OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: NetBSD Security Officer (security-officer_at_netbsd.org)
Date: Tue Oct 08 2002 - 00:28:18 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    -----BEGIN PGP SIGNED MESSAGE-----

                     NetBSD Security Advisory 2002-021
                     =================================

    Topic: rogue vulnerability

    Version: NetBSD-current: source prior to October 2, 2002
                    NetBSD 1.6: affected
                    NetBSD-1.5.3: affected
                    NetBSD-1.5.2: affected
                    NetBSD-1.5.1: affected
                    NetBSD-1.5: affected

    Severity: Local user can elevate privileges to group "games"

    Fixed: NetBSD-current: October 2, 2002
                    NetBSD-1.6 branch: October 3, 2002
                                            (1.6.1 will include the fix)
                    NetBSD-1.5 branch: October 3, 2002

    Abstract
    ========

    There are several buffer overflows in the processing of saved games
    when restarting rogue(6), that allow one to obtain group "games."

    Technical Details
    =================

    When rogue(6) saves a game for later, it writes a string length with
    each string in the save file. When re-reading the file for continuing
    the game, this value was used unbounded when reading the string,
    allowing a hand-crafted save file to overflow a buffer.

    All read operations from the save file are now correctly bounded.

    Solutions and Workarounds
    =========================

    The easiest solution to this problem is to simply remove the set-gid
    bit from rogue(6):

            # chmod g-s /usr/games/rogue

    This only impacts rogue's ability to save scores.

    The following instructions describe how to upgrade your rogue(6)
    binaries by updating your source tree and rebuilding and
    installing a new version of rogue(6).

    * NetBSD-current:

            Systems running NetBSD-current dated from before 2002-10-02
            should be upgraded to NetBSD-current dated 2002-10-02 or later.

            The following directories need to be updated from the
            netbsd-current CVS branch (aka HEAD):
                    games/rogue

            To update from CVS, re-build, and re-install rogue(6):
                    # cd src
                    # cvs update -d -P games/rogue
                    # cd games/rogue

                    # make cleandir dependall
                    # make install

    * NetBSD 1.6:

            Systems running NetBSD 1.6 sources dated from before
            2002-10-03 should be upgraded from NetBSD 1.6 sources dated
            2002-10-03 or later.

            NetBSD 1.6.1 will include the fix.

            The following directories need to be updated from the
            netbsd-1-6 CVS branch:
                    games/rogue

            To update from CVS, re-build, and re-install rogue(6):

                    # cd src
                    # cvs update -d -P -r netbsd-1-6 games/rogue
                    # cd games/rogue

                    # make cleandir dependall
                    # make install

            Alternatively, apply the following patch (with potential offset
            differences):
                    ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA20020-021-rogue.patch

            To patch, re-build and re-install rogue(6):

                    # cd src/games/rogue
                    # patch < /path/to/SA20020-021-rogue.patch

                    # make cleandir dependall
                    # make install

    * NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:

            Systems running NetBSD 1.5, 1.5.1, 1.5.2, or 1.5.3 sources dated
            from before 2002-10-03 should be upgraded from NetBSD 1.5.*
            sources dated 2002-10-03 or later.

            The following directories need to be updated from the
            netbsd-1-5 CVS branch:
                    games/rogue

            To update from CVS, re-build, and re-install rogue(6):

                    # cd src
                    # cvs update -d -P -r netbsd-1-5 games/rogue
                    # cd games/rogue

                    # make cleandir dependall
                    # make install

            Alternatively, apply the following patch (with potential offset
            differences):
                    ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA20020-021-rogue.patch

            To patch, re-build and re-install rogue(6):

                    # cd src/games/rogue
                    # patch < /path/to/SA20020-021-rogue.patch

                    # make cleandir dependall
                    # make install

    Thanks To
    =========

    stanojr for reporting this problem, matthew green for providing a solution
    and Simon Burge for helping test the solution.

    Revision History
    ================

            2002-10-08 Initial release

    More Information
    ================

    Advisories may be updated as new information comes to hand. The most
    recent version of this advisory (PGP signed) can be found at
      ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-021.txt.asc

    Information about NetBSD and NetBSD security can be found at
    http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.

    Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved.

    $NetBSD: NetBSD-SA2002-021.txt,v 1.7 2002/10/08 03:43:35 itojun Exp $

    -----BEGIN PGP SIGNATURE-----
    Version: 2.6.3ia
    Charset: noconv

    iQCVAwUBPaJUZz5Ru2/4N2IFAQEGqAP+KPqDJtYlSlECwS2XVlS4YGgJQUKM606p
    UX8Rwzt0BMcBAO60HedJrWwJCY6xdcvp0s6SKuHe+o1Cb4Sf5Q/b0z2U4nW+UTtV
    +P3WEU15O//23v6dgWy8ePxqAlnnx3LvU9fFwbkqheUnyPsyDEaM9izsr9J8/p6L
    vIf3dolEhTA=
    =Rtnl
    -----END PGP SIGNATURE-----