[36846] in bugtraq


Re: Buffer Overflow in Spider game

daemon@ATHENA.MIT.EDU (van Helsing)
Tue Oct 5 22:39:31 2004

Date: Tue, 5 Oct 2004 07:56:53 +0200
From: van Helsing <vh@helith.net>
To: Steve Kemp <steve@steve.org.uk>
Cc: bugtraq@securityfocus.com
Message-Id: <20041005075653.3765c36e.vh@helith.net>
In-Reply-To: <20041004192346.GA602@steve.org.uk>

On Mon, 4 Oct 2004 20:23:46 +0100
Steve Kemp <steve@steve.org.uk> wrote:

> On Sun, Oct 03, 2004 at 12:05:23PM +0300, Security Team wrote:
> 
> > A vulnerability has been discovered in the game spider, an
> > application contained in the Debian GNU/Linux distribution.
> > The vulnerability allows a local attacker to gain elevated
> > privileges by overflowing the -s parameter.
> > 
> > Impact:
> > The attacker can gain group privileges. By default "games".
> 
>   Neither Debian stable nor unstable contain any spider binaries
>  setuid or setgid.

*cut the linux crap ;)*

He didn't say DEBIAN is affected.
He just said it's contained in Debian.
I would take "contained" as an example.... not as "only affected".
And he also didn't say anything about getting r00t.
Just group privileges... (getting "games"-gid.. w00w00 ;)).

Even if Debian doesn't setuid/setgid spider, it's included, and I'm sure the
author wouldn't report things which don't work.

So get the "games"-gid with this error and be happy. ;-)
And spend honor to the guys who allow the "games"-group to use adduser. :)


vh
