multiple buffer overflows in xboing

2003-01-01T00:00:00
ID E25566D5-6D3F-11D8-83A4-000A95BC6FAE
Type freebsd
Reporter FreeBSD
Modified 2004-03-29T00:00:00

Description

Steve Kemp reports (in a Debian bug submission):

Due to improper bounds checking it is possible for a malicious user to gain a shell with membership group 'games'. (The binary is installed setgid games). Environmental variables are used without being bounds-checked in any way, from the source code:

highscore.c: / Use the environment variable if it exists / if ((str = getenv("XBOING_SCORE_FILE")) != NULL) strcpy(filename, str); else strcpy(filename, HIGH_SCORE_FILE);

misc.c: if ((ptr = getenv("HOME")) != NULL) (void) strcpy(dest, ptr);

Neither of these checks are boundschecked, and will allow arbitary shell code to be run.