Security-Announce archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

NetBSD Security Advisory 2010-009: Privilege Handling Errors in larn

Hash: SHA1

                 NetBSD Security Advisory 2010-009

Topic:          Privilege Handling Errors In larn

Version:        NetBSD-current: source prior to February 3, 2008
                NetBSD 5.0.2:           not affected
                NetBSD 5.0:             not affected
                NetBSD 4.0.1:           not affected
                NetBSD 4.0:             affected

Severity:       Unprivileged Local Users Can Gain Access To "games" Group

Fixed:          NetBSD-current:         Feb 3, 2008
                NetBSD-4 branch:        Feb 3, 2008 (4.1 would include the fix)
                NetBSD-4-0 branch:      Feb 3, 2008 (4.0.1 includes the fix)

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Larn, a "rogue-like" game, is installed setgid to the "games" group
to allow access to shared data and high scores. Properly, only
accesses to these objects should be made using the privileges of the
"games" group. However, due to improper privilege handling, the game
always runs with the privileges of the "games" group, opening up a
number of possible ways to allow an unprivileged user to gain improper
access to that group.

There is also an additional problem fixed by the same patch set: when
one wins larn, it sends the user junk mail. This junk mail is prepared
in insecure temporary files. It is likely impractical to use this to
attack another user who is playing larn; however, it might be possible
upon winning larn oneself to exploit it to gain access to the "games"

Technical Details

When games were changed from setuid to setgid (circa 1997) larn was
never updated to switch group IDs instead of user IDs. This meant that
when it tried to drop to a lower privilege level, nothing happened.
Thus the game always runs with access to the games group, and a number
of possible actions (most notably, writing out save files) are done
with access to the games group.

Save files can thus be written into /var/games, possibly overwriting
or damaging files belonging to other games. This creates the
possibility that ordinarily-harmless weaknesses in other games might
be exploited to gain a shell with access to group games. It also
allows denial of service against other games.

Larn also has the ability to start a sub-shell, but it always runs
/bin/csh, which under NetBSD refuses to start when setgid. It is
believed that this path is not exploitable.

Solutions and Workarounds

Removing the setgid bit from /usr/games/larn is a simple and effective
workaround, although larn will not work properly without it.

For all affected NetBSD versions, the proper fix requires obtaining
updated sources, and rebuilding and installing larn.

The fixed sources may be obtained from the NetBSD CVS repository.

The fixes for this vulnerability are contained in the following file
revisions for each CVS branch:

  CVS branch    file                                    revision
  ------------- ----------------                        -----------
  HEAD          src/games/larn/bill.c                   1.9
  HEAD          src/games/larn/header.h                 1.18
  HEAD          src/games/larn/main.c                   1.21
  HEAD          src/games/larn/scores.c                 1.16

  netbsd-4      src/games/larn/bill.c         
  netbsd-4      src/games/larn/header.h       
  netbsd-4      src/games/larn/main.c         
  netbsd-4      src/games/larn/scores.c       

  netbsd-4-0    src/games/larn/bill.c         
  netbsd-4-0    src/games/larn/header.h       
  netbsd-4-0    src/games/larn/main.c         
  netbsd-4-0    src/games/larn/scores.c       

The following instructions briefly summarize how to update and
recompile larn. In these instructions, replace:

  BRANCH   with the appropriate CVS branch (from the above table)
  FILES    with the file names for that branch (from the above table)

To update from CVS, re-build, and re-install larn:

        # cd src
        # cvs update -d -P -r BRANCH FILES
        # cd games/larn
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install

For more information on building (oriented towards rebuilding the
entire system, however) see:

Thanks To

David A. Holland, who found and fixed the problem.

Revision History

        2010-10-21      Initial release

More Information

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at

Information about NetBSD and NetBSD security can be found at and

Copyright 2010, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2010-009.txt,v 1.1 2010/10/21 09:02:57 tonnerre Exp $

Version: GnuPG v1.4.10 (NetBSD)


Home | Main Index | Thread Index | Old Index