Bug#919589: libkxl0: Buffer-overflow with potential security issue
Emmanuel Fleury
emmanuel.fleury at u-bordeaux.fr
Thu Jan 17 16:07:51 GMT 2019
Package: libkxl0
Version: 1.1.7-16.1
Severity: important
Dear Maintainer,
I noticed this bug through geki2 and geki3 packages (both are setuid to
the 'games' user probably to write high-scores).
#> ldd $(which geki2)
linux-vdso.so.1 (0x00007ffea25df000)
libKXL.so.0 => /usr/lib/libKXL.so.0 (0x00007f183a232000) <--- Here!
libX11.so.6 => /usr/lib/x86_64-linux-gnu/libX11.so.6
...
#> gdb -q $(which geki2)
Reading symbols from /usr/games/geki2...(no debugging symbols found)...done.
(gdb) r --display $(python -c 'print("A" * 26530 + "BBBB")')
...
Program received signal SIGSEGV, Segmentation fault.
0x0000424242426a91 in ?? ()
(gdb)
So, as the '42424242' shows, I can control four bytes of the rip
address with this flaw.
Same occurs with geki3.
I did not try very hard to see if I could do something with it, but I
suspect that I can exploit this to perform some privilege escalation.
-- System Information:
Debian Release: buster/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages libkxl0 depends on:
ii libc6 2.28-5
ii libx11-6 2:1.6.7-1
libkxl0 recommends no packages.
libkxl0 suggests no packages.
-- no debconf information
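The bug class the report describes, as an added illustration that is neither libKXL's code nor the reporter's: a fixed-size buffer filled from the --display argument with no length check, next to a bounded copy that rejects oversized input instead of writing past the buffer. The buffer size DISPLAY_NAME_MAX, the function names and the rebuilt 26530-byte input are assumptions; the report does not show where in libKXL the copy happens or how large the real buffer is.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical size of the display-name buffer. libKXL's real size is not
 * shown in the report; this value is an assumption for illustration. */
#define DISPLAY_NAME_MAX 256

/* Vulnerable pattern, shown for contrast and never called here: an
 * unbounded strcpy of an attacker-controlled argument into a fixed stack
 * buffer. Any argument longer than the buffer overwrites what follows it
 * on the stack, including the saved return address, which is what the
 * 0x...42424242 rip value in the report reflects. */
void open_display_unsafe(const char *name)
{
    char buf[DISPLAY_NAME_MAX];
    strcpy(buf, name);          /* no length check */
    /* ... buf would be handed to XOpenDisplay() here ... */
}

/* Hardened form: measure the input against the destination first and
 * refuse anything that does not leave room for the terminator.
 * Returns 0 on success, -1 if the name is missing or too long. */
int open_display_safe(const char *name, char *out, size_t out_len)
{
    size_t n;
    if (name == NULL || out == NULL || out_len == 0)
        return -1;
    /* Bounded scan: stop at out_len so an unterminated or huge input is
     * never walked past the destination's capacity. */
    for (n = 0; n < out_len && name[n] != '\0'; n++)
        ;
    if (n == out_len)           /* no room for the NUL terminator */
        return -1;
    memcpy(out, name, n);
    out[n] = '\0';
    return 0;
}

/* Rebuilds the reporter's input (26530 'A' bytes followed by "BBBB") so
 * the check can be exercised without an X server. Caller frees. */
char *make_crash_input(void)
{
    size_t len = 26530 + 4;
    char *s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', 26530);
    memcpy(s + 26530, "BBBB", 4);
    s[len] = '\0';
    return s;
}

int main(void)
{
    char buf[DISPLAY_NAME_MAX];
    char *bad = make_crash_input();
    printf("\":0\"      -> %d\n", open_display_safe(":0", buf, sizeof buf));
    printf("26534 bytes -> %d\n", open_display_safe(bad, buf, sizeof buf));
    free(bad);
    return 0;
}
```

The safe variant returns an error the caller can report to the user; with the unsafe pattern the only signal is the SIGSEGV the reporter observed, and in a setuid binary that signal is the least of the consequences.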