Bug#205048: ITP: neverball -- A colorful 3D arcade game in which you tilt the floor to roll the ball through the obstacle course before time runs out
Package: wnpp
Version: unavailable; reported 2003-08-12
Severity: wishlist

* Package name : neverball
  Version : 20030805a
  Upstream Author : Robert Kooima [EMAIL PROTECTED]
* URL : http://aoeu.snth.net/neverball/
* License : GPL
  Description : A colorful 3D arcade game in which you tilt the floor to roll the ball through the obstacle course before time runs out

Neverball is a colorful 3D arcade game in which you tilt the floor to roll the ball through the obstacle course before time runs out. It requires patience, concentration and a bit of luck.

-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux yellow 2.4.20-3-686 #1 Sat Jun 7 22:34:55 EST 2003 i686
Locale: LANG=C, LC_CTYPE=C
Bug#205048: ITP: neverball -- A colorful 3D arcade game in which you tilt the floor to roll the ball through the obstacle course before time runs out
On Tue, Aug 12, 2003 at 09:59:45AM +0200, Max Gilead wrote:

Package: wnpp
Version: unavailable; reported 2003-08-12
Severity: wishlist

* Package name : neverball
  Version : 20030805a
  Upstream Author : Robert Kooima [EMAIL PROTECTED]
* URL : http://aoeu.snth.net/neverball/
* License : GPL
  Description : A colorful 3D arcade game in which you tilt the floor to roll the ball through the obstacle course before time runs out

Neverball is a colorful 3D arcade game in which you tilt the floor to roll the ball through the obstacle course before time runs out. It requires patience, concentration and a bit of luck.

Please apply the enclosed patch before packaging - this closes a buffer overflow attack which is locally exploitable.

(I'm not sure if you're planning on making the binary setgid games, if you are you should certainly apply this!)

Steve
--
www.steve.org.uk

--- config.c2003-08-12 09:42:54.0 +0100 +++ config.c-orig 2003-08-12 09:43:54.0 +0100 @@ -66,18 +66,14 @@ if ((dir = getenv(HOME))) { -strcpy(dst, dir); -strcat(dst, /); -strcat(dst, src); -return 1; + snprintf(dst, sizeof(dst)-1, %s/%s, dir, src); + return( 1 ); } if ((vol = getenv(HOMEDRIVE)) (dir = getenv(HOMEPATH))) { -strcpy(dst, vol); -strcat(dst, dir); -strcat(dst, \\); -strcat(dst, src); + snprintf(dst, sizeof(dst)-1, %s%s\\%s, +vol, dir, src ); return 1; }
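Review bot: In both added snprintf() calls the size argument is sizeof(dst)-1, which is the buffer length only if dst is an array declared in this scope; the hunk does not show the declaration, and if dst is a pointer parameter the expression evaluates to the pointer size minus one and the path is cut to a few bytes. Pass the destination length into the function and use that as the size; snprintf() already counts the terminating NUL, so the -1 is not needed. Both branches also return 1 without looking at snprintf()'s result, so a truncated path is reported as success; compare the return value with the buffer length and return 0 when it does not fit. The header lines name config.c as the old file and config.c-orig as the new one, which reads as reversed for a change that removes strcpy/strcat.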
Bug#205048: ITP: neverball -- A colorful 3D arcade game in which you tilt the floor to roll the ball through the obstacle course before time runs out
On Tue, Aug 12, 2003 at 09:54:22AM +0100, Steve Kemp wrote:

Please apply the enclosed patch before packaging - this closes a buffer overflow attack which is locally exploitable.

[...]

--- config.c 2003-08-12 09:42:54.0 +0100 +++ config.c-orig 2003-08-12 09:43:54.0 +0100 @@ -66,18 +66,14 @@ if ((dir = getenv(HOME))) { -strcpy(dst, dir); -strcat(dst, /); -strcat(dst, src); -return 1; + snprintf(dst, sizeof(dst)-1, %s/%s, dir, src); + return( 1 ); } if ((vol = getenv(HOMEDRIVE)) (dir = getenv(HOMEPATH))) { -strcpy(dst, vol); -strcat(dst, dir); -strcat(dst, \\); -strcat(dst, src); + snprintf(dst, sizeof(dst)-1, %s%s\\%s, + vol, dir, src ); return 1; }

It would be a good idea to check the return value of snprintf() too - and be careful, doing things with snprintf()'s return value portably is a pain - since otherwise you may produce wrong results instead of overrunning a buffer and not notice.

I wish something like man-db's strappend() [1] were more widely used. I've been fixing a lot of buffer overruns by moving to that (he says, going off to try to stop the damn thing segfaulting).

[1] Append a varargs list of strings to its first argument, allocating or reallocating memory as necessary. If the first argument is NULL, concatenate all the strings given into newly allocated memory. The above would look like this:

    char *dst;

    if ((dir = getenv("HOME")))
    {
        dst = strappend(NULL, dir, "/", src, NULL);
        return 1;
    }

    if ((vol = getenv("HOMEDRIVE")) && (dir = getenv("HOMEPATH")))
    {
        dst = strappend(NULL, vol, dir, "\\", src, NULL);
        return 1;
    }

--
Colin Watson [EMAIL PROTECTED]
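The return-value check suggested in the last message, as an added example that is not code from the thread or from Neverball. The names home_path and config_home, the explicit dstlen parameter and the sample file name are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not Neverball's code: write "<dir>/<src>" into dst,
 * which holds dstlen bytes. Returns 1 on success and 0 on failure. */
int home_path(char *dst, size_t dstlen, const char *dir, const char *src)
{
    int n;

    if (dst == NULL || dstlen == 0 || dir == NULL || src == NULL)
        return 0;

    /* Pass the real buffer length: snprintf already reserves the NUL byte. */
    n = snprintf(dst, dstlen, "%s/%s", dir, src);

    /* C99 returns the length that would have been written, so n >= dstlen
     * means truncation; some older libcs returned -1 instead. Reject both. */
    if (n < 0 || (size_t)n >= dstlen) {
        dst[0] = '\0';              /* do not leave a truncated path behind */
        return 0;
    }
    return 1;
}

/* Caller side: the length travels with the buffer, so sizeof is never
 * applied to a pointer. HOME is set by the local user, so its length
 * cannot be trusted. */
int config_home(char *dst, size_t dstlen, const char *src)
{
    const char *dir = getenv("HOME");
    return dir ? home_path(dst, dstlen, dir, src) : 0;
}

int main(void)
{
    char buf[32];
    char longdir[128];              /* constructed oversized HOME value */

    memset(longdir, 'A', sizeof longdir - 1);
    longdir[sizeof longdir - 1] = '\0';

    printf("%d %s\n", home_path(buf, sizeof buf, "/home/max", "a.cfg"), buf);
    printf("%d\n", home_path(buf, sizeof buf, longdir, "a.cfg"));
    return 0;
}
```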