Handling security issues?

Steve Kemp skx at debian.org
Wed Feb 8 21:50:57 UTC 2006


  One of the things that initially made me interested in joining in
 with the group maintainership of games was the initial message
 posted to debian-devel.

  This had a small section suggesting that the games-team would be
 well placed to handle security issues.

  Let's practise now ;)

  There is an exploitable security hole in `billard-gl` which is
 now contained in the team's SVN repository.  

  It isn't a real security risk since the game isn't installed
 setuid/setgid; however, the code is definitely flawed.

  Here is the relevant code from the file src/KommandoZeilenParameter.cpp:

void SchreibeKonfiguration(){
  FILE *f;
#ifndef _WIN32
  char dateiname[40];                 /* fixed 40-byte buffer */
  sprintf(dateiname,"%s/.BillardGL.conf.v7",getenv("HOME"));   /* HOME length is not checked */
  f=fopen(dateiname,"w+");
#endif
  ...
  ...
}

void LeseKonfiguration(){
  FILE *f;
#ifndef _WIN32
  char dateiname[40];                 /* fixed 40-byte buffer */
  sprintf(dateiname,"%s/.BillardGL.conf.v7",getenv("HOME"));   /* HOME length is not checked */
  f=fopen(dateiname,"r");
  ...
  ...
}

  Both of these sections of code contain the same flaw: the copying
 of the contents of the environment variable 'HOME' into a fixed-size
 buffer "dateiname", without testing for overflows.

  The code could be fixed by using this instead:

  memset(dateiname,'\0',sizeof(dateiname));
  snprintf(dateiname,sizeof(dateiname)-1,"%s/.BillardGL.conf.v7",getenv("HOME"));

  So... if this were a real security hole, how would we handle this?

  Just via coordination with team at security.debian.org as normal?

Steve
-- 
# The Debian Security Audit Project.
http://www.debian.org/security/audit
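As an added illustration (not code from the mail above or from billard-gl), the following C program shows the defect and the snprintf()-based repair side by side. It keeps the mail's 40-byte buffer and "/.BillardGL.conf.v7" suffix, but the helper names build_config_path() and original_would_overflow(), and the sample HOME values, are constructed for this example. The hardened helper also covers two edge cases the mail does not mention: getenv("HOME") returning NULL, and a HOME long enough that snprintf() would silently truncate the path.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same constants as the original code: a 40-byte path buffer and the config file suffix. */
#define PATH_BUF_LEN 40
#define CONF_SUFFIX  "/.BillardGL.conf.v7"

/*
 * Hypothetical hardened replacement for the sprintf() call.
 * Writes "<home>/.BillardGL.conf.v7" into `out` (capacity `outlen`).
 * Returns 1 on success, 0 if HOME is unset or the path does not fit.
 * On failure `out` is left as an empty string so the caller never opens
 * a truncated (and therefore wrong) file name.
 */
static int build_config_path(const char *home, char *out, size_t outlen)
{
    if (home == NULL || out == NULL || outlen == 0)
        return 0;                              /* unset HOME: refuse instead of passing NULL to "%s" */

    int n = snprintf(out, outlen, "%s" CONF_SUFFIX, home);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';                         /* would have been truncated: report it, do not use it */
        return 0;
    }
    return 1;                                  /* fits, NUL-terminated, no overflow */
}

/*
 * Models what the original sprintf() would do with a given HOME:
 * returns 1 if the formatted string (plus NUL) exceeds the 40-byte buffer,
 * i.e. if the original code would write past the end of `dateiname`.
 */
static int original_would_overflow(const char *home)
{
    if (home == NULL)
        return 1;                              /* sprintf("%s", NULL) is undefined behaviour */
    return strlen(home) + strlen(CONF_SUFFIX) + 1 > PATH_BUF_LEN;
}

int main(void)
{
    /* Constructed sample HOME values: one that fits, one that does not. */
    const char *samples[] = { "/home/alice",
                              "/home/averyveryveryverylongusernamedirectory",
                              NULL };
    char path[PATH_BUF_LEN];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *home = samples[i];
        printf("HOME=%s\n", home ? home : "(unset)");
        printf("  original sprintf() overflows : %s\n",
               original_would_overflow(home) ? "yes" : "no");
        if (build_config_path(home, path, sizeof path))
            printf("  hardened path               : %s\n", path);
        else
            printf("  hardened path               : rejected (unset or too long)\n");
    }
    return 0;
}
```

Note that snprintf() alone only stops the overflow; without checking its return value the program would quietly operate on a truncated path, so a check like the one in build_config_path() belongs in the fix too.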
