FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

multiple buffer overflows in xboing

Affected packages
xboing < 2.4_2


VuXML ID e25566d5-6d3f-11d8-83a4-000a95bc6fae
Discovery 2003-01-01
Entry 2004-03-05
Modified 2004-03-29

Steve Kemp reports (in a Debian bug submission):

Due to improper bounds checking it is possible for a malicious user to gain a shell with membership group 'games'. (The binary is installed setgid games).

Environmental variables are used without being bounds-checked in any way, from the source code:

   /* Use the environment variable if it exists */
   if ((str = getenv("XBOING_SCORE_FILE")) != NULL)
	strcpy(filename, str);
	strcpy(filename, HIGH_SCORE_FILE);

    if ((ptr = getenv("HOME")) != NULL)
	(void) strcpy(dest, ptr);

Neither of these checks are boundschecked, and will allow arbitary shell code to be run.


Bugtraq ID 9764
CVE Name CVE-2004-0149