Re: LinCity Buffer Overflow

From: John Goerzen (jgoerzenat_private)
Date: Tue Mar 17 1998 - 17:35:02 PST

    "T. Freak" <tfreakat_private> writes:
    
    > Greetings,
    >
    > While a buffer overflow is blatantly obvious in the code, I don't think it
    > is very dangerous.  Observe.
    
    Just a little history on this issue.  Herbert Xu reported a bug #14553
    to Debian's bug tracking system on November 5, 1997 stating that on
    line 848 of main.cxx, the s3 variable was too small to hold the home
    directory for him, which was large enough to apparently overflow the
    buffer.  I (the Debian maintainer of the lincity packages)
    subsequently patched it to set s3 to (2 * PATH_MAX), unaware of the
    full extent of the problem.  On 22 Feb 1998, I modified Debian's
    package to remove the setuid bit from any installed lincity
    executables, suspicious of just this sort of issue (that was Debian
    package 1.09-3, for those of you keeping score at home).  Therefore,
    any Debian system using Debian's lincity package, version 1.09-3 or
    later, is not vulnerable to root attack from this bug.
    
    It seems that there is no trivial patch to this program, however.
    There are 17 separate occurrences of code of the sort
    strcpy(s,getenv("HOME")) and, as far as I can tell from a quick
    examination, not ONE of them is copying into a large enough buffer.
    Additionally, there may well be many other occurrences of such
    dangerous code with other strcpy calls, any one of which could
    potentially lead to a root compromise if lincity is installed setuid.
    
    Therefore, I recommend immediately performing one of the following:
    
    1. If you are using Debian hamm/2.0, upgrade immediately to lincity
       1.09-3.
    
    2. Otherwise, run:
    
    chmod a-s `which lincity`
    
    On Linux FHS-compliant distributions, this would be the same as:
    
    chmod a-s /usr/games/lincity
    
    chmod a-s will immediately remove any setuid bits, negating any root
    attack.  However, the program could still be induced to dump core
    fairly easily I suspect, although I am not sure that such a thing is
    of any real danger when running as a normal unprivileged uid.
    
    BTW, on a side note, there were also some bugs in engine.cxx relating
    to type conversion.  Debian's package contains Herbert Xu's patch.
    That patch can be found via anonymous ftp at:
    
    ftp://ftp.debian.org/debian/hamm/main/source/games, filename is
    lincity*.diff.gz.  (Note that this diff contains a lot of things not
    relevant outside of Debian as well; however, a quick search for
    engine.cxx and main.cxx ought to yield the specific diffs that would be
    useful for any user of lincity.)
    
    To summarize, then:
    
    Debian 1.3.1 (lincity 1.03-2 or 1.09-1) is vulnerable to this issue,
    but only if lincity-svga is installed (find out with dpkg -s lincity-svga)
    and is setuid root.  Debian hamm/pre-2.0 is not vulnerable unless
    running an outdated package from before February 22, 1998.  Any
    hand-installed version from the author's makefile IS vulnerable,
    unless the setuid bit was explicitly removed.  I do not know of the
    status of other distributions that may or may not include this game.
    
    Regards,
    John Goerzen
    
    --
    John Goerzen                              Southwind Internet Access, Inc.
    E-mail: Business, jgoerzenat_private; Personal, jgoerzenat_private
    Computer Science Dept., Wichita State University,    jgoerzenat_private
    Developer, Debian GNU/Linux                       <http://www.debian.org>
    
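    The pattern the message above describes, strcpy(s, getenv("HOME")) into
    a fixed-size buffer in a setuid binary, shown beside a bounded
    replacement.  This is an added illustration, not code from the post or
    from lincity: the 64-byte buffer size, the function names, the
    "/.lincityrc" suffix and the 200-byte attacker HOME value are all
    assumptions chosen for the example (the page does not give lincity's
    real buffer sizes or file names).  It also shows why a setuid program
    should not trust $HOME at all and can take the real uid's home
    directory from the password database instead.

```c
/* Added example (not code from the original post or from lincity): the
 * strcpy(s, getenv("HOME")) pattern the mail describes, beside a bounded
 * version. HOME_BUF, the function names and the "/.lincityrc" suffix are
 * assumptions for illustration; the page gives no real sizes or names. */
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define HOME_BUF 64   /* hypothetical destination size, easy to exceed */

/* The vulnerable pattern, kept as the mail describes it: an unbounded copy
 * of an environment variable that the invoking user fully controls.  Only
 * ever called in this example with a short, constructed value. */
static void home_file_unsafe(char *s, const char *home, const char *suffix)
{
    strcpy(s, home);      /* writes past s once strlen(home) >= HOME_BUF */
    strcat(s, suffix);
}

/* Bounded replacement.  Returns 0 and fills out on success, -1 when home is
 * NULL (getenv() returns NULL if HOME is unset) or home+suffix+NUL would
 * not fit in outsz.  out is left empty on failure so stale data is never
 * used by mistake; truncation is refused rather than silently applied. */
static int home_file_safe(char *out, size_t outsz,
                          const char *home, const char *suffix)
{
    if (out == NULL || outsz == 0)
        return -1;
    out[0] = '\0';
    if (home == NULL)
        return -1;
    int n = snprintf(out, outsz, "%s%s", home, suffix);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Wrapper with a HOME_BUF-sized destination, so the fit/no-fit decision
 * can be checked for a given HOME value. */
static int home_file_fits(const char *home)
{
    char s[HOME_BUF];
    return home_file_safe(s, sizeof s, home, "/.lincityrc");
}

/* Constructed attacker-style HOME value: 200 'A's, far beyond HOME_BUF. */
static const char *constructed_long_home(void)
{
    static char h[201];
    memset(h, 'A', 200);
    h[200] = '\0';
    return h;
}

/* In a setuid program $HOME is attacker-controlled; the real uid's home
 * directory from the password database is the trustworthy source.
 * Returns NULL if the lookup fails. */
static const char *trusted_home(void)
{
    struct passwd *pw = getpwuid(getuid());
    return pw ? pw->pw_dir : NULL;
}

int main(void)
{
    char s[HOME_BUF];

    home_file_unsafe(s, "/home/alice", "/.lincityrc");   /* short: fits */
    printf("unsafe copy, short HOME: %s\n", s);

    setenv("HOME", constructed_long_home(), 1);   /* what an attacker does */
    if (home_file_safe(s, sizeof s, getenv("HOME"), "/.lincityrc") != 0)
        printf("bounded copy, long HOME: rejected (%zu bytes cannot fit in %d)\n",
               strlen(getenv("HOME")), HOME_BUF);

    const char *th = trusted_home();
    printf("home of real uid: %s\n", th ? th : "(lookup failed)");
    return 0;
}
```

    Note that the bounded version refuses a too-long value outright instead
    of truncating it: a silently shortened path would open the game's files
    in the wrong directory, which is its own problem.  Removing the setuid
    bit, as the message recommends, is still the right first step, since it
    takes the privilege away from every one of the unbounded copies at once.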
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:46:00 PDT