Your message dated Mon, 17 Apr 2023 00:03:58 +0000
with message-id <[email protected]>
and subject line Bug#1034190: fixed in sgt-puzzles 20230122.806ae71-2
has caused the Debian Bug report #1034190,
regarding More security bugs in game loading
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1034190: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034190
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: sgt-puzzles
Version: 20230122.806ae71-1
Severity: serious
Tags: security upstream fixed-upstream
X-Debbugs-Cc: Debian Security Team <[email protected]>
Ben Harris found multiple issues in sgt-puzzles where a malformed game
description or save file can lead to a buffer overflow, buffer
overread, use of an uninitialised pointer, integer overflow, null
pointer dereference, division by zero, assertion failure, or memory
leak. These were fixed upstream over the past few months.
The Debian package doesn't register any media type handler for save
files, so I think this can only be exploited by social-engineering a
user into loading such a file or description.
For most of these bugs, the impact is limited to a crash of the
application. However, the various memory safety errors may be more
serious. On some architectures, division by zero does not cause an
exception and this might also be exploitable.
Ben.
-- System Information:
Debian Release: 12.0
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500,
'stable-security'), (500, 'oldstable-updates'), (500, 'unstable'), (500,
'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.1.0-7-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages sgt-puzzles depends on:
ii libc6 2.36-8
ii libcairo2 1.16.0-7
ii libgdk-pixbuf-2.0-0 2.42.10+dfsg-1+b1
ii libglib2.0-0 2.74.6-1
ii libgtk-3-0 3.24.37-2
ii libpango-1.0-0 1.50.12+ds-1
ii libpangocairo-1.0-0 1.50.12+ds-1
Versions of packages sgt-puzzles recommends:
ii chromium [www-browser] 111.0.5563.64-1
ii firefox [www-browser] 111.0-3
ii lynx [www-browser] 2.9.0dev.12-1
ii xdg-utils 1.1.3-4.1
sgt-puzzles suggests no packages.
-- debconf-show failed
--- End Message ---
--- Begin Message ---
Source: sgt-puzzles
Source-Version: 20230122.806ae71-2
Done: Ben Hutchings <[email protected]>
We believe that the bug you reported is fixed in the latest version of
sgt-puzzles, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ben Hutchings <[email protected]> (supplier of updated sgt-puzzles package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 16 Apr 2023 21:19:11 +0200
Source: sgt-puzzles
Architecture: source
Version: 20230122.806ae71-2
Distribution: unstable
Urgency: medium
Maintainer: Ben Hutchings <[email protected]>
Changed-By: Ben Hutchings <[email protected]>
Closes: 905852 1034190
Changes:
sgt-puzzles (20230122.806ae71-2) unstable; urgency=medium
.
* Fix various security issues in game loading (Closes: #1034190):
- Black Box: reject negative ball counts in game_params.
- Add validate_params bounds checks in a few more games.
- Don't allow Bridges games with < 2 islands
- Forbid moves that fill with the current colour in Flood
- Cleanly reject ill-formed solve moves in Flood
- Don't segfault on premature solve moves in Mines
- Limit number of mines in Mines game description
- Validate the number of pegs and holes in a Pegs game ID
- Mines: forbid moves that flag or unflag an exposed square
- Mines: Don't check if the player has won if they've already lost
- Avoid invalid moves when solving Tracks
- Fix move validation in Netslide
- Tighten validation of Tents game descriptions
- Dominosa: require the two halves of a domino to be adjacent
- Forbid lines off the grid in Pearl
- Tolerate incorrect solutions in Inertia
- Palisade: replace dfs_dsf() with a simple iteration.
- latin_solver_alloc: handle clashing numbers in input grid.
- Pearl: fix assertion failure on bad puzzle.
- Pearl: fix bounds check in previous commit.
- Unequal: Don't insist that solve moves must actually solve
- Range: Don't fail an assertion on an all-black board
- Limit width and height to SHRT_MAX in Mines
- Mines: Add assertions to range-check conversions to short
- Unequal: fix sense error in latin_solver_alloc fix.
- Forbid impossible moves in Bridges
- Forbid game descriptions with joined islands in Bridges
- Check state is valid at the end of a move in Pearl
- Cleanly reject more ill-formed solve moves in Flood
- Don't allow moves that change the constraints in Unequal
- Fix memory leaks in Keen's validate_desc()
- Remember to free the actual_board array in Mosaic
- Don't leak grids in Loopy's validate_desc()
- Remember to free the to_draw member from Net's drawstate
- Undead: check the return value of sscanf() in execute_move()
- Don't leak duplicate edges in Untangle
- Remember to free the numcolours array from Pattern's drawstate
- Free new game_state properly in Mosaic's execute_move()
- Twiddle: don't read off the end of parameter strings ending 'm'
- Loopy: free the grid description string if it's invalid
- Mosaic: don't duplicate the description being validated
- Avoid division by zero in Cube grid-size checks
- Validate that save file values are ASCII (mostly)
- More validation of solve moves in Flood
- Make sure that moves in Flood use only valid colours
- Tighten grid-size limit in Mines
- Tracks: set drag_s{x,y} even if starting off-grid
- Undead: be a bit more careful about sprintf buffer sizes
- Fix memory leak in midend_game_id_int()
- Flood: don't read off the end of some parameter strings
- Be more careful with type of left operand of <<
- Map: reduce maximum size
- Correctly handle some short save files
- Inertia: insist that solutions must be non-empty
- Galaxies: fix recursion depth limit in solver.
- Correct a range check in Magnets' layout verification
- Magnets: add a check that magnets don't wrap between lines
- Net: assert that cx and cy are in range in compute_active()
- Don't allow zero clues in Pattern
* Solo: cope with pencil marks when tilesize == 1 (Closes: #905852)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
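The bug classes named in the report (integer overflow, division by zero, overread from a malformed description) and changelog entries such as "Limit width and height to SHRT_MAX in Mines" come down to validating every field of an untrusted description before it is used. The following C sketch is an added example, not sgt-puzzles code: the "WxH:N" format, `struct grid_params`, `parse_field` and `validate_desc` are all hypothetical names constructed for illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical parameter block; not the sgt-puzzles game_params struct. */
struct grid_params { int w, h, mines; };

/* Parse one decimal field. Rejects empty input, out-of-range values and any
 * character other than the expected delimiter after the number. */
static int parse_field(const char **p, char delim, long lo, long hi, int *out)
{
    char *end;
    errno = 0;
    long v = strtol(*p, &end, 10);
    if (end == *p || errno == ERANGE || *end != delim) return -1;
    if (v < lo || v > hi) return -1;
    *out = (int)v;
    *p = (*end != '\0') ? end + 1 : end;  /* never step past the terminator */
    return 0;
}

/* Validate a constructed "WxH:N" description before anything is allocated.
 * Returns NULL if acceptable, otherwise a static error string. */
const char *validate_desc(const char *desc, struct grid_params *gp)
{
    const char *p = desc;
    if (parse_field(&p, 'x', 2, SHRT_MAX, &gp->w)) return "bad width";
    if (parse_field(&p, ':', 2, SHRT_MAX, &gp->h)) return "bad height";
    /* Overflow check in division form, so w*h is never computed unchecked.
     * h >= 2 is already established, so the divisor cannot be zero. With
     * 32-bit int the SHRT_MAX limits make this redundant; it stays correct
     * if the limits are ever raised. */
    if (gp->w > INT_MAX / gp->h) return "grid too large";
    int area = gp->w * gp->h;
    if (parse_field(&p, '\0', 0, area - 1, &gp->mines)) return "bad mine count";
    return NULL;
}

int main(void)
{
    struct grid_params gp;
    /* Constructed sample descriptions: one valid, four malformed. */
    const char *samples[] = { "9x9:10", "0x9:10", "9x9:81", "40000x9:1", "9x9:10junk" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        const char *err = validate_desc(samples[i], &gp);
        printf("%-12s %s\n", samples[i], err ? err : "ok");
    }
    return 0;
}
```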