Your message dated Mon, 14 May 2007 15:16:29 -0400
with message-id <[EMAIL PROTECTED]>
and subject line fixed
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: bsdgames
Version: 2.17-5
Tags: security
Severity: normal

http://bugs.gentoo.org/show_bug.cgi?id=122399 for details, this is
CVE-2006-1539

  The player's name is printed into a buffer using sprintf without validation,
  causing a classic stack overflow. On another occasion, the level is read from
  the file without validation, which is then used as an offset into an integer
  stack array and written to. While what's written can't be controlled, this
  could be enough to modify a ret addr enough to execute arbitrary code read
  from the score file.

Note that Debian is not as prone to exploit as gentoo, since they
apparently have regular users in group games. However, this is still a
bug in bsdgames and can still contribute to exploits: If some other game
is exploited and an attacker gains group games then they can use this
bug to take over accounts that run tetris-bsd.

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16-1-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages bsdgames depends on:
ii  libc6                     2.3.6-4        GNU C Library: Shared libraries an
ii  libgcc1                   1:4.1.0-1      GCC support library
ii  libncurses5               5.5-1          Shared libraries for terminal hand
ii  libstdc++6                4.1.0-1        The GNU Standard C++ Library v3
ii  miscfiles [wordlist]      1.4.2.dfsg.1-1 Dictionaries and other interesting
ii  wamerican [wordlist]      6-2            American English dictionary words 
ii  wbritish [wordlist]       6-2            British English dictionary words f

bsdgames recommends no packages.

-- no debconf information

-- 
see shy jo

Attachment: signature.asc
Description: Digital signature


--- End Message ---
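
The two flaws described in the report above (an unbounded sprintf of the player name, and a level value from the score file used unchecked as an array index) both come down to trusting fields read from a group-writable file. The following is an added example, not the bsdgames patch or code from this thread; the record layout, the limits and all function names are hypothetical. It rejects a record before any field is used and formats with a bounded write.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical record layout and limits (assumptions, not bsdgames' own). */
#define NAME_LEN 20
#define MIN_LEVEL 1
#define MAX_LEVEL 9
struct score_rec { char name[NAME_LEN]; int score; int level; };

/* 1 if every field read from the file is safe to use, else 0. */
static int score_rec_valid(const struct score_rec *r)
{
    if (memchr(r->name, '\0', NAME_LEN) == NULL)
        return 0;   /* name not NUL-terminated inside its field */
    if (r->level < MIN_LEVEL || r->level > MAX_LEVEL)
        return 0;   /* would index outside the per-level array */
    return r->score >= 0;
}

/* Format one entry into out; 0 on success, -1 if rejected or truncated. */
static int format_score(const struct score_rec *r, int *seen, char *out, size_t outsz)
{
    int n;

    if (!score_rec_valid(r))
        return -1;
    n = snprintf(out, outsz, "%-*.*s %6d lvl %d", NAME_LEN - 1, NAME_LEN - 1,
                 r->name, r->score, r->level);
    if (n < 0 || (size_t)n >= outsz)
        return -1;  /* bounded write; truncation is an error, not an overflow */
    seen[r->level] = 1; /* index was range-checked above */
    return 0;
}

/* Constructed sample: copy n raw bytes into a name field with no NUL padding. */
int check_sample(const char *raw, size_t n, int level)
{
    struct score_rec r;
    int seen[MAX_LEVEL + 1] = {0};
    char line[64];

    memset(r.name, 'A', NAME_LEN);
    memcpy(r.name, raw, n < NAME_LEN ? n : NAME_LEN);
    r.score = 100;
    r.level = level;
    return format_score(&r, seen, line, sizeof line);
}

int main(void) { printf("%d %d\n", check_sample("alice", 6, 3), check_sample("alice", 6, 42)); return 0; }
```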
--- Begin Message ---
Version: 2.17-6

This was patched last year, but I forgot the bug number in the
changelog.

-- 
see shy jo

Attachment: signature.asc
Description: Digital signature


--- End Message ---
