Subject: bin/5970: [PATCH] Security of NetBSD games 2
To: None <gnats-bugs@gnats.netbsd.org>
From: Joseph Myers <jsm@octomino.demon.co.uk>
List: netbsd-bugs
Date: 08/14/1998 17:26:16
>Number: 5970
>Category: bin
>Synopsis: [PATCH] Security of NetBSD games 2
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people (Utility Bug People)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Aug 14 10:35:01 1998
>Last-Modified:
>Originator: Joseph Samuel Myers
>Organization:
Trinity College, University of Cambridge, UK
>Release: NetBSD-current of 1998-07-27
>Environment:
[
System: Linux octomino 2.0.35 #1 Wed Aug 12 15:54:21 UTC 1998 i586 unknown
Architecture: i586
]
>Description:
This patch fixes the security issues described in PR bin/5945 for more
games: battlestar, bcd, boggle, caesar. As with the previous patch it
is derived from OpenBSD. This patch can be applied independently of
the previous patch.
>How-To-Repeat:
>Fix:
diff -ruN netbsd/battlestar/battlestar.c netbsd+security/battlestar/battlestar.c
--- netbsd/battlestar/battlestar.c Sat Oct 11 11:50:04 1997
+++ netbsd+security/battlestar/battlestar.c Thu Aug 13 13:26:05 1998
@@ -66,6 +66,9 @@
char mainbuf[LINELENGTH];
char *next;
+ /* Open the score file then revoke setgid privileges */
+ open_score_file();
+ setregid(getgid(), getgid());
initialize(argc < 2 || strcmp(argv[1], "-r"));
start:
news();
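Review bot: The return value of `setregid(getgid(), getgid())` is ignored here, so if the call fails the game carries on with its setgid group still effective and nothing reports it. The same unchecked call is added in the bcd.c, boggle/bog.c and caesar.c hunks. Checking the result and exiting makes the privilege drop fail closed, for example `if (setregid(getgid(), getgid()) < 0) err(1, "setregid");`. That assumes `<err.h>` is included in each file, which these hunks do not show. The body of main continues outside the hunk.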
diff -ruN netbsd/battlestar/com6.c netbsd+security/battlestar/com6.c
--- netbsd/battlestar/com6.c Tue Oct 14 11:09:14 1997
+++ netbsd+security/battlestar/com6.c Thu Aug 13 13:28:55 1998
@@ -105,11 +105,20 @@
exit(0);
}
+static FILE *score_fp;
+
+void
+open_score_file()
+{
+ score_fp = fopen(_PATH_SCORE, "a");
+ if (score_fp == NULL)
+ warn("open %s for append", _PATH_SCORE);
+}
+
void
post(ch)
char ch;
{
- FILE *fp;
struct timeval tv;
time_t tvsec;
char *date;
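Review bot: `score_fp` is opened in `open_score_file()` while the process is still setgid and stays open for the life of the process without the close-on-exec flag, so any program the game executes later would inherit a writable descriptor on the score file despite the privilege drop. Whether battlestar ever runs a child process is not visible in this diff, but marking the descriptor is cheap: after a successful `fopen`, add `(void)fcntl(fileno(score_fp), F_SETFD, FD_CLOEXEC);` (needs `<fcntl.h>`). The new function would also benefit from a comment such as `/* Must be called before setgid privileges are revoked; post() appends to score_fp. */` and from being declared as `open_score_file(void)`. The body of post() continues outside the hunk.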
@@ -122,17 +131,16 @@
tvsec = (time_t) tv.tv_sec;
date = ctime(&tvsec);
date[24] = '\0';
- if ((fp = fopen(_PATH_SCORE, "a")) != NULL) {
- fprintf(fp, "%s %8s %c%20s", date, uname, ch, rate());
+ if (score_fp != NULL) {
+ fprintf(score_fp, "%s %8s %c%20s", date, uname, ch, rate());
if (wiz)
- fprintf(fp, " wizard\n");
+ fprintf(score_fp, " wizard\n");
else
if (tempwiz)
- fprintf(fp, " WIZARD!\n");
+ fprintf(score_fp, " WIZARD!\n");
else
- fprintf(fp, "\n");
- } else
- warn("fopen %s", _PATH_SCORE);
+ fprintf(score_fp, "\n");
+ }
sigprocmask(SIG_SETMASK, &osigset, (sigset_t *) 0);
}
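Review bot: The record written through `score_fp` in `post()` is neither flushed nor checked, so it stays in the stdio buffer until the process exits normally, and a write error would go unreported. With a stream that now lives for the whole run, adding `if (fflush(score_fp) == EOF) warn("write %s", _PATH_SCORE);` after the last `fprintf` keeps the entry from being lost if the game ends abnormally afterwards. The `else warn(...)` branch was removed, so a score file that could not be opened is reported only once at startup; a short comment on the `if (score_fp != NULL)` test saying so would help the next reader. The start of post() is outside this hunk.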
diff -ruN netbsd/battlestar/extern.h netbsd+security/battlestar/extern.h
--- netbsd/battlestar/extern.h Sun Mar 29 12:13:46 1998
+++ netbsd+security/battlestar/extern.h Thu Aug 13 13:26:26 1998
@@ -340,6 +340,7 @@
void news __P((void));
void newway __P((int));
void notarget __P((void));
+void open_score_file __P((void));
void parse __P((void));
void post __P((char));
void printobjs __P((void));
diff -ruN netbsd/bcd/bcd.c netbsd+security/bcd/bcd.c
--- netbsd/bcd/bcd.c Fri Oct 10 11:22:48 1997
+++ netbsd+security/bcd/bcd.c Thu Aug 13 13:30:14 1998
@@ -85,6 +85,7 @@
#include <stdio.h>
#include <string.h>
#include <ctype.h>
+#include <unistd.h>
u_short holes[256] = {
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
@@ -135,6 +136,9 @@
char **argv;
{
char cardline[80];
+
+ /* revoke setgid privileges */
+ setregid(getgid(), getgid());
/*
* The original bcd prompts with a "%" when reading from stdin,
diff -ruN netbsd/boggle/boggle/bog.c netbsd+security/boggle/boggle/bog.c
--- netbsd/boggle/boggle/bog.c Sat Oct 11 11:50:39 1997
+++ netbsd+security/boggle/boggle/bog.c Thu Aug 13 13:30:52 1998
@@ -132,6 +132,9 @@
int ch, done, i, selfuse, sflag;
char *bspec, *p;
+ /* revoke setgid privileges */
+ setregid(getgid(), getgid());
+
seed = 0;
batch = debug = reuse = selfuse = sflag = 0;
bspec = NULL;
diff -ruN netbsd/caesar/caesar.c netbsd+security/caesar/caesar.c
--- netbsd/caesar/caesar.c Sat Oct 11 11:50:55 1997
+++ netbsd+security/caesar/caesar.c Thu Aug 13 13:31:29 1998
@@ -92,6 +92,9 @@
char *inbuf;
int obs[26], try, winner;
+ /* revoke setgid privileges */
+ setregid(getgid(), getgid());
+
winnerdot = 0;
if (argc > 1)
printit(argv[1]);
>Audit-Trail:
>Unformatted: