Bug#292065: #292065 numerous security holes in xshisen
Here's the patch I came up with for this. -- see shy jo diff --new-file -ur tmp/xshisen-1.51-1/Makefile.in xshisen-1.51-1/Makefile.in --- tmp/xshisen-1.51-1/Makefile.in 2003-10-29 11:49:58.0 -0500 +++ xshisen-1.51-1/Makefile.in 2005-01-27 01:56:36.0 -0500 @@ -17,7 +17,7 @@ XSHISENLIB = @datadir@/xshisen XSHISENDAT = @sharedstatedir@ -CXXFLAGS = @CXXFLAGS@ +CXXFLAGS = @CXXFLAGS@ -DNO_GLOBAL_HIGHSCORE CPPFLAGS = $(CPPOPTS) @CPPFLAGS@ CPPOPTS = LDFLAGS = @LDFLAGS@ diff --new-file -ur tmp/xshisen-1.51-1/debian/README.Debian xshisen-1.51-1/debian/README.Debian --- tmp/xshisen-1.51-1/debian/README.Debian 1969-12-31 19:00:00.0 -0500 +++ xshisen-1.51-1/debian/README.Debian 2005-01-27 02:44:17.0 -0500 @@ -0,0 +1,4 @@ +Note that in the Debian package of xshisen, support for system-wide score +files is disabled. This was done because xshisen is not written very +securely, and a system-wide score file required the program to be installed +setgid games. diff --new-file -ur tmp/xshisen-1.51-1/debian/changelog xshisen-1.51-1/debian/changelog --- tmp/xshisen-1.51-1/debian/changelog 2005-01-19 15:21:19.0 -0500 +++ xshisen-1.51-1/debian/changelog 2005-01-27 02:47:32.0 -0500 @@ -1,3 +1,15 @@ +xshisen (1.51-1-1.2) unstable; urgency=HIGH + + * NMU (at maintainer's request). + * Add NO_GLOBAL_HIGHSCORE define which crudely disables the support for +a global score file. + * Remove sgid bit. Closes: #291613, #292065 + * Comment out code in postinst that set up /var/games/xshisen.scores, +but for now, do not delete that file on upgrade. + * Add README.Debian. + + -- Joey Hess [EMAIL PROTECTED] Thu, 27 Jan 2005 02:42:26 -0500 + xshisen (1.51-1-1.1) unstable; urgency=HIGH * NMU diff --new-file -ur tmp/xshisen-1.51-1/debian/postinst xshisen-1.51-1/debian/postinst --- tmp/xshisen-1.51-1/debian/postinst 2003-10-29 11:49:58.0 -0500 +++ xshisen-1.51-1/debian/postinst 2005-01-27 02:46:16.0 -0500 @@ -5,12 +5,12 @@ case $1 in configure) - if [ ! -f /var/games/xshisen.scores ]; then - cp -f /usr/share/games/xshisen/xshisen.scores \ - /var/games/xshisen.scores - chown root.games /var/games/xshisen.scores - chmod 664 /var/games/xshisen.scores - fi +# if [ ! -f /var/games/xshisen.scores ]; then +# cp -f /usr/share/games/xshisen/xshisen.scores \ +# /var/games/xshisen.scores +# chown root.games /var/games/xshisen.scores +# chmod 664 /var/games/xshisen.scores +#h fi ;; abort-upgrade|abort-remove|abort-deconfigure) ;; diff --new-file -ur tmp/xshisen-1.51-1/debian/rules xshisen-1.51-1/debian/rules --- tmp/xshisen-1.51-1/debian/rules 2003-10-29 11:49:58.0 -0500 +++ xshisen-1.51-1/debian/rules 2005-01-27 02:45:32.0 -0500 @@ -64,8 +64,7 @@ DESTDIR=$(CURDIR)/debian/xshisen \ XSHISENDAT=$(CURDIR)/debian/xshisen/usr/share/games/xshisen \ XSHISENLIB=$(CURDIR)/debian/xshisen/usr/share/games/xshisen - chown root.games $(CURDIR)/debian/xshisen/usr/games/xshisen - chmod g+s $(CURDIR)/debian/xshisen/usr/games/xshisen + chown root.root $(CURDIR)/debian/xshisen/usr/games/xshisen chmod 644 $(CURDIR)/debian/xshisen/usr/share/games/xshisen/xshisen.scores # Build architecture-independent files here. diff --new-file -ur tmp/xshisen-1.51-1/main.C xshisen-1.51-1/main.C --- tmp/xshisen-1.51-1/main.C 2003-10-29 11:53:41.0 -0500 +++ xshisen-1.51-1/main.C 2005-01-27 02:27:48.0 -0500 @@ -353,6 +353,7 @@ delete[] scorefile; if (globRes.scoreOnly) { +#ifndef NO_GLOBAL_HIGHSCORE sc-DisplayScore(initial_game_state); #if USE_MOTIF XtAddCallback(*sc, XmNokCallback, (XtCallbackProc)ExitCB, NULL); @@ -360,6 +361,10 @@ XtAddCallback(XtNameToWidget(*sc, *ok_button), XtNcallback, (XtCallbackProc)ExitCB, NULL); #endif +#else /* NO_GLOBAL_HIGHSCORE */ + fprintf(stderr, System score files not enabled.\n); + exit(1); +#endif /* NO_GLOBAL_HIGHSCORE */ } else { GetGameSize(initial_game_state, num_piece_x, num_piece_y); diff --new-file -ur tmp/xshisen-1.51-1/menubar.C xshisen-1.51-1/menubar.C --- tmp/xshisen-1.51-1/menubar.C2002-07-08 01:37:11.0 -0400 +++ xshisen-1.51-1/menubar.C2005-01-27 02:22:48.0 -0500 @@ -158,8 +158,13 @@ (XtCallbackProc)GameCB, (XtPointer)1); XtAddCallback(XtNameToWidget(menushell0, button_2), XtNcallback, (XtCallbackProc)GameCB, (XtPointer)2); +#ifdef NO_GLOBAL_HIGHSCORE +XtVaSetValues(XtNameToWidget(menushell0, button_3), XtNsensitive, + False, NULL); +#else XtAddCallback(XtNameToWidget(menushell0, button_3), XtNcallback, (XtCallbackProc)GameCB, (XtPointer)3); +#endif XtAddCallback(XtNameToWidget(menushell0,
Bug#292065: #292065 numerous security holes in xshisen
Grzegorz B. Prokopski wrote: The whole discussion was quite interesting, but I am also in favor of removing the sgid bit. I am currently w/o signed GPG key and on especially this week on a 14k4 modem that hangs up every few minutes, so fetching anything over 100kB is problematic. Therefore could somebody please just remove this sgid in an NMU? It will pop up a dialog warning that it cannot write to the high score file if the sgid bit is removed. I guess the code that does this could just be disabled too, I can do that if you want. -- see shy jo signature.asc Description: Digital signature
Bug#292065: #292065 numerous security holes in xshisen
On Wed, 2005-26-01 at 14:55 -0500, Joey Hess wrote: Grzegorz B. Prokopski wrote: The whole discussion was quite interesting, but I am also in favor of removing the sgid bit. I am currently w/o signed GPG key and on especially this week on a 14k4 modem that hangs up every few minutes, so fetching anything over 100kB is problematic. Therefore could somebody please just remove this sgid in an NMU? It will pop up a dialog warning that it cannot write to the high score file if the sgid bit is removed. I guess the code that does this could just be disabled too, I can do that if you want. Yes, please do. GBP -- Grzegorz B. Prokopski [EMAIL PROTECTED] SableVM - Free, LGPL'ed Java VM http://sablevm.org Why SableVM ?!? http://sablevm.org/wiki/Features Debian GNU/Linux - the Free OS http://www.debian.org -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#292065: #292065 numerous security holes in xshisen
On Tue, Jan 25, 2005 at 08:01:00AM +0100, Goswin von Brederlow wrote: [...] Both of them, if exploitable, would be bugs in the Xrm or Xpm library respectively. The same argument can probably made against pretty much any X application and X itself. There is a lot of software that just loads in user defined xpm files and such. The difference is the setgid bit, which AFAICT was the whole point of the bug report. If it is removed, most of the issues aren't problematic anymore. Gruesse, -- Frank Lichtenheld [EMAIL PROTECTED] www: http://www.djpig.de/ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#292065: #292065 numerous security holes in xshisen
Goswin von Brederlow wrote: concerning your 1. Unsafe resource file reading. and 2. Unsafe XSHISENLIB environment variable. Both of them, if exploitable, would be bugs in the Xrm or Xpm library respectively. The same argument can probably made against pretty much any X application and X itself. There is a lot of software that just loads in user defined xpm files and such. Actually there's very little software that is suid/sgid and reads in user-controlled X resource files. In fact xshisen is the only such program I know of, aside from X itself (which I assume does so securely). I think that hole is likely exploitable, and it's not a bug in X, especially given the documentation. It is a bug in the xpm library when a malformed xpm can be exploited. Such holes have been found before (CAN-2004-0914). However, such xpm bugs typically don't let a local user increase their permissions. The fact that xshisen turns a xpm exploit into a gid games exploit is a design hole in xshisen. -- see shy jo signature.asc Description: Digital signature
Bug#292065: #292065 numerous security holes in xshisen
Joey Hess [EMAIL PROTECTED] writes: Goswin von Brederlow wrote: concerning your 1. Unsafe resource file reading. and 2. Unsafe XSHISENLIB environment variable. Both of them, if exploitable, would be bugs in the Xrm or Xpm library respectively. The same argument can probably made against pretty much any X application and X itself. There is a lot of software that just loads in user defined xpm files and such. Actually there's very little software that is suid/sgid and reads in user-controlled X resource files. In fact xshisen is the only such program I know of, aside from X itself (which I assume does so securely). I think that hole is likely exploitable, and it's not a bug in X, especially given the documentation. That might be true for X resource files and the docs sound realy scary (also shown by your segfault). But aren't there any suid/sgid game programs with xpm (or png or jpeg or any other complex lib for that matter) support? Any kde/gnome program can probably be exploited by messing with the theming support of them. At what point do you say this library may not be used in a suid/sgid program? Is it even OK to use libc? It is a bug in the xpm library when a malformed xpm can be exploited. Such holes have been found before (CAN-2004-0914). However, such xpm bugs typically don't let a local user increase their permissions. The fact that xshisen turns a xpm exploit into a gid games exploit is a design hole in xshisen. -- see shy jo So what do you suggest? Fork, drop the suid/sgid in the child, load the xpm and send the raw image through IPC back to the parent? Or create a suid/sgid xshisen-scorefile-writer that capsules the scorfile access (and just that) and run xshisen as normal user? Or should suid/sgid programs never load user-controlled data (like kde/gnome theming or xpms) at all? What are acceptable options? MfG Goswin -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#292065: #292065 numerous security holes in xshisen
Goswin von Brederlow wrote: That might be true for X resource files and the docs sound realy scary (also shown by your segfault). But aren't there any suid/sgid game programs with xpm (or png or jpeg or any other complex lib for that matter) support? Any kde/gnome program can probably be exploited by messing with the theming support of them. At what point do you say this library may not be used in a suid/sgid program? Is it even OK to use libc? Um, this has nothing to do with that libraries may be used in a suid program. (Although IIRC you'll find it hard to make apps that use gtk suid, since it has explicit checks for that and refuses to run, since it is known to be insecure.) Well written suid applications look at every avenue the user has to influence the program by changing its operating environment and input data, and make good decisions to limit these channels and ensure that the code that can be affected by them is secure. xshisen is clearly not well designed to be suid, given the choices that were made that provide the user with many avenues to provide bad data to the program. So what do you suggest? Fork, drop the suid/sgid in the child, load the xpm and send the raw image through IPC back to the parent? I suggest that you read my orignal bug report with a little bit more care. I do not enjoy repeating myself or watching a focused bug report be diverged off into useless discussions. -- see shy jo signature.asc Description: Digital signature
Bug#292065: #292065 numerous security holes in xshisen
On Tue, 2005-25-01 at 10:59 +0100, Frank Lichtenheld wrote: On Tue, Jan 25, 2005 at 08:01:00AM +0100, Goswin von Brederlow wrote: [...] Both of them, if exploitable, would be bugs in the Xrm or Xpm library respectively. The same argument can probably made against pretty much any X application and X itself. There is a lot of software that just loads in user defined xpm files and such. The difference is the setgid bit, which AFAICT was the whole point of the bug report. If it is removed, most of the issues aren't problematic anymore. The whole discussion was quite interesting, but I am also in favor of removing the sgid bit. I am currently w/o signed GPG key and on especially this week on a 14k4 modem that hangs up every few minutes, so fetching anything over 100kB is problematic. Therefore could somebody please just remove this sgid in an NMU? Thanks in advance, GBP -- Grzegorz B. Prokopski [EMAIL PROTECTED] SableVM - Free, LGPL'ed Java VM http://sablevm.org Why SableVM ?!? http://sablevm.org/wiki/Features Debian GNU/Linux - the Free OS http://www.debian.org -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#292065: #292065 numerous security holes in xshisen
Hi, concerning your 1. Unsafe resource file reading. and 2. Unsafe XSHISENLIB environment variable. Both of them, if exploitable, would be bugs in the Xrm or Xpm library respectively. The same argument can probably made against pretty much any X application and X itself. There is a lot of software that just loads in user defined xpm files and such. MfG Goswin -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]