Re: RFS: atris - Alizarin Tetris

To: debian-mentors@lists.debian.org
Subject: Re: RFS: atris - Alizarin Tetris
From: Steve Kemp <skx@debian.org>
Date: Mon, 5 Jul 2004 21:04:44 +0100
Message-id: <[🔎] 20040705200444.GA12057@steve.org.uk>
Reply-to: Steve Kemp <skx@debian.org>
In-reply-to: <[🔎] 20040705191421.GA14038@penguin.localdomain>
References: <[🔎] 20040705191421.GA14038@penguin.localdomain>

On Mon, Jul 05, 2004 at 09:14:21PM +0200, Marcel Sebek wrote:

> I've packaged atris - Alizarin Tetris. It is available at
> mentors.debian.net in two packages: atris and atris-sounds. I'm
> searching a sponsor who will upload it.
> Any comments are welcome.

  Please consider applying the attached patch.  This
 protects against two (identical) buffer overflows allowing
 a local gid(games) attack.

  It's always worth checking over the source to any binaries
 you want to install setgid/setuid.

Steve
--
# The Debian Security Audit Project.
http://www.debian.org/security/audit

--- atris.c-orig	2004-07-05 21:00:47.000000000 +0100
+++ atris.c	2004-07-05 21:01:22.000000000 +0100
@@ -929,7 +929,8 @@
 #else
     {
 	char filespec[2048];
-	sprintf(filespec,"%s/.atrisrc", getenv("HOME"));
+	memset(filespec,'\0',sizeof(filespec));
+	snprintf(filespec,sizeof(filespec)-1,"%s/.atrisrc", getenv("HOME"));
 	load_options(filespec);
     }
 #endif
@@ -1124,7 +1125,8 @@
 #else
     {
 	char filespec[2048];
-	sprintf(filespec,"%s/.atrisrc", getenv("HOME"));
+	memset(filespec,'\0',sizeof(filespec));
+	snprintf(filespec,sizeof(filespec)-1,"%s/.atrisrc", getenv("HOME"));
 	save_options(filespec);
     }
 #endif

Reply to:

Follow-Ups:
- Re: RFS: atris - Alizarin Tetris
  - From: sebek64@post.cz (Marcel Sebek)

References:
- RFS: atris - Alizarin Tetris
  - From: sebek64@post.cz (Marcel Sebek)

Prev by Date: RFS: atris - Alizarin Tetris
Next by Date: Re: RFS: rlplot - generate publication quality graphs
Previous by thread: RFS: atris - Alizarin Tetris
Next by thread: Re: RFS: atris - Alizarin Tetris
Index(es):
- Date
- Thread