Subject: NetBSD Security Advisory 2006-018: sail(6), dm(8) and tetris(6) buffer overflows
To: None <tech-security@NetBSD.org>
From: NetBSD Security-Officer <security-officer@netbsd.org>
List: tech-security
Date: 08/10/2006 21:29:01


		 NetBSD Security Advisory 2006-018
		 =================================

Topic:		sail(6), dm(8) and tetris(6) buffer overflows

Version:	NetBSD-current:	source prior to June 01, 2006
		NetBSD 3.0:	affected
		NetBSD 2.1:	affected
		NetBSD 2.0.*:	affected
		NetBSD 2.0:	affected

Severity:	Local privilege escalation

Fixed:		NetBSD-current:		June 01, 2006
		NetBSD-3-0 branch:	June 08, 2006
					   (3.0.1 includes the fix)
		NetBSD-3   branch:	June 08, 2006
		NetBSD-2-1 branch:	June 08, 2006
					   (2.1.1 will include the fix)
		NetBSD-2-0 branch:	June 08, 2006
					   (2.0.4 will include the fix)
		NetBSD-2   branch:	June 08, 2006


Abstract
========

The sail, dungeon master arbiter and tetris games all contain buffer
overflows.  These programs are installed sgid games, and when
successfully exploited the vulnerabilities may allow an attacker to
elevate their privileges to the games group.

The sail vulnerability has been assigned CVE reference CVE-2006-1744.
The tetris vulnerability has been assigned CVE reference CVE-2006-1539.

Technical Details
=================

* When processing user supplied input, sail and dm do not check the 
  length of the string supplied by the user before storing it. 
* When storing user supplied input, tetris does not check the length
  of the string before storing it.
* When reading in the tetris scores file the data is not validated
  before it is stored.
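
The two classes of check described above (bounding user-supplied strings
before storing them, and validating records read from a scores file), as
an added example that is not NetBSD's code or the actual fix. The record
layout, field limits and function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NAME_LEN   20	/* hypothetical fixed name field, including NUL */
#define MAX_LEVEL  9	/* hypothetical upper bound on a level value */
#define MAX_SCORES 10	/* hypothetical capacity of the in-memory table */

struct score_rec {	/* hypothetical on-disk record layout */
	char    name[NAME_LEN];
	int32_t level;
	int32_t score;
};

/* Store a user-supplied name. The unchecked form is strcpy(dst, input);
 * here an over-long string is rejected rather than overflowing dst. */
int
store_name(char dst[NAME_LEN], const char *input)
{
	size_t n = strlen(input);

	if (n == 0 || n >= NAME_LEN)
		return -1;
	memcpy(dst, input, n + 1);	/* n + 1 <= NAME_LEN, copies the NUL */
	return 0;
}

/* Accept a record read from the file only if every field is sane. */
int
record_ok(const struct score_rec *r)
{
	if (memchr(r->name, '\0', NAME_LEN) == NULL)
		return 0;	/* name not terminated inside its field */
	if (r->level < 0 || r->level > MAX_LEVEL || r->score < 0)
		return 0;
	return 1;
}

/* Load at most MAX_SCORES valid records from an untrusted byte buffer. */
size_t
load_scores(const unsigned char *buf, size_t len,
    struct score_rec out[MAX_SCORES])
{
	size_t avail = len / sizeof(struct score_rec), kept = 0;

	for (size_t i = 0; i < avail && kept < MAX_SCORES; i++) {
		struct score_rec r;
		memcpy(&r, buf + i * sizeof r, sizeof r);
		if (record_ok(&r))
			out[kept++] = r;
	}
	return kept;
}
```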

Solutions and Workarounds
=========================

The following instructions describe how to upgrade your games binaries
by updating your source tree and rebuilding and installing a new
version of dm, sail and tetris.

* NetBSD-current:

	Systems running NetBSD-current dated from before 2006-06-01
	should be upgraded to NetBSD-current dated 2006-06-02 or later.

	The following files need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		games/dm/dm.c
		games/sail/pl_main.c
		games/tetris/scores.c

	To update from CVS, re-build, and re-install dm, sail and tetris:

		# cd src
		# cvs update -d -P games/dm/dm.c
		# cvs update -d -P games/sail/pl_main.c
		# cvs update -d -P games/tetris/scores.c
		# cd games/dm
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install
		# cd ../sail
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install
		# cd ../tetris
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install


* NetBSD 3.*:

	Systems running NetBSD 3.* sources dated from before
	2006-06-08 should be upgraded from NetBSD 3.* sources dated
	2006-06-09 or later.

	The following files need to be updated from the
	netbsd-3 or netbsd-3-0 CVS branch:
		games/dm/dm.c
		games/sail/pl_main.c
		games/tetris/scores.c

	To update from CVS, re-build, and re-install dm, sail and tetris:

		# cd src
		# cvs update -d -P -r <branch_name> games/dm/dm.c
		# cvs update -d -P -r <branch_name> games/sail/pl_main.c
		# cvs update -d -P -r <branch_name> games/tetris/scores.c
		# cd games/dm
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install
		# cd ../sail
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install
		# cd ../tetris
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

* NetBSD 2.*:

	Systems running NetBSD 2.* sources dated from before
	2006-06-08 should be upgraded from NetBSD 2.* sources dated
	2006-06-09 or later.

	The following files need to be updated from the
	netbsd-2, netbsd-2-0 or netbsd-2-1 CVS branch:
		games/dm/dm.c
		games/sail/pl_main.c
		games/tetris/scores.c

	To update from CVS, re-build, and re-install dm, sail and tetris:

		# cd src
		# cvs update -d -P -r <branch_name> games/dm/dm.c
		# cvs update -d -P -r <branch_name> games/sail/pl_main.c
		# cvs update -d -P -r <branch_name> games/tetris/scores.c
		# cd games/dm
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install
		# cd ../sail
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install
		# cd ../tetris
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install


Thanks To
=========

Maximillian Dornseif for notification of the dm issue.
Anibal Sacco is credited with the discovery of the sail issue.
Tavis Ormandy is credited with the discovery of the tetris issues.

Revision History
================

	2006-08-10	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2006-018.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2006, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2006-018.txt,v 1.8 2006/08/10 18:07:38 adrianp Exp $
