Bug#404235: trr19: segfault when no argument is given
Package: trr19
Version: 1.0beta5-19
Severity: normal
Tags: patch
Hello,
When no argument is given to trr_update or trr_format, it segfaults. In
addition the program could give a buffer overflow which may be used to
gain the games group privileges. This bug should be grave because it can
allow someone to modify the nethack scores... ;)
Regards,
Arnaud Fontaine
-- System Information:
Debian Release: 4.0
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/dash
Kernel: Linux 2.6.19.1-maggie
Locale: LANG=fr_FR@euro, LC_CTYPE=fr_FR@euro (charmap=ISO-8859-15)
Versions of packages trr19 depends on:
ii emacs-snapshot-gtk [emacs-s 1:20061221-1 The GNU Emacs editor (with GTK+ 2.
ii libc6 2.3.6.ds1-9 GNU C Library: Shared libraries
trr19 recommends no packages.
-- no debconf information
diff -urN trr19-1.0beta5.orig/trr_format.c trr19-1.0beta5/trr_format.c
--- trr19-1.0beta5.orig/trr_format.c 2006-12-22 02:58:26.000000000 +0100
+++ trr19-1.0beta5/trr_format.c 2006-12-22 02:56:12.000000000 +0100
@@ -54,6 +54,11 @@
signal(SIGTERM, SIG_IGN);
strcpy(textfile, TEXT_DIR);
+ if (argc < 2 || (strlen (TEXT_DIR) + strlen (argv[1])) >= 256){
+ fprintf (stderr, "%s: %s\n", argv[0], strerror (EINVAL));
+ exit(1);
+ }
+
strcat(textfile, argv[1]);
strcpy(formattedfile, textfile);
strcat(formattedfile, ".formed");
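Review bot: the length check added before strcat(textfile, argv[1]) only bounds textfile, while the unchanged lines after it copy textfile into formattedfile and append ".formed", seven more characters. If formattedfile has the same 256-byte size the literal implies (its declaration is not visible in this hunk), a combined path of 249 to 255 characters passes the check and still overruns formattedfile. Count the suffix in the test, for example strlen (TEXT_DIR) + strlen (argv[1]) + strlen (".formed") >= sizeof formattedfile, and use sizeof instead of the bare 256 so the check follows the buffer declaration. The added lines also call strerror and use EINVAL, and the patch changes no includes, so confirm that <string.h> and <errno.h> are already pulled in by trr_format.c.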
diff -urN trr19-1.0beta5.orig/trr_update.c trr19-1.0beta5/trr_update.c
--- trr19-1.0beta5.orig/trr_update.c 1996-07-03 06:52:08.000000000 +0200
+++ trr19-1.0beta5/trr_update.c 2006-12-22 18:12:52.000000000 +0100
@@ -74,6 +74,11 @@
}
/* upfate high score file */
+ if (argc != 7 || (strlen (argv[1]) + strlen (".lock")) >= 256){
+ fprintf (stderr, "%s: %s\n", argv[0], strerror (EINVAL));
+ exit(1);
+ }
+
strcat(scorefile, argv[1]);
strcpy(lockfile, scorefile);
strcat(lockfile, ".lock");
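Review bot: in the check added before strcat(scorefile, argv[1]), the sum counts only strlen (argv[1]) and ".lock" and leaves out whatever scorefile already holds. The call is strcat, not strcpy, so argv[1] is appended to existing contents, and the matching check in trr_format.c does include its TEXT_DIR prefix. Add strlen (scorefile) to the sum and compare against sizeof lockfile rather than the literal 256, otherwise an argv[1] just under the limit can still overflow both scorefile and lockfile. Putting argc != 7 first in the condition is right, since it keeps argv[1] from being read when it is absent.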