Bug 65317 - (CVE-2005-0099) VUL-0: CVE-2005-0099: abuse: two security-related bugs
VUL-0: CVE-2005-0099: abuse: two security-related bugs
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
All Linux
: P3 - Medium : Normal
: ---
Assigned To: Lukas Tinkl
Security Team bot
CVE-2005-0099: CVSS v2 Base Score: 2....
Depends on:
  Show dependency treegraph
Reported: 2005-01-31 17:24 UTC by Thomas Biege
Modified: 2021-11-08 14:57 UTC (History)
1 user (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

abuse-patch2.diff (4.79 KB, patch)
2005-02-03 01:45 UTC, Thomas Biege
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Biege 2005-01-31 17:24:52 UTC
Hello Lukas, 
these two bugs should be fixed in stable. 
Steve Kemp discovered several vulnerabilities in abuse, the SDL port 
of the Abuse action game, which could lead to the execution of 
arbitrary code with elevated privileges since it is installed setuid 
root.  The Common Vulnerabilities and Exposures project identifies the 
following problems: 
    Buffer overflows in the command line handling. 
    Insecure file creation may lead to the creation of arbitrary 
I'm attaching Steve's patches for both.  Please let me know if we 
need coordination. 
Comment 1 Thomas Biege 2005-01-31 17:24:52 UTC
<!-- SBZ_reproduce  -->
Comment 2 Thomas Biege 2005-01-31 17:25:49 UTC
I forward you the patch in an email. 
Comment 3 Lukas Tinkl 2005-02-02 19:05:17 UTC
Is there a corrected patch? The one you'd sent me didn't look ok.
Comment 4 Thomas Biege 2005-02-03 00:54:18 UTC
Do you mean parts liek this?

-      strcpy(name,argv[i]);
+      strncpy(name,argv[i],sizeof(name)-1);
+      name[sizeof(name)]='\0';

And the setuid() stuff?

I'll rewrite it and attach it here...
Comment 5 Thomas Biege 2005-02-03 01:45:46 UTC
Created attachment 28150 [details]

Patch for 9.0.

The code looks like it contains more "security gems" but it's a waste of time
to audit code of games. :)
Comment 6 Lukas Tinkl 2005-02-07 21:59:26 UTC
Fixed package submitted
Comment 7 Thomas Biege 2009-10-13 21:00:59 UTC
CVE-2005-0099: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:P/A:N)