Package: vectoroids
Version: 1.1.0-1
Severity: normal
Tags: upstream patch
Hi,
Whilst performing a minimal source code audit of vectoroids I
discovered that it contains a buffer overflow condition - because
it doesn't test the length of one of the environmental variables
it uses.
Thankfully this game isn't installed setuid/setgid - or this
would be a security issue.
The patch below closes the hole.
Steve
---
-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux hell.my.flat 2.4.21 #1 Fri Jun 13 21:42:54 BST 2003 i686
Locale: LANG=C, LC_CTYPE=C
Versions of packages vectoroids depends on:
ii libc6 2.3.1-17 GNU C Library: Shared libraries an
ii libsdl-image1.2 1.2.3-1 image loading library for Simple D
ii libsdl-mixer1.2 1.2.5-2 mixer library for Simple DirectMed
ii libsdl1.2debian 1.2.5-8 Simple DirectMedia Layer
-- no debconf information
--- vectoroids.c-orig 2003-07-28 21:44:22.000000000 +0100
+++ vectoroids.c 2003-07-28 21:45:03.000000000 +0100
@@ -596,8 +596,12 @@
#ifndef _WIN32
/* snprintf(statefile, sizeof(statefile), "%s/.vectoroids-state",
getenv("HOME")); */
- sprintf(statefile, "%s/.vectoroids-state",
- getenv("HOME"));
+ if (getenv("HOME") != NULL )
+ {
+ memset(statefile, '\0', sizeof(statefile));
+ snprintf(statefile,sizeof(statefile)-1, "%s/.vectoroids-state",
+ getenv("HOME"));
+ }
#else
sprintf(statefile, "vectoroids-state.dat");
#endif
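Review bot: The added `if (getenv("HOME") != NULL )` block has no else branch, so when HOME is unset nothing in this hunk writes statefile and any later use of it sees whatever the buffer held before; add an else that falls back to a fixed name (as the _WIN32 branch does) or skips state saving. The return value of the added snprintf call is ignored, so an over-long HOME is silently truncated into a different path than intended; compare the result against sizeof(statefile) and treat truncation as an error. The memset and the `sizeof(statefile)-1` are redundant, since snprintf always NUL-terminates within the size it is given, and reading getenv("HOME") once into a local would avoid evaluating it twice.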