
Bug#290822: marked as done (billard-gl: buffer overflows in $HOME and conf-file)



Your message dated Thu, 03 Feb 2005 17:18:47 -0500
with message-id <E1CwpJH-0001YD-00@newraff.debian.org>
and subject line Bug#290822: fixed in billard-gl 1.75-7
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 16 Jan 2005 23:56:05 +0000
From Ulf.Harnhammar.9485@student.uu.se Sun Jan 16 15:56:05 2005
Return-path: <Ulf.Harnhammar.9485@student.uu.se>
Received: from limicola.its.uu.se [130.238.7.33] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1CqKFY-0002Wl-00; Sun, 16 Jan 2005 15:56:05 -0800
Received: by limicola.its.uu.se (Postfix, from userid 205)
	id 56F174856; Mon, 17 Jan 2005 00:56:03 +0100 (MEZ)
Received: from limicola.its.uu.se(127.0.0.1) by limicola.its.uu.se via virus-scan 
	id s2131; Mon, 17 Jan 05 00:55:54 +0100
Received: from tyto.its.uu.se (tyto3.its.uu.se [130.238.4.192])
	by limicola.its.uu.se (Postfix) with ESMTP id 4627A4842
	for <submit@bugs.debian.org>; Mon, 17 Jan 2005 00:55:54 +0100 (MEZ)
Received: from localhost ([127.0.0.1])
	by tyto.its.uu.se with esmtp (Exim 3.35 #1 (Debian))
	id 1CqKFO-0000iS-00
	for <submit@bugs.debian.org>; Mon, 17 Jan 2005 00:55:54 +0100
Received: from h234n2fls31o1123.telia.com (h234n2fls31o1123.telia.com [81.224.172.234]) 
	by webmail.uu.se (IMP) with HTTP 
	for <ulha9485@localhost>; Mon, 17 Jan 2005 00:55:54 +0100
Message-ID: <1105919754.41eaff0a24a35@webmail.uu.se>
Date: Mon, 17 Jan 2005 00:55:54 +0100
From: Ulf Härnhammar <Ulf.Harnhammar.9485@student.uu.se>
To: submit@bugs.debian.org
Subject: billard-gl: buffer overflows in $HOME and conf-file
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="-MOQ1105919753b0e0ba1af2bbb226958fddb7b24807e5"
User-Agent: Internet Messaging Program (IMP) 3.2.6
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.8 required=4.0 tests=BAYES_00,FROM_ENDS_IN_NUMS,
	HAS_PACKAGE autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

This message is in MIME format.

---MOQ1105919753b0e0ba1af2bbb226958fddb7b24807e5
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

Subject: billard-gl: buffer overflows in $HOME and conf-file
Package: billard-gl
Version: 1.75-6
Severity: normal
Tags: patch

Hello,

I have found two types of buffer overflows in billard-gl.

One occurs when the HOME environment variable has a value of about 80
bytes. The other occurs when the ~/.BillardGL.conf.v7 file has very long
lines.

The overflows would be exploitable security problems if billard-gl was
setuid or setgid something. It isn't, but I think this type of bug should
be fixed anyway to avoid irritating crashes.

I have attached a patch, as well as a ~/.BillardGL.conf.v7 file that
exhibits the second problem. ( To test the first problem, just do a:
HOME=`perl -e 'print "U" x 80;'` billard-gl )

The patch also changes the size of two char arrays from 40 to 512. The arrays
contain the value of $HOME plus "/.BillardGL.conf.v7", so I thought that 40
bytes might not be enough.

// Ulf Harnhammar

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-1-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages billard-gl depends on:
ii  freeglut3 [libglut3]     2.2.0-8         OpenGL Utility Toolkit
ii  libc6                    2.3.2.ds1-20    GNU C Library: Shared libraries an
ii  libgcc1                  1:3.4.3-6       GCC support library
ii  libglut3                 3.7-25          the OpenGL Utility Toolkit
ii  libstdc++5               1:3.3.5-5       The GNU Standard C++ Library v3
ii  libx11-6                 4.3.0.dfsg.1-10 X Window System protocol client li
ii  libxext6                 4.3.0.dfsg.1-10 X Window System miscellaneous exte
ii  libxi6                   4.3.0.dfsg.1-10 X Window System Input extension li
ii  libxmu6                  4.3.0.dfsg.1-10 X Window System miscellaneous util
ii  xlibmesa-gl [libgl1]     4.3.0.dfsg.1-10 Mesa 3D graphics library [XFree86]
ii  xlibmesa-glu [libglu1]   4.3.0.dfsg.1-10 Mesa OpenGL utility library [XFree
ii  xlibs                    4.3.0.dfsg.1-10 X Keyboard Extension (XKB) configu

-- no debconf information


---MOQ1105919753b0e0ba1af2bbb226958fddb7b24807e5
Content-Type: text/x-patch; name="billard-gl.bufoflows.patch"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="billard-gl.bufoflows.patch"

---MOQ1105919753b0e0ba1af2bbb226958fddb7b24807e5
Content-Type: application/octet-stream; name=".BillardGL.conf.v7"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=".BillardGL.conf.v7"
---MOQ1105919753b0e0ba1af2bbb226958fddb7b24807e5--

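The two bug classes Ulf describes above, as an added example that is neither billard-gl's code nor part of the bug report or its attached patch: a "$HOME/.BillardGL.conf.v7" path written into a fixed char array (40 bytes before the patch, 512 after, both sizes taken from the report), shown in the unbounded form beside a bounded one, plus a bounded line reader that rejects over-long config lines instead of overflowing. All function names, the 16-byte line buffer used for the sample, and the sample config contents are assumptions constructed for the example; the reproducer is the 80-byte HOME from the report.

```c
/* Added example, not billard-gl's own code. Function names and sample
 * data are assumptions; the 40/512 sizes and the 80-byte HOME come from
 * the bug report. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CONF_SUFFIX  "/.BillardGL.conf.v7"  /* 19 bytes */
#define OLD_PATH_BUF 40                     /* array size before the patch */
#define NEW_PATH_BUF 512                    /* array size after the patch */

/* Unsafe pattern: unbounded copy into a fixed array. Writes past the end
 * as soon as strlen(home) + 19 + 1 > OLD_PATH_BUF, i.e. for any HOME over
 * 20 bytes. Kept only for contrast; nothing below calls it. */
void build_conf_path_unsafe(char out[OLD_PATH_BUF], const char *home)
{
    strcpy(out, home);
    strcat(out, CONF_SUFFIX);
}

/* Bounded version: snprintf never writes past outsz and its return value
 * reveals truncation. Returns 0 on success, -1 (out emptied) if the path
 * does not fit. */
int build_conf_path(char *out, size_t outsz, const char *home)
{
    if (home == NULL || outsz == 0)
        return -1;
    int n = snprintf(out, outsz, "%s%s", home, CONF_SUFFIX);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Does a HOME of home_len bytes, plus suffix and NUL, fit in bufsz? */
int home_fits(size_t home_len, size_t bufsz)
{
    return home_len + strlen(CONF_SUFFIX) + 1 <= bufsz;
}

/* Bounded line reader: 1 = complete line in buf (newline stripped),
 * 0 = EOF, -1 = line longer than bufsz-1 bytes. On -1 the remainder of
 * the line is discarded so the next call starts at the following line
 * rather than treating the tail as a line of its own. */
int read_conf_line(FILE *fp, char *buf, size_t bufsz)
{
    if (fgets(buf, (int)bufsz, fp) == NULL)
        return 0;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 1;
    }
    int c = fgetc(fp);
    if (c == EOF || c == '\n')   /* filled the buffer exactly, or final line */
        return 1;
    while ((c = fgetc(fp)) != EOF && c != '\n')
        ;                        /* drop the over-long remainder */
    return -1;
}

/* Constructed sample config: a 40-byte line between sane lines, one line
 * that exactly fills a 16-byte buffer, and a last line without newline. */
const char SAMPLE_CONF[] =
    "width=640\n"
    "UUUUUUUUUU" "UUUUUUUUUU" "UUUUUUUUUU" "UUUUUUUUUU" "\n"
    "height=480\n"
    "sound=on;fs=off\n"
    "last";

/* Runs read_conf_line over content with a bufsz-byte buffer and counts
 * accepted vs rejected lines. Returns 0, or -1 on I/O failure. */
int scan_conf(const char *content, size_t bufsz, int *accepted, int *rejected)
{
    FILE *fp = tmpfile();
    if (fp == NULL)
        return -1;
    fputs(content, fp);
    rewind(fp);
    char *buf = malloc(bufsz);
    if (buf == NULL) {
        fclose(fp);
        return -1;
    }
    *accepted = *rejected = 0;
    for (int r; (r = read_conf_line(fp, buf, bufsz)) != 0; )
        r > 0 ? (*accepted)++ : (*rejected)++;
    free(buf);
    fclose(fp);
    return 0;
}

int main(void)
{
    char home[81];                      /* the report's reproducer: 80 'U's */
    memset(home, 'U', 80);
    home[80] = '\0';
    char path[NEW_PATH_BUF];
    printf("80-byte HOME fits in %d bytes: %d, in %d bytes: %d\n", OLD_PATH_BUF,
           home_fits(80, OLD_PATH_BUF), NEW_PATH_BUF, home_fits(80, NEW_PATH_BUF));
    if (build_conf_path(path, sizeof path, home) == 0)
        printf("path: %s\n", path);
    int acc, rej;
    if (scan_conf(SAMPLE_CONF, 16, &acc, &rej) == 0)
        printf("accepted %d lines, rejected %d over-long\n", acc, rej);
    return 0;
}
```

The numbers make the report's observation concrete: with the 19-byte suffix, a 40-byte array is already overrun by any HOME longer than 20 bytes, so the 80-byte value is simply long enough to corrupt something that crashes visibly. Raising the array to 512 removes the practical problem for ordinary home directories, but only the bounded `snprintf` with a truncation check turns an oversized HOME into a clean error rather than a silent write past the end.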

---------------------------------------
Received: (at 290822-close) by bugs.debian.org; 3 Feb 2005 22:23:04 +0000
From troup@newraff.debian.org Thu Feb 03 14:23:04 2005
Return-path: <troup@newraff.debian.org>
Received: from newraff.debian.org [208.185.25.31] (mail)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1CwpNP-0001Z4-00; Thu, 03 Feb 2005 14:23:03 -0800
Received: from troup by newraff.debian.org with local (Exim 3.35 1 (Debian))
	id 1CwpJH-0001YD-00; Thu, 03 Feb 2005 17:18:47 -0500
From: Thierry Reding <thierry@doppeltgemoppelt.de>
To: 290822-close@bugs.debian.org
X-Katie: lisa $Revision: 1.30 $
Subject: Bug#290822: fixed in billard-gl 1.75-7
Message-Id: <E1CwpJH-0001YD-00@newraff.debian.org>
Sender: James Troup <troup@newraff.debian.org>
Date: Thu, 03 Feb 2005 17:18:47 -0500
Delivered-To: 290822-close@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 
X-CrossAssassin-Score: 4

Source: billard-gl
Source-Version: 1.75-7

We believe that the bug you reported is fixed in the latest version of
billard-gl, which is due to be installed in the Debian FTP archive:

billard-gl-data_1.75-7_all.deb
  to pool/main/b/billard-gl/billard-gl-data_1.75-7_all.deb
billard-gl_1.75-7.diff.gz
  to pool/main/b/billard-gl/billard-gl_1.75-7.diff.gz
billard-gl_1.75-7.dsc
  to pool/main/b/billard-gl/billard-gl_1.75-7.dsc
billard-gl_1.75-7_i386.deb
  to pool/main/b/billard-gl/billard-gl_1.75-7_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 290822@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thierry Reding <thierry@doppeltgemoppelt.de> (supplier of updated billard-gl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 31 Jan 2005 03:57:08 +0100
Source: billard-gl
Binary: billard-gl billard-gl-data
Architecture: source i386 all
Version: 1.75-7
Distribution: unstable
Urgency: low
Maintainer: Thierry Reding <thierry@doppeltgemoppelt.de>
Changed-By: Thierry Reding <thierry@doppeltgemoppelt.de>
Description: 
 billard-gl - 3D billiards game
 billard-gl-data - 3D billards game - data files
Closes: 173197 236582 284855 290822
Changes: 
 billard-gl (1.75-7) unstable; urgency=low
 .
   * New maintainer. (Closes: #236582)
   * Added patch by Ulf Harnhammar. (Closes: #290822)
   * By default, start in windowed mode at a resolution of 640x480.
     Closes: #284855
     Closes: #173197
   * Updated the billard-gl(6) manpage and the watchfile.
   * Fixed lintian warnings about the menu file.
   * Migrated the data files from /usr/share/billard-gl to
     /usr/share/games/billard-gl (as recommended by FHS 4.7).
   * Previous patches to the upstream source extracted into
     debian/patches.
   * Data split from the binary. Added the billard-gl-data package.
   * Upstream makefile now accepts CFLAGS from debian/rules.
Files: 
 40c619b6f3437e9405c1008a501035a3 730 games optional billard-gl_1.75-7.dsc
 842b9fe7cd5ded837768a94b9cdbfc9b 6398 games optional billard-gl_1.75-7.diff.gz
 79efd32601b10d9d1050154a32887326 549202 games optional billard-gl-data_1.75-7_all.deb
 3e183f6f958880b5ee6beee50e23ff3f 80614 games optional billard-gl_1.75-7_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFB/qbOhQui3hP+/EARAkiZAKDKrNEEjcCHjqlKlwklQ+GjSqrk3ACfW+RJ
ohBtUELCIG26Y32punGfsoY=
=QVt1
-----END PGP SIGNATURE-----


