-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1
		 NetBSD Security Advisory 2006-018

		 =================================
Topic:		sail(6), dm(8) and tetris(6) buffer overflows
Version:	NetBSD-current:	source prior to June 01, 2006

		NetBSD 3.0:	affected

		NetBSD 2.1:	affected

		NetBSD 2.0.*:	affected

		NetBSD 2.0:	affected
Severity:	Local privilege escalation
Fixed:		NetBSD-current:		June 01, 2006

		NetBSD-3-0 branch:	June 08, 2006

					   (3.0.1 includes the fix)

		NetBSD-3   branch:	June 08, 2006

		NetBSD-2-1 branch:	June 08, 2006

					   (2.1.1 will include the fix)

		NetBSD-2-0 branch:	June 08, 2006

					   (2.0.4 will include the fix)

		NetBSD-2   branch:	June 08, 2006
Abstract

========
The sail, dungeon master arbiter and tetris games all contain buffer

overflows.  These programs are installed sgid games, and when

successfully exploited the vulnerabilities may allow an attacker to

elevate their privileges to the games group.
The sail vulnerability has been assigned CVE reference CVE-2006-1744.

The tetris vulnerability has been assigned CVE reference CVE-2006-1539.
Technical Details

=================
* When processing user supplied input, sail and dm do not check the

  length of the string supplied by the user before storing it.

* When storing user supplied input, tetris does not check the length

  of the string before storing it.

* When reading in the tetris scores file the data is not vaildated

  before it is stored.
Solutions and Workarounds

=========================
The following instructions describe how to upgrade your games binaries

by updating your source tree and rebuilding and installing a new

version of dm, sail and tetris.
* NetBSD-current:
	Systems running NetBSD-current dated from before 2006-06-01

	should be upgraded to NetBSD-current dated 2006-06-02 or later.
	The following files need to be updated from the

	netbsd-current CVS branch (aka HEAD):

		games/dm/dm.c

		games/sail/pl_main.c

		games/tetris/scores.c
	To update from CVS, re-build, and re-install sail and dm:
		# cd src

		# cvs update -d -P games/dm/dm.c

		# cvs update -d -P games/sail/pl_main.c

		# cvs update -d -P games/tetris/scores.c

		# cd games/dm

		# make USETOOLS=no cleandir dependall

		# make USETOOLS=no install

		# cd ../sail

		# make USETOOLS=no cleandir dependall

		# make USETOOLS=no install

		# cd ../tetris

		# make USETOOLS=no cleandir dependall

		# make USETOOLS=no install
* NetBSD 3.*:
	Systems running NetBSD 3.* sources dated from before

	2006-06-08 should be upgraded from NetBSD 3.* sources dated

	2006-06-09 or later.
	The following files need to be updated from the

	netbsd-3 or netbsd-3-0 CVS branch:

		games/dm/dm.c

		games/sail/pl_main.c

		games/tetris/scores.c
	To update from CVS, re-build, and re-install sail and dm:
		# cd src

		# cvs update -d -P -r  games/dm/dm.c

		# cvs update -d -P -r  games/sail/pl_main.c

		# cvs update -d -P -r  games/tetris/scores.c

		# cd games/dm

		# make USETOOLS=no cleandir dependall

		# make USETOOLS=no install

		# cd ../sail

		# make USETOOLS=no cleandir dependall

		# make USETOOLS=no install

		# cd ../tetris

		# make USETOOLS=no cleandir dependall

		# make USETOOLS=no install
* NetBSD 2.*:
	Systems running NetBSD 2.* sources dated from before

	2006-06-08 should be upgraded from NetBSD 2.* sources dated

	2006-06-09 or later.
	The following files need to be updated from the

	netbsd-2, netbsd-2-0 or netbsd-2-1 CVS branch:

		games/dm/dm.c

		games/sail/pl_main.c

		games/tetris/scores.c
	To update from CVS, re-build, and re-install sail and dm:
		# cd src

		# cvs update -d -P -r  games/dm/dm.c

		# cvs update -d -P -r  games/sail/pl_main.c

		# cvs update -d -P -r  games/tetris/scores.c

		# cd games/dm

		# make USETOOLS=no cleandir dependall

		# make USETOOLS=no install

		# cd ../sail

		# make USETOOLS=no cleandir dependall

		# make USETOOLS=no install

		# cd ../tetris

		# make USETOOLS=no cleandir dependall

		# make USETOOLS=no install
Thanks To

=========
Maximillian Dornseif for notification of dm the issue.

Anibal Sacco is credited with the discovery of the sail issue.

Tavis Ormandy is credited with the discovery of the tetris issues.
Revision History

================
	2006-08-10	Initial release
More Information

================
Advisories may be updated as new information becomes available.

The most recent version of this advisory (PGP signed) can be found at

  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2006-018.tx...
Information about NetBSD and NetBSD security can be found at

http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.
Copyright 2006, The NetBSD Foundation, Inc.  All Rights Reserved.

Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2006-018.txt,v 1.8 2006/08/10 18:07:38 adrianp Exp $
-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.5 (NetBSD)
iQCVAwUBRNt2Bj5Ru2/4N2IFAQLq8wP9EqP1rYwU1j2Pp8cOc/dM1Nf1GnDyMVIZ

8fk/eoQvvuPaJ4OiLG5l+fnxD0DtczX7WvFRKHCIks8mQPlpNSFpa1z1vaNO3Xxh

PTkZkkUADkWy3Z0aHmZb7MmL/cSuY2hgOab5TpThCSSlOcHfHY51QYvrJdm0rJv1

18SS1eBOpKE=

=/9Fg

-----END PGP SIGNATURE-----