Subject: bin/18507: rogue buffer overflow vulnerability
To: None <gnats-bugs@gnats.netbsd.org>
From: None <eravin@panix.com>
List: netbsd-bugs
Date: 10/02/2002 09:40:26
>Number: 18507
>Category: bin
>Synopsis: rogue buffer overflow vulnerability
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Oct 02 09:41:00 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator: Ed Ravin
>Release: 1.6
>Organization:
Public Access Networks
>Environment:
NetBSD panix5.panix.com 1.6 NetBSD 1.6 (PANIX-USER) #0: Fri Sep 13 20:17:38 EDT 2002 root@trinity.nyc.access.net:/devel/netbsd/1.6/src/sys/arch/i386/compile/PANIX-USER i386
>Description:
A report on bugtraq and freebsd-security claims that rogue, when invoked by /usr/games/dm with setgid games, can be buffer-overflowed for privilege escalation to group games.
Author of report was stanojr@iserver.sk.
>How-To-Repeat:
Report had exploit attached.
>Fix:
Author of report claims vulnerable code is in file save.c, function
read_string.
>Release-Note:
>Audit-Trail:
>Unformatted: