-30 or later.
* NetBSD 5.0_STABLE and 5.0.0_PATCH:
The binary distribution of NetBSD 5.0 is vulnerable.
Systems running NetBSD 5.0 sources dated from before
2009-06-30 should be upgraded from NetBSD 5.0 sources
dated 2009-06-30 or later.
NetBSD 5.0.1 and 5.1 will include the fix.
* NetBSD 4.0_STABLE and 4.0.1_PATCH:
The binary distribution of NetBSD 4.0 is vulnerable.
Systems running NetBSD 4.0 sources dated from before
2009-06-30 should be upgraded from NetBSD 4.0 sources
dated 2009-06-30 or later.
NetBSD 4.0.2 and 4.1 will include the fix.
* For all releases:
The following directories need to be updated from the
appropriate CVS branch:
To update from CVS, re-build, and re-install hack:
# cd src
# cvs update -d -P games/hack
# cd games/hack
# make USETOOLS=no cleandir obj
# make USETOOLS=no dependall install
This will select the fixes for the branch you have already
checked out in your source tree.
For more information on building (oriented towards rebuilding the
entire system, however) see:
David A. Holland found and fixed the problems.
2009-06-30 Initial release
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.
Copyright 2009, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2009-007.txt,v 1.1 2009/06/30 18:48:33 tonnerre Exp $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (NetBSD)
-----END PGP SIGNATURE-----
Main Index |
Thread Index |