Subject: NetBSD Security Advisory 2006-018: sail(6), dm(8) and tetris(6) buffer overflows
To: None <tech-security@NetBSD.org>
From: NetBSD Security-Officer <security-officer@netbsd.org>
List: tech-security
Date: 08/10/2006 21:29:01
NetBSD Security Advisory 2006-018
=================================
Topic:          sail(6), dm(8) and tetris(6) buffer overflows
Version:        NetBSD-current: source prior to June 01, 2006
                NetBSD 3.0:     affected
                NetBSD 2.1:     affected
                NetBSD 2.0.*:   affected
                NetBSD 2.0:     affected
Severity:       Local privilege escalation
Fixed:          NetBSD-current:         June 01, 2006
                NetBSD-3-0 branch:      June 08, 2006
                                        (3.0.1 includes the fix)
                NetBSD-3 branch:        June 08, 2006
                NetBSD-2-1 branch:      June 08, 2006
                                        (2.1.1 will include the fix)
                NetBSD-2-0 branch:      June 08, 2006
                                        (2.0.4 will include the fix)
                NetBSD-2 branch:        June 08, 2006
Abstract
========
The sail, dungeon master arbiter and tetris games all contain buffer
overflows. These programs are installed sgid games, and when
successfully exploited the vulnerabilities may allow an attacker to
elevate their privileges to the games group.
The sail vulnerability has been assigned CVE reference CVE-2006-1744.
The tetris vulnerability has been assigned CVE reference CVE-2006-1539.
Technical Details
=================
* When processing user supplied input, sail and dm do not check the
  length of the string supplied by the user before storing it.
* When storing user supplied input, tetris does not check the length
  of the string before storing it.
* When reading in the tetris scores file the data is not validated
  before it is stored.
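Added example (not part of the advisory and not taken from the NetBSD
source): the two checks the bullets above say were missing, a length
check before copying user input into a fixed buffer and field validation
of records read from a scores file. The buffer size, limits, record
layout and function names are hypothetical.

```c
#include <stddef.h>
#include <string.h>

#define NAME_MAX_LEN 20   /* hypothetical name buffer size */
#define MAX_LEVEL    9    /* hypothetical highest valid level */
#define MAX_RECORDS  4    /* hypothetical capacity of the score table */

struct score_rec {        /* hypothetical on-disk record layout */
    char name[NAME_MAX_LEN];
    int  level;
    int  score;
};

/* Copy user input into a fixed buffer; reject it instead of overflowing.
 * Returns 0 on success, -1 if src plus its NUL does not fit. */
int store_name(char *dst, size_t dstsize, const char *src)
{
    size_t len = strlen(src);
    if (dstsize == 0 || len >= dstsize)
        return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

/* A record from the file is used only after every field is checked. */
int record_is_valid(const struct score_rec *r)
{
    if (memchr(r->name, '\0', sizeof r->name) == NULL)
        return 0;         /* name is not terminated inside its field */
    if (r->level < 0 || r->level > MAX_LEVEL)
        return 0;         /* level outside the range the program expects */
    return r->score >= 0;
}

/* Load records from an untrusted byte buffer (the file contents).
 * Returns the number accepted, or -1 if the data is malformed. */
int load_scores(const unsigned char *buf, size_t len, struct score_rec *out)
{
    size_t n = len / sizeof(struct score_rec);
    if (len % sizeof(struct score_rec) != 0 || n > MAX_RECORDS)
        return -1;        /* truncated data, or more records than fit */
    for (size_t i = 0; i < n; i++) {
        memcpy(&out[i], buf + i * sizeof(struct score_rec), sizeof out[i]);
        if (!record_is_valid(&out[i]))
            return -1;
    }
    return (int)n;
}
```
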
Solutions and Workarounds
=========================
The following instructions describe how to upgrade your games binaries
by updating your source tree and rebuilding and installing a new
version of dm, sail and tetris.
* NetBSD-current:

        Systems running NetBSD-current dated from before 2006-06-01
        should be upgraded to NetBSD-current dated 2006-06-02 or later.

        The following files need to be updated from the
        netbsd-current CVS branch (aka HEAD):
                games/dm/dm.c
                games/sail/pl_main.c
                games/tetris/scores.c

        To update from CVS, re-build, and re-install dm, sail and tetris:
                # cd src
                # cvs update -d -P games/dm/dm.c
                # cvs update -d -P games/sail/pl_main.c
                # cvs update -d -P games/tetris/scores.c
                # cd games/dm
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
                # cd ../sail
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
                # cd ../tetris
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* NetBSD 3.*:

        Systems running NetBSD 3.* sources dated from before
        2006-06-08 should be upgraded from NetBSD 3.* sources dated
        2006-06-09 or later.

        The following files need to be updated from the
        netbsd-3 or netbsd-3-0 CVS branch:
                games/dm/dm.c
                games/sail/pl_main.c
                games/tetris/scores.c

        To update from CVS, re-build, and re-install dm, sail and tetris:
                # cd src
                # cvs update -d -P -r <branch_name> games/dm/dm.c
                # cvs update -d -P -r <branch_name> games/sail/pl_main.c
                # cvs update -d -P -r <branch_name> games/tetris/scores.c
                # cd games/dm
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
                # cd ../sail
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
                # cd ../tetris
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* NetBSD 2.*:

        Systems running NetBSD 2.* sources dated from before
        2006-06-08 should be upgraded from NetBSD 2.* sources dated
        2006-06-09 or later.

        The following files need to be updated from the
        netbsd-2, netbsd-2-0 or netbsd-2-1 CVS branch:
                games/dm/dm.c
                games/sail/pl_main.c
                games/tetris/scores.c

        To update from CVS, re-build, and re-install dm, sail and tetris:
                # cd src
                # cvs update -d -P -r <branch_name> games/dm/dm.c
                # cvs update -d -P -r <branch_name> games/sail/pl_main.c
                # cvs update -d -P -r <branch_name> games/tetris/scores.c
                # cd games/dm
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
                # cd ../sail
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
                # cd ../tetris
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

Thanks To
=========
Maximillian Dornseif for notification of the dm issue.
Anibal Sacco is credited with the discovery of the sail issue.
Tavis Ormandy is credited with the discovery of the tetris issues.
Revision History
================
2006-08-10 Initial release
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2006-018.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.
Copyright 2006, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2006-018.txt,v 1.8 2006/08/10 18:07:38 adrianp Exp $