Subject: bin/18507: rogue buffer overflow vulnerability
To: None <gnats-bugs@gnats.netbsd.org>
From: None <eravin@panix.com>
List: netbsd-bugs
Date: 10/02/2002 09:40:26
>Number:         18507
>Category:       bin
>Synopsis:       rogue buffer overflow vulnerability
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Oct 02 09:41:00 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Ed Ravin
>Release:        1.6
>Organization:
Public Access Networks
>Environment:
NetBSD panix5.panix.com 1.6 NetBSD 1.6 (PANIX-USER) #0: Fri Sep 13 20:17:38 EDT 2002     root@trinity.nyc.access.net:/devel/netbsd/1.6/src/sys/arch/i386/compile/PANIX-USER i386
>Description:
A report on bugtraq and freebsd-security claims that rogue, when invoked by /usr/games/dm with setgid games, can be buffer-overflowed for privilege escalation to group games.

Author of report was stanojr@iserver.sk.
>How-To-Repeat:
Report had exploit attached.
>Fix:
Author of report claims vulnerable code is in file save.c, function read_string.
>Release-Note:
>Audit-Trail:
>Unformatted: