-----BEGIN PGP SIGNED MESSAGE----- NetBSD Security Advisory 2002-025 ================================= Topic: trek(6) buffer overrun Version: NetBSD-current: source prior to October 19, 2002 NetBSD 1.6: affected (no real harm) NetBSD-1.5.3: affected NetBSD-1.5.2: affected NetBSD-1.5.1: affected NetBSD-1.5: affected Severity: Local user can elevate privileges to group "games" Fixed: NetBSD-current: October 19, 2002 NetBSD-1.6 branch: October 22, 2002 NetBSD-1.5 branch: October 19, 2002 Abstract ======== There is a buffer overflow in the processing of keyboard input by trek(6). On NetBSD 1.5 and prior, trek(6) is executed via dm(8), so a malicious local user could elevate privilege to group "games". On NetBSD 1.6 and NetBSD-current systems, trek(6) will terminate if the input is too long. Technical Details ================= When trek(6) reads in keyboard input, a bounds check was not performed correctly. If more than 100 characters are entered, a buffer overrun occurs. Solutions and Workarounds ========================= For NetBSD 1.5 systems, the easiest solution is to stop providing trek(6) to users: # rm /usr/games/trek # rm /usr/games/hide/trek NetBSD 1.6 and -current do not use dm(8) for executing trek(6), so no real harm will be done - the trek program executes only with the user's existing privileges. The following instructions describe how to upgrade your trek(6) binaries by updating your source tree and rebuilding and installing a new version of trek(6). * NetBSD-current: Systems running NetBSD-current dated from before 2002-10-19 should be upgraded to NetBSD-current dated 2002-10-19 or later. The following directories need to be updated from the netbsd-current CVS branch (aka HEAD): games/trek To update from CVS, re-build, and re-install trek(6): # cd src # cvs update -d -P games/trek # cd games/trek # make cleandir dependall # make install * NetBSD 1.6: Systems running NetBSD 1.6 sources dated from before 2002-10-22 should be upgraded from NetBSD 1.6 sources dated 2002-10-22 or later. NetBSD 1.6.1 will include the fix. The following directories need to be updated from the netbsd-1-6 CVS branch: games/trek To update from CVS, re-build, and re-install trek(6): # cd src # cvs update -d -P -r netbsd-1-6 games/trek # cd games/trek # make cleandir dependall # make install * NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3: Systems running NetBSD 1.5, 1.5.1, 1.5.2, or 1.5.3 sources dated from before 2002-10-19 should be upgraded from NetBSD 1.5.* sources dated 2002-10-19 or later. The following directories need to be updated from the netbsd-1-5 CVS branch: games/trek To update from CVS, re-build, and re-install trek(6): # cd src # cvs update -d -P -r netbsd-1-5 games/trek # cd games/trek # make cleandir dependall # make install Thanks To ========= Niels Heinen for reporting this problem. Revision History ================ 2002-10-24 Initial release More Information ================ Advisories may be updated as new information comes to hand. The most recent version of this advisory (PGP signed) can be found at ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-025.txt.asc Information about NetBSD and NetBSD security can be found at http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/. Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved. $NetBSD: NetBSD-SA2002-025.txt,v 1.6 2002/10/23 08:08:42 itojun Exp $ -----BEGIN PGP SIGNATURE----- Version: 2.6.3ia Charset: noconv iQCVAwUBPbe2cT5Ru2/4N2IFAQFazQP/VEeJ23ynJgArHib+U/XCStkKMEfV/X4T 84EpzCgIPo0Q3Kpr1DISuuv4XAzGcg+dTAVqJXWU0y8eNwBsp10OYW7cDCrYJ8sZ AheCwKmnhfmKVrtqpDZ4rZKoswJoZhnisqe2FfLNqfFimi5wb0VY4vJzN8NSIV1I OzeoPQja22I= =CW7U -----END PGP SIGNATURE-----