NetBSD Security Advisory 2002-025: trek(6) buffer overrun
by Nikola Strahija on October 24th, 2002 There is a buffer overflow in the processing of keyboard input by trek(6). On NetBSD 1.5 and prior, trek(6) is executed via dm(8), so a malicious local user could elevate privilege to group "games". On NetBSD 1.6 and NetBSD-current systems, trek(6) will terminate if the input is too long.
Technical Details
=================
When trek(6) reads in keyboard input, a bounds check was not performed
correctly. If more than 100 characters are entered, a buffer overrun
occurs.
Solutions and Workarounds
=========================
For NetBSD 1.5 systems, the easiest solution is to stop providing trek(6)
to users:
# rm /usr/games/trek
# rm /usr/games/hide/trek
NetBSD 1.6 and -current do not use dm(8) for executing trek(6), so no
real harm will be done - the trek program executes only with the
user's existing privileges.
The following instructions describe how to upgrade your trek(6)
binaries by updating your source tree and rebuilding and
installing a new version of trek(6).
* NetBSD-current:
Systems running NetBSD-current dated from before 2002-10-19
should be upgraded to NetBSD-current dated 2002-10-19 or later.
The following directories need to be updated from the
netbsd-current CVS branch (aka HEAD):
games/trek
To update from CVS, re-build, and re-install trek(6):
# cd src
# cvs update -d -P games/trek
# cd games/trek
# make cleandir dependall
# make install
* NetBSD 1.6:
Systems running NetBSD 1.6 sources dated from before
2002-10-22 should be upgraded from NetBSD 1.6 sources dated
2002-10-22 or later.
NetBSD 1.6.1 will include the fix.
The following directories need to be updated from the
netbsd-1-6 CVS branch:
games/trek
To update from CVS, re-build, and re-install trek(6):
# cd src
# cvs update -d -P -r netbsd-1-6 games/trek
# cd games/trek
# make cleandir dependall
# make install
* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:
Systems running NetBSD 1.5, 1.5.1, 1.5.2, or 1.5.3 sources dated
from before 2002-10-19 should be upgraded from NetBSD 1.5.*
sources dated 2002-10-19 or later.
The following directories need to be updated from the
netbsd-1-5 CVS branch:
games/trek
To update from CVS, re-build, and re-install trek(6):
# cd src
# cvs update -d -P -r netbsd-1-5 games/trek
# cd games/trek
# make cleandir dependall
# make install
Thanks To
=========
Niels Heinen for reporting this problem.
Revision History
================
2002-10-24 Initial release
More Information
================
Advisories may be updated as new information comes to hand. The most
recent version of this advisory (PGP signed) can be found at
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-025.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.
Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved.
$NetBSD: NetBSD-SA2002-025.txt,v 1.6 2002/10/23 08:08:42 itojun Exp $