Handling security issues?

Miriam Ruiz little_miry at yahoo.es
Wed Feb 8 22:57:06 UTC 2006


 --- Steve Kemp <skx at debian.org> wrote:

>   Here is the relevent code from the file src/KommandoZeilenParameter.cpp:
> 
> void SchreibeKonfiguration(){
>   FILE *f;
> #ifndef _WIN32
>   char dateiname[40];
>   sprintf(dateiname,"%s/.BillardGL.conf.v7",getenv("HOME"));
>   f=fopen(dateiname,"w+");
> #endif
>   ...
>   ...
> }
> 
> void LeseKonfiguration(){
>   FILE *f;
> #ifndef _WIN32
>   char dateiname[40];
>   sprintf(dateiname,"%s/.BillardGL.conf.v7",getenv("HOME"));
>   f=fopen(dateiname,"r");
>   ...
>   ...
> }
> 
>   Both of these sections of code contain the same flaw.   The copying
>  of the contents of the environmental variable 'HOME' into a fixed
>  size buffer "dateiname", without testing for overflows.
> 
>   The code could be fixed by using this instead:
> 
>   memset(dateiname,'\0',sizeof(dateiname));
>   snprintf(dateiname,sizeof(dateiname)-1,"%s/.BillardGL.conf.v7",getenv("HOME"));

You also shouldn't forget, even though it might not be important, to check whether
$HOME exists, that is, whether getenv("HOME") == NULL.

>   So .. if this were a real security hole, how would we handle this?
> 
>   Just via coordination with team at security.debian.org as normal?

These kinds of things tend to be very common in these games (I mean, exactly
that $HOME thingie). I'm not sure what would be the best way to handle it. The
first step to follow should be detecting all those holes (I think I have a
couple of them in my packages). I'm not sure how to handle detection, maybe
through the bts + a wiki page with a list? Maybe also hints about the better ways
to handle those bugs too (like snprintf in this case).

The next step could be sorting them; maybe some of them are so similar that we
could take advantage of that. I don't know how to handle this, besides thinking
about those magical wiki pages. In any case we could list the most common
mistakes (getenv buffer overflows might be one of them) and then we could
audit our packages searching for that, writing a note on whether each one is
affected or not, and whether the problem has been solved or not.

About correcting them, if we get to use svn for most of the projects, I guess
correcting them there and uploading them immediately if it's very serious, or
not that urgently if it's not a high security risk, could do.

Miry
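The $HOME copy discussed in this thread, as an added example that is not part of the original message and not BillardGL's own code. The helper names (max_home_len_original, fits_original_buffer, build_config_path, config_path_from_env) are hypothetical, and the sample HOME values are constructed. The only facts it takes from the thread are the 40-byte buffer and the "/.BillardGL.conf.v7" suffix. fits_original_buffer() works out by arithmetic whether the original sprintf() would stay in bounds for a given HOME (it never performs the unsafe copy); build_config_path() is the hardened form, which handles the getenv() == NULL case and also checks snprintf()'s return value so that a truncated path is rejected instead of being opened.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Buffer size used by the original BillardGL code: char dateiname[40]. */
#define ORIG_BUF_SIZE 40
/* Suffix the original code appends to $HOME. */
#define CONF_SUFFIX "/.BillardGL.conf.v7"

/* Longest $HOME the original sprintf() can copy into dateiname[40]
   without writing past the end: 40 - strlen(suffix) - 1 for the NUL. */
size_t max_home_len_original(void)
{
    return ORIG_BUF_SIZE - strlen(CONF_SUFFIX) - 1;
}

/* 1 if the original sprintf() would stay in bounds for this $HOME value,
   0 if it would overflow the 40-byte stack buffer. Pure arithmetic; this
   never performs the unsafe copy. */
int fits_original_buffer(const char *home)
{
    if (home == NULL)
        return 0;                       /* sprintf("%s", NULL) is undefined too */
    return strlen(home) <= max_home_len_original();
}

/* Hardened replacement (hypothetical helper, not BillardGL's own code):
   build "<home>/.BillardGL.conf.v7" into a caller-supplied buffer.
   Returns 0 on success, -1 if home is NULL or the result would not fit.
   On failure out[] is left empty so a caller cannot open a half-built path. */
int build_config_path(const char *home, char *out, size_t outlen)
{
    if (out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';
    if (home == NULL)                   /* $HOME unset: nothing sensible to do */
        return -1;
    int n = snprintf(out, outlen, "%s%s", home, CONF_SUFFIX);
    if (n < 0 || (size_t)n >= outlen) { /* truncated: refuse rather than use a wrong path */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Drop-in for the original call sites: reads HOME from the environment. */
int config_path_from_env(char *out, size_t outlen)
{
    return build_config_path(getenv("HOME"), out, outlen);
}

int main(void)
{
    /* Constructed sample values, not taken from any real system. */
    const char *samples[] = { "/home/miry", "/home/someone/longer/than/twenty", NULL };
    char path[ORIG_BUF_SIZE];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *h = samples[i];
        printf("HOME=%s: original sprintf %s; hardened build -> %s\n",
               h ? h : "(unset)",
               fits_original_buffer(h) ? "in bounds" : "OVERFLOWS",
               build_config_path(h, path, sizeof path) == 0 ? path : "rejected");
    }
    return 0;
}
```

With the 19-byte suffix and the terminating NUL, the original buffer leaves room for a HOME of at most 20 characters, which many real home directories exceed; the hardened helper passes the full sizeof(out) to snprintf() (it already reserves the NUL itself) and treats a return value of outlen or more as a failure.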



		



More information about the Pkg-games-devel mailing list