multiple buffer overflows in xboing

Steve Kemp reports (in a Debian bug submission):

Due to improper bounds checking it is possible for a
malicious user to gain a shell with membership group
‘games’. (The binary is installed setgid games).
Environmental variables are used without being bounds-checked
in any way, from the source code:

highscore.c:
/* Use the environment variable if it exists */
if ((str = getenv(“XBOING_SCORE_FILE”)) != NULL)
strcpy(filename, str);
else
strcpy(filename, HIGH_SCORE_FILE);

misc.c:
if ((ptr = getenv(“HOME”)) != NULL)
(void) strcpy(dest, ptr);

Neither of these checks are boundschecked, and will allow
arbitary shell code to be run.