Bug 767015

Summary: njam insecure use of SDL_VIDEODRIVER variable
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED RAWHIDE
Severity: low
Priority: low
Version: unspecified
CC: hdegoede, jrusnack
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-12-13 19:46:16 UTC

Description Kurt Seifried 2011-12-13 00:32:14 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=651896

Package: njam
Version: 1.25-5
Justification: user security hole
Severity: grave
Tags: security

*** Please type your report below this line ***

The setgid(games) binary /usr/games/njam makes insecure use of the 
environmental variable SDL_VIDEODRIVER.

This potentially allows the execution of arbitrary code, as the
following example shows:

1.  Set up the variable:

    birthday:~# export SDL_VIDEODRIVER=$(perl -e "print 'x'x300")

2.  Launch the binary under gdb so we can see what happens:

    birthday:~# gdb /usr/games/njam
    (gdb) run
    Starting program: /usr/games/njam
    ..
    Program received signal SIGSEGV, Segmentation fault.
    0x0000000000404f48 in ?? ()
    (gdb) bt
    #0  0x0000000000404f48 in ?? ()
    #1  0x7878787878787878 in ?? ()
    #2  0x7878787878787878 in ?? ()
    #3  0x7878787878787878 in ?? ()

  0x78 == "x" == Code execution via overflow.

  This is probably a minor issue, but should be simple to patch.

-- System Information:
Debian Release: 6.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/3 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages njam depends on:
ii  libc6                        2.11.2-10   Embedded GNU C Library: Shared lib
ii  libgcc1                      1:4.4.5-8   GCC support library
ii  libsdl-image1.2              1.2.10-2+b2 image loading library for Simple D
ii  libsdl-mixer1.2              1.2.8-6.3   mixer library for Simple DirectMed
ii  libsdl-net1.2                1.2.7-2     network library for Simple DirectM
ii  libsdl1.2debian              1.2.14-6.1  Simple DirectMedia Layer
ii  libstdc++6                   4.4.5-8     The GNU Standard C++ Library v3

njam recommends no packages.

njam suggests no packages.

-- no debconf information

============================================================================

njam on Fedora is setgid games. Attempt to exploit results in:

*** buffer overflow detected ***: njam terminated.

Comment 1 Tomas Hoger 2011-12-13 07:48:20 UTC
(In reply to comment #0)

> njam on Fedora is setgid games. Attempt to exploit results in:
> 
> *** buffer overflow detected ***: njam terminated.

This is a FORTIFY_SOURCE message that implies the overflow was detected when it was about to happen, limiting the impact to a crash (which should make this non-security for Fedora).

Comment 2 Hans de Goede 2011-12-13 19:46:16 UTC
First of all thanks for forwarding the bug report. As Tomas explained in comment 1, Fedora is not vulnerable because we compile with FORTIFY_SOURCE by default. Next to that, the Fedora packages have a patch called njam-1.25-drop-setgid.patch, which opens the shared highscore file and then drops all sgid rights as the first thing in main (so before SDL_VIDEODRIVER is used), which would limit any security issue to the attacker getting access to the highscore file, rather than getting full sgid games rights.

Still this should be fixed :) The code in question is only used for DGA support, and the use of DGA has been deprecated by Xorg upstream for a long long time now, so I've simply done a patch removing the DGA support code.

I've built njam with this for rawhide. Since this bug is not a security issue (for Fedora) and is not seen during normal use, just doing a rawhide build should be enough to resolve this bug -> closing.
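The ordering described in comment 2 (open the shared highscore file while still holding the games gid, drop the gid for good, and only then look at SDL_VIDEODRIVER), as an added C illustration that is neither njam's code nor the Fedora patch; the highscore path, the 32-byte buffer and the bounded-copy helper are assumptions standing in for whatever njam did with the variable.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define HIGHSCORE_PATH "/var/games/njam.hs" /* hypothetical location */

/* Drop the effective and saved gid back to the real gid so the games
 * group cannot be regained later. Returns 0 on success, -1 on failure. */
int drop_sgid(void)
{
    gid_t real = getgid(), eff = getegid();
    if (real == eff)
        return 0;                  /* not running setgid: nothing to drop */
    if (setregid(real, real) != 0) /* on Linux this also resets the saved gid */
        return -1;
    /* Verify the drop stuck: the old gid must no longer be reachable. */
    if (getegid() != real || setegid(eff) == 0)
        return -1;
    return 0;
}

/* Copy SDL_VIDEODRIVER into a caller-supplied buffer, rejecting values that
 * do not fit instead of overflowing it. Returns 0 on success, -1 otherwise. */
int read_video_driver(char *dst, size_t dstsz)
{
    const char *v = getenv("SDL_VIDEODRIVER");
    if (v == NULL || dstsz == 0)
        return -1;
    size_t n = strlen(v);
    if (n >= dstsz)
        return -1;                 /* too long: refuse rather than truncate */
    memcpy(dst, v, n + 1);
    return 0;
}

int main(void)
{
    FILE *hs = fopen(HIGHSCORE_PATH, "r+"); /* still holding the games gid */
    if (drop_sgid() != 0) {        /* never continue with privileges we could not shed */
        fprintf(stderr, "cannot drop group privileges\n");
        return 1;
    }
    char driver[32];               /* only now look at attacker-controlled input */
    if (read_video_driver(driver, sizeof driver) == 0)
        printf("SDL video driver: %s\n", driver);
    if (hs) fclose(hs);
    return 0;
}
```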