4.6 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:P/I:P/A:P
0.0004 Low
EPSS
Percentile
5.2%
Steve Kemp reports (in a Debian bug submission):
Due to improper bounds checking it is possible for a
malicious user to gain a shell with membership group
‘games’. (The binary is installed setgid games).
Environmental variables are used without being bounds-checked
in any way, from the source code:
highscore.c:
/* Use the environment variable if it exists */
if ((str = getenv(“XBOING_SCORE_FILE”)) != NULL)
strcpy(filename, str);
else
strcpy(filename, HIGH_SCORE_FILE);
misc.c:
if ((ptr = getenv(“HOME”)) != NULL)
(void) strcpy(dest, ptr);
Neither of these checks are boundschecked, and will allow
arbitary shell code to be run.