-----BEGIN PGP SIGNED MESSAGE----- NetBSD Security Advisory 2002-021 ================================= Topic: rogue vulnerability Version: NetBSD-current: source prior to October 2, 2002 NetBSD 1.6: affected NetBSD-1.5.3: affected NetBSD-1.5.2: affected NetBSD-1.5.1: affected NetBSD-1.5: affected Severity: Local user can elevate privileges to group "games" Fixed: NetBSD-current: October 2, 2002 NetBSD-1.6 branch: October 3, 2002 (1.6.1 will include the fix) NetBSD-1.5 branch: October 3, 2002 Abstract ======== There are several buffer overflows in the processing of saved games when restarting rogue(6), that allow one to obtain group "games." Technical Details ================= When rogue(6) saves a game for later, it writes a string length with each string in the save file. When re-reading the file for continuing the game, this value was used unbounded when reading the string, allowing a hand-crafted save file to overflow a buffer. All read operations from the save file are now correctly bounded. Solutions and Workarounds ========================= The easiest solution to this problem is to simply remove the set-gid bit from rogue(6): # chmod g-s /usr/games/rogue This only impacts rogue's ability to save scores. The following instructions describe how to upgrade your rogue(6) binaries by updating your source tree and rebuilding and installing a new version of rogue(6). * NetBSD-current: Systems running NetBSD-current dated from before 2002-10-02 should be upgraded to NetBSD-current dated 2002-10-02 or later. The following directories need to be updated from the netbsd-current CVS branch (aka HEAD): games/rogue To update from CVS, re-build, and re-install rogue(6): # cd src # cvs update -d -P games/rogue # cd games/rogue # make cleandir dependall # make install * NetBSD 1.6: Systems running NetBSD 1.6 sources dated from before 2002-10-03 should be upgraded from NetBSD 1.6 sources dated 2002-10-03 or later. NetBSD 1.6.1 will include the fix. The following directories need to be updated from the netbsd-1-6 CVS branch: games/rogue To update from CVS, re-build, and re-install rogue(6): # cd src # cvs update -d -P -r netbsd-1-6 games/rogue # cd games/rogue # make cleandir dependall # make install Alternatively, apply the following patch (with potential offset differences): ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2002-021-rogue.patch To patch, re-build and re-install rogue(6): # cd src/games/rogue # patch < /path/to/SA20020-021-rogue.patch # make cleandir dependall # make install * NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3: Systems running NetBSD 1.5, 1.5.1, 1.5.2, or 1.5.3 sources dated from before 2002-10-03 should be upgraded from NetBSD 1.5.* sources dated 2002-10-03 or later. The following directories need to be updated from the netbsd-1-5 CVS branch: games/rogue To update from CVS, re-build, and re-install rogue(6): # cd src # cvs update -d -P -r netbsd-1-5 games/rogue # cd games/rogue # make cleandir dependall # make install Alternatively, apply the following patch (with potential offset differences): ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2002-021-rogue.patch To patch, re-build and re-install rogue(6): # cd src/games/rogue # patch < /path/to/SA20020-021-rogue.patch # make cleandir dependall # make install Thanks To ========= stanojr for reporting this problem, matthew green for providing a solution and Simon Burge for helping test the solution. Revision History ================ 2002-10-08 Initial release More Information ================ Advisories may be updated as new information comes to hand. The most recent version of this advisory (PGP signed) can be found at ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-021.txt.asc Information about NetBSD and NetBSD security can be found at http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/. Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved. $NetBSD: NetBSD-SA2002-021.txt,v 1.7 2002/10/08 03:43:35 itojun Exp $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (NetBSD) Comment: For info see http://www.gnupg.org iQCVAwUBPaNKqD5Ru2/4N2IFAQEvsgP8DhIGLEvT4uVkWC0MqGT4MHVRZTxvRF4Q Q8GJKDljDHabvxo7Es+lIvO4TUZhKyiGeePE+HRUoW1B39SuI/XRugJvBvYtcdTm Ue9aSmf0jYYuuKNdiItID/P30WR57sYPv2dNMURhSUkIbzQ43zowCD2Iv4l+nf2V LX+WHqJNq38= =L71P -----END PGP SIGNATURE-----