http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=203541

From: Steve Kemp <skx@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: crafty.bin locally exploitable to gain gid 'games'.
Date: Wed, 30 Jul 2003 20:15:57 +0100

Package: crafty
Version: 19.1-1
Severity: normal
Tags: security upstream patch



Intro
-----

   crafty is the strong chess program played on ICC.

   It installs a file 'crafty.bin' upon both Debian Stable, and Debian
  unstable as setgid games:


skx@hell:~$ ls -l /usr/games/crafty*
-rwxr-xr-x    1 root     root          384 Dec 17  2002 /usr/games/crafty
-rwxr-sr-x    1 root     games     1128712 Dec 17  2002 /usr/games/crafty.bin


Problems
--------

   The setgid file, crafty.bin, contains a pair of flaws in it's command
  line handling.

   Both flaws are essentially the same, and involve a lack of bounds checking
  on the arguments supplied by the user.
   Either of these flaws allow a malicious local user to gain group 'games'
  permissions.


   From main.c:2901
       else if (strstr(argv[i],"path")) {
         strcpy(buffer,argv[i]);
         result=Option(tree);
         if (result == 0)
           printf("ERROR \"%s\" is unknown command-line option\n",buffer);
         display=tree->pos;
       }


       main.c:2934
       if (argc > 1) {
       for (i=1;i<argc;i++) if (strcmp(argv[i],"c"))
	  if ((argv[i][0]<'0' || argv[i][0] > '9') &&
	     !strstr(argv[i],"path")) {
	    strcpy(buffer,argv[i]);
             result=Option(tree);
             if (result == 0)
              printf("ERROR \"%s\" is unknown command-line option\n",buffer);
           }
       }


Exploit
-------

   Sample exploit code for the first issue is available upon request,
  I've not included it here as it's not terribly interesting.


Fixes
-----

   The supplied diff, which has been compiled and tested, will close
  both these issues.


Steve
---
www.steve.org.uk