--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: trr19: segfault when no argument is given
- From: Arnaud Fontaine <arnaud@andesi.org>
- Date: Fri, 22 Dec 2006 18:53:15 +0100
- Message-id: <873b77bywk.fsf@scoobidee.mini-dweeb.org>
Package: trr19
Version: 1.0beta5-19
Severity: normal
Tags: patch
Hello,
When no argument is given to trr_update or trr_format, it segfaults. In
addition the program could give a buffer overflow which may be used to
gain the games group privileges. This bug should be grave because it can
allow someone to modify the nethack scores... ;)
Regards,
Arnaud Fontaine
-- System Information:
Debian Release: 4.0
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/dash
Kernel: Linux 2.6.19.1-maggie
Locale: LANG=fr_FR@euro, LC_CTYPE=fr_FR@euro (charmap=ISO-8859-15)
Versions of packages trr19 depends on:
ii emacs-snapshot-gtk [emacs-s 1:20061221-1 The GNU Emacs editor (with GTK+ 2.
ii libc6 2.3.6.ds1-9 GNU C Library: Shared libraries
trr19 recommends no packages.
-- no debconf information
diff -urN trr19-1.0beta5.orig/trr_format.c trr19-1.0beta5/trr_format.c
--- trr19-1.0beta5.orig/trr_format.c 2006-12-22 02:58:26.000000000 +0100
+++ trr19-1.0beta5/trr_format.c 2006-12-22 02:56:12.000000000 +0100
@@ -54,6 +54,11 @@
signal(SIGTERM, SIG_IGN);
strcpy(textfile, TEXT_DIR);
+ if (argc < 2 || (strlen (TEXT_DIR) + strlen (argv[1])) >= 256){
+ fprintf (stderr, "%s: %s\n", argv[0], strerror (EINVAL));
+ exit(1);
+ }
+
strcat(textfile, argv[1]);
strcpy(formattedfile, textfile);
strcat(formattedfile, ".formed");
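Review bot: the length bound in the added check covers only `TEXT_DIR` plus `argv[1]`, but the trailing context then runs `strcat(formattedfile, ".formed")` on a copy of that same string, so a name that passes the check with fewer than 7 bytes to spare still needs more room than the check allowed for. If `formattedfile` is the same size as `textfile` (the declarations are outside this hunk), the overflow is moved rather than closed. Suggest adding `strlen(".formed")` to the sum and comparing against `sizeof(formattedfile)` instead of the literal 256. The `argc < 2` test would also sit better above the `strcpy(textfile, TEXT_DIR)` line, so that nothing is done before the arguments are validated.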
diff -urN trr19-1.0beta5.orig/trr_update.c trr19-1.0beta5/trr_update.c
--- trr19-1.0beta5.orig/trr_update.c 1996-07-03 06:52:08.000000000 +0200
+++ trr19-1.0beta5/trr_update.c 2006-12-22 18:12:52.000000000 +0100
@@ -74,6 +74,11 @@
}
/* upfate high score file */
+ if (argc != 7 || (strlen (argv[1]) + strlen (".lock")) >= 256){
+ fprintf (stderr, "%s: %s\n", argv[0], strerror (EINVAL));
+ exit(1);
+ }
+
strcat(scorefile, argv[1]);
strcpy(lockfile, scorefile);
strcat(lockfile, ".lock");
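Review bot: the bound in the added `if` counts `strlen(argv[1])` and `".lock"` but not what `scorefile` already holds, even though the next line appends with `strcat(scorefile, argv[1])` rather than copying. The trr_format.c check counts its `TEXT_DIR` prefix, and this one should count its prefix the same way, for example `strlen(scorefile) + strlen(argv[1]) + strlen(".lock") >= sizeof(lockfile)`, with the buffer sizes confirmed against the declarations, which are outside this hunk. Since the `argc != 7` test is placed at line 74, partway into the function, it is also worth confirming that nothing above it reads `argv[1]` through `argv[6]` first.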
--- End Message ---
--- Begin Message ---
Source: trr19
Source-Version: 1.0beta5-19
We believe that the bug you reported is fixed in the latest version of
trr19, which is due to be installed in the Debian FTP archive:
trr19_1.0beta5-19.diff.gz
to pool/main/t/trr19/trr19_1.0beta5-19.diff.gz
trr19_1.0beta5-19.dsc
to pool/main/t/trr19/trr19_1.0beta5-19.dsc
trr19_1.0beta5-19_i386.deb
to pool/main/t/trr19/trr19_1.0beta5-19_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 404235@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Arnaud Fontaine <arnaud@andesi.org> (supplier of updated trr19 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Fri, 22 Dec 2006 02:04:20 +0100
Source: trr19
Binary: trr19
Architecture: source i386
Version: 1.0beta5-19
Distribution: unstable
Urgency: low
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Arnaud Fontaine <arnaud@andesi.org>
Description:
trr19 - A type training software on GNU Emacs
Closes: 403159 404229 404235
Changes:
trr19 (1.0beta5-19) unstable; urgency=low
.
* QA upload.
* Remove unnecessary debian/conffiles.
* New patch which fixes trr_update and trr_format segfaults.
Closes: #404235.
* debian/control:
+ Add emacs-snapshot to Depends. Closes: #403159.
+ Bump policy version to 3.7.2. No changes needed.
+ Add a versioned Build-Depends for debhelper.
* debian/emacsen-install:
+ Don't byte-compile for xemacs21-*. Closes: #404229.
Files:
8807efafe36cd99ed997bf06ec01ce1f 582 games optional trr19_1.0beta5-19.dsc
44124739ce2a92bc2d52acac123f690d 9367 games optional trr19_1.0beta5-19.diff.gz
dde905098bbd693078d531dd2db07b3f 76678 games optional trr19_1.0beta5-19_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFFxHl/sczZcpAmcIYRAsrBAJ4/OcosogcavfTjR6t/1g58lCcJQACgpRea
W/6t3ckoBbQtRk4yaiqsu7A=
=yiqS
-----END PGP SIGNATURE-----
--- End Message ---