
Bug#278777: xsok: unfixed buffer overflow (CAN-2004-0074)



Frank Lichtenheld wrote:
> Hmm, the patch from the DSA is included in the package... Or do you
> mean that the patch is flawed?

Do you mean DSA-405-1 (http://lwn.net/Articles/64725/)? That DSA
is referring to CAN-2003-0949, which indeed seems to be fixed, but
CAN-2004-0074 (which this bug is about) is nowhere mentioned anywhere,
and it's indeed unfixed.

How to verify this bug:
-----------------------

The bugtraq posting (http://www.securityfocus.com/bid/9341, referenced
from the CAN site) says:
"xsok is prone to a locally exploitable buffer overrun vulnerability due
to insufficient bounds check of data supplied through the LANG
environment variable. This could be exploited to execute arbitrary code
with elevated privileges. The program is typically installed setgid
games."

So we grep for LANG in the code:
greuff@i:/usr/src/secure-sarge$ apt-get source xsok
Reading Package Lists... Done
Building Dependency Tree... Done
Need to get 121kB of source archives.
Get:1 http://ftp.at.debian.org sarge/main xsok 1.02-12 (dsc) [596B]
Get:2 http://ftp.at.debian.org sarge/main xsok 1.02-12 (tar) [114kB]
Get:3 http://ftp.at.debian.org sarge/main xsok 1.02-12 (diff) [6170B]
Fetched 121kB in 0s (547kB/s)
dpkg-source: extracting xsok in xsok-1.02

greuff@i:/usr/src/secure-sarge$ grep LANG xsok-1.02/src/*
xsok-1.02/src/loadsave.c:    if ((s = getenv("LANG"))) {
xsok-1.02/src/messages.c: fprintf(stderr, "Hint: Perhaps unsetting LANG or making a symbolic"
xsok-1.02/src/xsok.man:.SH NATIONAL LANGUAGE SUPPORT
xsok-1.02/src/xsok.man:environment variable \fBLANG\fP to the desired value. Currently, no translated

And we have a look in xsok-1.02/src/loadsave.c:
void setlangdir(void) {
    const char *s;
    char p[100];                        /* fixed-size stack buffer */
    if ((s = getenv("LANG"))) {         /* user-controlled, unbounded length */
        sprintf(p, "%s/%s", xsokdir, s);  /* no bounds check: a long LANG overruns p */
        if (!access(p, F_OK)) {         /* langdir does exist */
            langdir = s;
            return;
        }
    }
    langdir = "";
}

This is indeed a buffer overflow.

Tom
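To make the defect and its fix concrete, here is an added example (not code from the xsok package or from this bug report) of how setlangdir() can be rewritten so that the LANG value can no longer overrun the 100-byte buffer. The data directory `xsokdir` is a constructed placeholder, the base directory and LANG value are passed as parameters so the function can be exercised without touching the environment, and the rejection of `/` and `..` in LANG is an extra hardening beyond what the report discusses. The helper `original_sprintf_length()` measures how long the unchecked sprintf() in the original would have made the path, which is what shows why a 100-byte buffer is too small.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed placeholder for xsok's data directory (the real value is set
 * at build time; this one exists only for the example). */
const char *xsokdir = "/usr/share/games/xsok";
const char *langdir = "";

/* Hardened replacement for setlangdir(): the path is built with snprintf(),
 * which never writes past p, and a LANG value that would not fit (or that
 * tries to name something outside the data directory) is refused.
 * Returns 1 when a language directory was accepted, 0 otherwise. */
int setlangdir_safe(const char *basedir, const char *lang)
{
    char p[100];                    /* same buffer size as the original */
    int n;

    langdir = "";
    if (lang == NULL || *lang == '\0')
        return 0;

    /* LANG must be a single directory entry, not a path (added hardening). */
    if (strchr(lang, '/') != NULL || strstr(lang, "..") != NULL)
        return 0;

    /* A return value >= sizeof p means the result was truncated; the
     * original sprintf() would have kept writing past the end of p. */
    n = snprintf(p, sizeof p, "%s/%s", basedir, lang);
    if (n < 0 || (size_t)n >= sizeof p)
        return 0;

    if (access(p, F_OK) == 0) {     /* langdir does exist */
        langdir = lang;
        return 1;
    }
    return 0;
}

/* Drop-in wrapper with the original's interface: reads LANG from the
 * environment and ignores it when it cannot be used safely. */
void setlangdir(void)
{
    (void)setlangdir_safe(xsokdir, getenv("LANG"));
}

/* How many bytes (excluding the NUL) the unchecked sprintf() in the
 * original would have written for this base directory and LANG value. */
int original_sprintf_length(const char *basedir, const char *lang)
{
    return snprintf(NULL, 0, "%s/%s", basedir, lang);
}

/* Constructed test input: a LANG value of 200 'A's, far longer than the
 * 100-byte buffer the original writes into. */
const char *constructed_long_lang(void)
{
    static char buf[201];
    memset(buf, 'A', sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    return buf;
}

int main(void)
{
    const char *lang = constructed_long_lang();
    printf("unchecked sprintf would write %d bytes into a 100-byte buffer\n",
           original_sprintf_length(xsokdir, lang));
    printf("hardened setlangdir accepts it: %d\n", setlangdir_safe(xsokdir, lang));
    return 0;
}
```

The decisive change is the check on snprintf()'s return value: silently truncating the path would avoid the memory corruption but could still make xsok open a directory the user never named, so an oversized LANG is rejected outright rather than shortened.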
