NetBSD-Announce archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

NetBSD Security Advisory 2009-007: Buffer overflows in hack(6)

Hash: SHA1

                 NetBSD Security Advisory 2009-007

Topic:          Buffer overflows in hack(6)

Version:        NetBSD-current: source prior to June 30, 2009
                NetBSD 5.0:             affected
                NetBSD 4.0.1:           affected
                NetBSD 4.0:             affected

Severity:       Unprivileged local users can gain access to "games" group

Fixed:          NetBSD-current:         June 29, 2009
                NetBSD-5 branch:        June 29, 2009
                        (5.1 will include the fix)
                NetBSD-5-0 branch:      June 29, 2009
                        (5.0.1 will include the fix)
                NetBSD-4 branch:        June 29, 2009
                        (4.1 will include the fix)
                NetBSD-4-0 branch:      June 29, 2009
                        (4.0.2 will include the fix)

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Hack, a "rogue-like" game, is installed setgid to the "games" group
to allow access to shared data and high scores and allow saved games
to be stored where they cannot be tampered with. Buffer handling
shortcomings allow arbitrary code execution with the privilege of the
"games" group, which can then be used to attack other users playing

Technical Details

The gethdate() function contains a stack-based buffer overflow
vulnerability that can be exploited by setting the PATH environment

The main() function contains a data-segment-based buffer overflow bug
attackable in wizard mode by the GENOCIDED environment variable; this
may be exploitable via function pointers elsewhere in the data segment.

Multiple other string handling weaknesses exist that may or may not be
attackable and may or may not be exploitable.

Solutions and Workarounds

Removing the setgid bit from /usr/games/hack is a simple and effective
workaround, although hack will not work properly without it.

For all affected NetBSD versions, the proper fix requires obtaining
updated sources, and rebuilding and installing hack. Fixed sources may
be obtained from the NetBSD CVS repository.

* NetBSD-current:

        Systems running NetBSD-current dated from before 2009-06-30
        should be upgraded to NetBSD-current dated 2009-06-30 or later.

* NetBSD 5.0_STABLE and 5.0.0_PATCH:

        The binary distribution of NetBSD 5.0 is vulnerable.

        Systems running NetBSD 5.0 sources dated from before
        2009-06-30 should be upgraded from NetBSD 5.0 sources
        dated 2009-06-30 or later.

        NetBSD 5.0.1 and 5.1 will include the fix.

* NetBSD 4.0_STABLE and 4.0.1_PATCH:

        The binary distribution of NetBSD 4.0 is vulnerable.

        Systems running NetBSD 4.0 sources dated from before
        2009-06-30 should be upgraded from NetBSD 4.0 sources
        dated 2009-06-30 or later.

        NetBSD 4.0.2 and 4.1 will include the fix.

* For all releases:

        The following directories need to be updated from the
        appropriate CVS branch:

        To update from CVS, re-build, and re-install hack:
                # cd src
                # cvs update -d -P games/hack
                # cd games/hack

                # make USETOOLS=no cleandir obj
                # make USETOOLS=no dependall install

        This will select the fixes for the branch you have already
        checked out in your source tree.

For more information on building (oriented towards rebuilding the
entire system, however) see:

Thanks To

David A. Holland found and fixed the problems.

Revision History

        2009-06-30      Initial release

More Information

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at

Information about NetBSD and NetBSD security can be found at and

Copyright 2009, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2009-007.txt,v 1.1 2009/06/30 18:48:33 tonnerre Exp $

Version: GnuPG v1.4.9 (NetBSD)


Home | Main Index | Thread Index | Old Index