http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=651896

Package: njam
Version: 1.25-5
Justification: user security hole
Severity: grave
Tags: security

*** Please type your report below this line ***

The setgid(games) binary /usr/games/njam makes insecure use of the environmental variable SDL_VIDEODRIVER. This potentially allows the execution of arbitrary code, as the following example shows:

1. Set up the variable:

birthday:~# export SDL_VIDEODRIVER=$(perl -e "print 'x'x300")

2. Launch the binary under gdb so we can see what happens:

birthday:~# gdb /usr/games/njam
(gdb) run
Starting program: /usr/games/njam
..
Program received signal SIGSEGV, Segmentation fault.
0x0000000000404f48 in ?? ()
(gdb) bt
0 0x0000000000404f48 in ?? ()
1 0x7878787878787878 in ?? ()
2 0x7878787878787878 in ?? ()
3 0x7878787878787878 in ?? ()

0x78 == "x" == Code execution via overflow.

This is probably a minor issue, but should be simple to patch.

-- System Information:
Debian Release: 6.0.3
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/3 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages njam depends on:
ii libc6 2.11.2-10 Embedded GNU C Library: Shared lib
ii libgcc1 1:4.4.5-8 GCC support library
ii libsdl-image1.2 1.2.10-2+b2 image loading library for Simple D
ii libsdl-mixer1.2 1.2.8-6.3 mixer library for Simple DirectMed
ii libsdl-net1.2 1.2.7-2 network library for Simple DirectM
ii libsdl1.2debian 1.2.14-6.1 Simple DirectMedia Layer
ii libstdc++6 4.4.5-8 The GNU Standard C++ Library v3

njam recommends no packages.
njam suggests no packages.

-- no debconf information

============================================================================

njam on Fedora is setgid games. Attempt to exploit results in:

*** buffer overflow detected ***: njam terminated.
(In reply to comment #0)
> njam on Fedora is setgid games. Attempt to exploit results in:
>
> *** buffer overflow detected ***: njam terminated.

This is a FORTIFY_SOURCE message that implies the overflow was detected when it was about to happen, limiting the impact to a crash (which should make this non-security for Fedora).
First of all, thanks for forwarding the bug report. As Tomas explained in comment 1, Fedora is not vulnerable because we compile with FORTIFY_SOURCE by default.

Next to that, the Fedora packages have a patch called njam-1.25-drop-setgid.patch, which opens the shared highscore file and then drops all sgid rights as the first thing in main (so before SDL_VIDEODRIVER is used), which would limit any security issue to the attacker getting access to the highscore file, rather than getting full sgid games rights.

Still, this should be fixed :) The code in question is only used for DGA support, and the use of DGA has been deprecated by Xorg upstream for a long, long time now, so I've simply done a patch removing the DGA support code. I've built njam with this for rawhide.

Since this bug is not a security issue (for Fedora) and is not seen during normal use, just doing a rawhide build should be enough to resolve this bug -> closing.
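The privilege ordering Hans describes (open the shared highscore file while still sgid games, drop the extra group as the first thing in main, and only then consult the environment) is shown below as an added stand-alone example. It is not njam's code and not the Fedora njam-1.25-drop-setgid.patch; the highscore path, the 32-byte driver-name limit and the "x11" fallback are assumptions made for the demonstration. The environment value is copied with an explicit length check, which is the kind of bounds check that FORTIFY_SOURCE was catching at runtime in the report above.

```c
/* Added example: drop-setgid ordering for a setgid(games) program.
 * Not njam's code and not the Fedora patch; paths and limits are assumed. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define HIGHSCORE_PATH "/var/games/njam.hs"  /* assumed location of the shared file */
#define DRIVER_MAX 32                        /* assumed upper bound for an SDL driver name */

/* Step 1: open the group-writable highscore file while the effective gid is
 * still the privileged group. Returns a descriptor or -1. */
int open_highscore(const char *path)
{
    return open(path, O_RDWR | O_CREAT, 0664);
}

/* Step 2: give the setgid group up irrevocably. setregid(real, real) sets the
 * real and effective gid and, because the real gid is being set, also the saved
 * gid, so the group cannot be regained later. Returns 0 only if the drop
 * succeeded and could not be undone, -1 otherwise. */
int drop_group_privileges(void)
{
    gid_t real = getgid();
    gid_t eff  = getegid();

    if (setregid(real, real) != 0)
        return -1;
    if (getgid() != real || getegid() != real)
        return -1;
    /* If we were setgid, trying to switch back to the old group must fail now. */
    if (eff != real && setegid(eff) == 0)
        return -1;
    return 0;
}

/* Step 3 helper: copy an environment value into a fixed buffer with a length
 * check instead of an unbounded strcpy. Returns 0 on success, -1 if the value
 * is missing or does not fit (including its terminating NUL). */
int copy_bounded(const char *value, char *dst, size_t dstlen)
{
    const char *end;

    if (value == NULL || dstlen == 0)
        return -1;
    end = memchr(value, '\0', dstlen);   /* terminator must lie within dstlen */
    if (end == NULL)
        return -1;                       /* too long: reject rather than truncate */
    memcpy(dst, value, (size_t)(end - value) + 1);
    return 0;
}

int main(void)
{
    char driver[DRIVER_MAX];
    int hs = open_highscore(HIGHSCORE_PATH);    /* uses the group while we hold it */

    if (drop_group_privileges() != 0) {         /* refuse to continue half-privileged */
        fprintf(stderr, "could not drop group privileges\n");
        return 1;
    }
    /* Only now look at attacker-controllable input. An over-long value is
     * rejected and replaced by an assumed default instead of overflowing. */
    if (copy_bounded(getenv("SDL_VIDEODRIVER"), driver, sizeof driver) != 0)
        strcpy(driver, "x11");

    printf("highscore fd=%d, driver=%s, egid=%u\n", hs, driver, (unsigned)getegid());
    if (hs >= 0)
        close(hs);
    return 0;
}
```

Run unprivileged, the drop is a no-op that still passes its own checks; installed setgid games, the open succeeds with the group and everything after drop_group_privileges() runs with the invoking user's gid only, so a crash in later SDL code no longer yields the group.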