Handling security issues?
Steve Kemp
skx at debian.org
Wed Feb 8 21:50:57 UTC 2006
One of the things that initially made me interested in joining in
with the group maintainership of games was the initial message
posted to debian-devel.
This had a small section suggesting that the games-team would be
well placed to handle security issues.
Let's practise now ;)
There is an exploitable security hole in `billard-gl` which is
now contained in the team's SVN repository.
It isn't a real security risk, since the game isn't installed
setuid/setgid; however, the code is definitely flawed.
Here is the relevant code from the file src/KommandoZeilenParameter.cpp:
void SchreibeKonfiguration(){
    FILE *f;
#ifndef _WIN32
    char dateiname[40];
    sprintf(dateiname,"%s/.BillardGL.conf.v7",getenv("HOME"));
    f=fopen(dateiname,"w+");
#endif
    ...
    ...
}
void LeseKonfiguration(){
    FILE *f;
#ifndef _WIN32
    char dateiname[40];
    sprintf(dateiname,"%s/.BillardGL.conf.v7",getenv("HOME"));
    f=fopen(dateiname,"r");
    ...
    ...
}
Both of these sections of code contain the same flaw: the copying
of the contents of the environment variable 'HOME' into a fixed-size
buffer, "dateiname", without testing for overflows.
The code could be fixed by using this instead:
memset(dateiname,'\0',sizeof(dateiname));
snprintf(dateiname,sizeof(dateiname)-1,"%s/.BillardGL.conf.v7",getenv("HOME"));
So .. if this were a real security hole, how would we handle this?
Just via coordination with team at security.debian.org as normal?
Steve
--
# The Debian Security Audit Project.
http://www.debian.org/security/audit
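Added example (not code from the post above, nor from BillardGL): the same path-building step done safely, in C. It keeps the posted suffix and the 40-byte buffer, but the function names, the heap-allocating variant and the sample HOME values are mine. The fixed-size variant checks snprintf's return value so truncation is reported rather than silently producing a wrong path, and both variants refuse a missing HOME, which the posted sprintf and snprintf lines would pass to "%s" as NULL.

```c
/* Added example, not from the original post or BillardGL.
 * Names (build_conf_path_fixed, build_conf_path_alloc, open_conf,
 * demo_checks) and the sample HOME values are assumptions for
 * illustration; the suffix and the 40-byte buffer match the post. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CONF_SUFFIX "/.BillardGL.conf.v7"   /* 19 characters, as in the post */
#define CONF_BUFLEN 40                      /* same as char dateiname[40]   */

/* Fixed-size variant. Returns 0 on success, -1 if HOME is unset or the
 * result would not fit: snprintf returns the length it *wanted* to write,
 * so a value >= buflen means the output was truncated. */
int build_conf_path_fixed(const char *home, char *out, size_t buflen)
{
    if (home == NULL || out == NULL || buflen == 0)
        return -1;
    int n = snprintf(out, buflen, "%s" CONF_SUFFIX, home);
    if (n < 0 || (size_t)n >= buflen) {
        out[0] = '\0';              /* never hand back a half-built path */
        return -1;
    }
    return 0;
}

/* Heap variant: no arbitrary length limit, so a long HOME is simply
 * handled. Caller frees the result. NULL if HOME is unset or malloc fails. */
char *build_conf_path_alloc(const char *home)
{
    if (home == NULL)
        return NULL;
    size_t hlen = strlen(home);
    size_t need = hlen + sizeof(CONF_SUFFIX);   /* sizeof includes the NUL */
    char *path = malloc(need);
    if (path == NULL)
        return NULL;
    memcpy(path, home, hlen);
    memcpy(path + hlen, CONF_SUFFIX, sizeof(CONF_SUFFIX));
    return path;
}

/* How SchreibeKonfiguration/LeseKonfiguration could use it: on any
 * failure open nothing, instead of writing through an overflowed buffer. */
FILE *open_conf(const char *mode)
{
    char dateiname[CONF_BUFLEN];
    if (build_conf_path_fixed(getenv("HOME"), dateiname, sizeof dateiname) != 0)
        return NULL;
    return fopen(dateiname, mode);
}

/* Constructed inputs exercising the boundary of the 40-byte buffer:
 * a 20-char HOME + 19-char suffix + NUL = 40 bytes fits exactly,
 * a 21-char HOME needs 41 bytes and is the first one the original
 * sprintf would overflow. Returns 1 if every case behaves as expected. */
int demo_checks(void)
{
    char buf[CONF_BUFLEN];
    int ok = 1;

    ok &= build_conf_path_fixed("/home/skx", buf, sizeof buf) == 0
          && strcmp(buf, "/home/skx" CONF_SUFFIX) == 0;

    ok &= build_conf_path_fixed("/home/0123456789abcd", buf, sizeof buf) == 0
          && strlen(buf) == CONF_BUFLEN - 1;

    ok &= build_conf_path_fixed("/home/0123456789abcde", buf, sizeof buf) == -1
          && buf[0] == '\0';

    ok &= build_conf_path_fixed(NULL, buf, sizeof buf) == -1;

    char *p = build_conf_path_alloc("/home/0123456789abcde");
    ok &= p != NULL && strcmp(p, "/home/0123456789abcde" CONF_SUFFIX) == 0;
    free(p);

    ok &= build_conf_path_alloc(NULL) == NULL;
    return ok;
}

int main(void)
{
    printf("demo checks: %s\n", demo_checks() ? "ok" : "FAILED");
    return demo_checks() ? 0 : 1;
}
```

The truncation check is the part the posted snprintf fix leaves out: snprintf stops the overflow, but a silently shortened "dateiname" would still make the game read or write some other file under $HOME, so the caller should treat a too-long HOME as an error rather than carry on.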